x509_crl_info: allow to not enumerate revoked certificates (#232)

* Allow not enumerating revoked certificates.

* Forgot to remove one instance.

* Add example.
Felix Fontein
2021-05-19 09:32:30 +02:00
committed by GitHub
parent 7298c1f49a
commit 69aeb2d86f
5 changed files with 64 additions and 10 deletions


@@ -46,10 +46,11 @@ else:
class CRLInfoRetrieval(object):
def __init__(self, module, content):
def __init__(self, module, content, list_revoked_certificates=True):
# content must be a bytes string
self.module = module
self.content = content
self.list_revoked_certificates = list_revoked_certificates
def get_info(self):
self.crl_pem = identify_pem_format(self.content)
@@ -69,7 +70,6 @@ class CRLInfoRetrieval(object):
'digest': None,
'issuer_ordered': None,
'issuer': None,
'revoked_certificates': [],
}
result['last_update'] = self.crl.last_update.strftime(TIMESTAMP_FORMAT)
@@ -82,18 +82,19 @@ class CRLInfoRetrieval(object):
result['issuer'] = {}
for k, v in issuer:
result['issuer'][k] = v
result['revoked_certificates'] = []
for cert in self.crl:
entry = cryptography_decode_revoked_certificate(cert)
result['revoked_certificates'].append(cryptography_dump_revoked(entry))
if self.list_revoked_certificates:
result['revoked_certificates'] = []
for cert in self.crl:
entry = cryptography_decode_revoked_certificate(cert)
result['revoked_certificates'].append(cryptography_dump_revoked(entry))
return result
def get_crl_info(module, content):
def get_crl_info(module, content, list_revoked_certificates=True):
if not CRYPTOGRAPHY_FOUND:
module.fail_json(msg=missing_required_lib('cryptography >= {0}'.format(MINIMAL_CRYPTOGRAPHY_VERSION)),
exception=CRYPTOGRAPHY_IMP_ERR)
info = CRLInfoRetrieval(module, content)
info = CRLInfoRetrieval(module, content, list_revoked_certificates=list_revoked_certificates)
return info.get_info()
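Review bot: In get_info, when list_revoked_certificates is false the `revoked_certificates` key is now absent from the result rather than present as an empty list, so a consumer that reads `result.revoked_certificates | default([])` gets the same value for "not enumerated" and "nothing revoked"; a playbook that uses this module's output to decide whether a certificate is revoked can mistake a skipped enumeration for a clean CRL. The RETURN documentation records the conditional key, but the class itself says nothing about it: a parameter comment on `__init__`, e.g. `# list_revoked_certificates: when False, get_info() omits the 'revoked_certificates' key entirely`, would make that contract explicit at the source. The new loop could also be the single expression `result['revoked_certificates'] = [cryptography_dump_revoked(cryptography_decode_revoked_certificate(cert)) for cert in self.crl]`. get_info starts outside the hunk.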


@@ -30,6 +30,15 @@ options:
- Content of the X.509 CRL in PEM format, or Base64-encoded X.509 CRL.
- Either I(path) or I(content) must be specified, but not both.
type: str
list_revoked_certificates:
description:
- If set to C(false), the list of revoked certificates is not included in the result.
- This is useful when retrieving information on large CRL files. Enumerating all revoked
certificates can take some time, including serializing the result as JSON, sending it to
the Ansible controller, and decoding it again.
type: bool
default: true
version_added: 1.7.0
notes:
- All timestamp values are provided in ASN.1 TIME format, in other words, following the C(YYYYMMDDHHMMSSZ) pattern.
@@ -48,6 +57,12 @@ EXAMPLES = r'''
- name: Print the information
ansible.builtin.debug:
msg: "{{ result }}"
- name: Get information on CRL without list of revoked certificates
community.crypto.x509_crl_info:
path: /etc/ssl/very-large.crl
list_revoked_certificates: false
register: result
'''
RETURN = r'''
@@ -87,7 +102,7 @@ digest:
sample: sha256WithRSAEncryption
revoked_certificates:
description: List of certificates to be revoked.
returned: success
returned: success if I(list_revoked_certificates=true)
type: list
elements: dict
contains:
@@ -157,6 +172,7 @@ def main():
argument_spec=dict(
path=dict(type='path'),
content=dict(type='str'),
list_revoked_certificates=dict(type='bool', default=True),
),
required_one_of=(
['path', 'content'],
@@ -182,7 +198,7 @@ def main():
module.fail_json(msg='Error while Base64 decoding content: {0}'.format(e))
try:
result = get_crl_info(module, data)
result = get_crl_info(module, data, list_revoked_certificates=module.params['list_revoked_certificates'])
module.exit_json(**result)
except OpenSSLObjectError as e:
module.fail_json(msg=to_native(e))