openssl_certificate_info: add ocsp_uri return value (#60393)

* Add ocsp_uri return value. * Add changelog. * Add integration test. * Fix rebase error.
5 years ago · 14974f5fc2
parent a567a3fae0
commit 14974f5fc2
4 changed files with 94 additions and 0 deletions
--- a/changelogs/fragments/60393-openssl_certificate_info-ocsp_uri.yml
+++ b/changelogs/fragments/60393-openssl_certificate_info-ocsp_uri.yml
@ -0,0 +1,2 @@
+minor_changes:
+- "openssl_certificate_info - add ``ocsp_uri`` return value."
--- a/lib/ansible/modules/crypto/openssl_certificate_info.py
+++ b/lib/ansible/modules/crypto/openssl_certificate_info.py
@ -272,6 +272,12 @@ authority_cert_serial_number:
    type: int
    sample: '12345'
    version_added: "2.9"
+ocsp_uri:
+    description: The OCSP responder URI, if included in the certificate. Will be
+                 C(none) if no OCSP responder URI is included.
+    returned: success
+    type: str
+    version_added: "2.9"
 '''


@ -279,6 +285,7 @@ import abc
 import binascii
 import datetime
 import os
+import re
 import traceback
 from distutils.version import LooseVersion

@ -443,6 +450,10 @@ class CertificateInfo(crypto_utils.OpenSSLObject):
    def _get_all_extensions(self):
        pass

+    @abc.abstractmethod
+    def _get_ocsp_uri(self):
+        pass
+
    def get_info(self):
        result = dict()
        self.cert = crypto_utils.load_certificate(self.path, backend=self.backend)
@ -497,6 +508,7 @@ class CertificateInfo(crypto_utils.OpenSSLObject):

        result['serial_number'] = self._get_serial_number()
        result['extensions_by_oid'] = self._get_all_extensions()
+        result['ocsp_uri'] = self._get_ocsp_uri()

        return result

@ -644,6 +656,17 @@ class CertificateInfoCryptography(CertificateInfo):
    def _get_all_extensions(self):
        return crypto_utils.cryptography_get_extensions_from_cert(self.cert)

+    def _get_ocsp_uri(self):
+        try:
+            ext = self.cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess)
+            for desc in ext.value:
+                if desc.access_method == x509.oid.AuthorityInformationAccessOID.OCSP:
+                    if isinstance(desc.access_location, x509.UniformResourceIdentifier):
+                        return desc.access_location.value
+        except x509.ExtensionNotFound as dummy:
+            pass
+        return None
+

 class CertificateInfoPyOpenSSL(CertificateInfo):
    """validate the supplied certificate."""
@ -764,6 +787,16 @@ class CertificateInfoPyOpenSSL(CertificateInfo):
    def _get_all_extensions(self):
        return crypto_utils.pyopenssl_get_extensions_from_cert(self.cert)

+    def _get_ocsp_uri(self):
+        for i in range(self.cert.get_extension_count()):
+            ext = self.cert.get_extension(i)
+            if ext.get_short_name() == b'authorityInfoAccess':
+                v = str(ext)
+                m = re.search('^OCSP - URI:(.*)$', v, flags=re.MULTILINE)
+                if m:
+                    return m.group(1)
+        return None
+

 def main():
    module = AnsibleModule(
--- a/test/integration/targets/openssl_certificate_info/files/cert1.pem
+++ b/test/integration/targets/openssl_certificate_info/files/cert1.pem
@ -0,0 +1,45 @@
+-----BEGIN CERTIFICATE-----
+MIIH5jCCBs6gAwIBAgISA2gSCm/BtvCR2e2bIap5YbXaMA0GCSqGSIb3DQEBCwUA
+MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
+ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA3MjcxNzMxMjdaFw0x
+ODEwMjUxNzMxMjdaMB4xHDAaBgNVBAMTE3d3dy5sZXRzZW5jcnlwdC5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpL8ZjVL0MUkUAIbYO9+ZCni+c
+ghGd9WhM2Ztaay6Wyh6lNoCdltdqTwUhE4O+d7UFModjM3G/KMyfuujr06c5iGKL
+3saPmIzLaRPIEOUlB2rKgasKhe8mDRyRLzQSXXgnsaKcTBBuhIHvtP51ZMr05nJJ
+sX/5FGjj96w+KJel6E/Ux1a1ZDOFkAYNSIrJJhA5jjIvUPr+Ri6Oc6UlhF9oueKI
+uWBILxQpC778tBWdHoZeBCNTHA1VvtwC53OeuHvdZm1jB/e30Mgf5DtVizYpFXVD
+mztkrd6z/3B6ZwPyfCE4KgzSf70/byOz971OJxNKTUVWedKHHDlrMxfsPclbAgMB
+AAGjggTwMIIE7DAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
+CCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFG1w4j/KDrYSFu7m9DPE
+xRR0E5gzMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMG8GCCsGAQUF
+BwEBBGMwYTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNy
+eXB0Lm9yZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNy
+eXB0Lm9yZy8wggHxBgNVHREEggHoMIIB5IIbY2VydC5pbnQteDEubGV0c2VuY3J5
+cHQub3JnghtjZXJ0LmludC14Mi5sZXRzZW5jcnlwdC5vcmeCG2NlcnQuaW50LXgz
+LmxldHNlbmNyeXB0Lm9yZ4IbY2VydC5pbnQteDQubGV0c2VuY3J5cHQub3Jnghxj
+ZXJ0LnJvb3QteDEubGV0c2VuY3J5cHQub3Jngh9jZXJ0LnN0YWdpbmcteDEubGV0
+c2VuY3J5cHQub3Jngh9jZXJ0LnN0Zy1pbnQteDEubGV0c2VuY3J5cHQub3JngiBj
+ZXJ0LnN0Zy1yb290LXgxLmxldHNlbmNyeXB0Lm9yZ4ISY3AubGV0c2VuY3J5cHQu
+b3JnghpjcC5yb290LXgxLmxldHNlbmNyeXB0Lm9yZ4ITY3BzLmxldHNlbmNyeXB0
+Lm9yZ4IbY3BzLnJvb3QteDEubGV0c2VuY3J5cHQub3Jnghtjcmwucm9vdC14MS5s
+ZXRzZW5jcnlwdC5vcmeCD2xldHNlbmNyeXB0Lm9yZ4IWb3JpZ2luLmxldHNlbmNy
+eXB0Lm9yZ4IXb3JpZ2luMi5sZXRzZW5jcnlwdC5vcmeCFnN0YXR1cy5sZXRzZW5j
+cnlwdC5vcmeCE3d3dy5sZXRzZW5jcnlwdC5vcmcwgf4GA1UdIASB9jCB8zAIBgZn
+gQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3Bz
+LmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmlj
+YXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBh
+bmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGlj
+eSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzCC
+AQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AMEWSuCnctLUOS3ICsEHcNTwxJvemRpI
+QMH6B1Fk9jNgAAABZN0ChToAAAQDAEcwRQIgblal8oXnfoopr1+dWVhvBx+sqHT0
+eLYxJHBTaRp3j1QCIQDhFQqMk6DDXUgcU12K36zLVFwJTdAJI4RBisnX+g+W0AB2
+ACk8UZZUyDlluqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABZN0Chz4AAAQDAEcw
+RQIhAImOjvkritUNKJZB7dcUtjoyIbfNwdCspvRiEzXuvVQoAiAZryoyg3TcMun5
+Gb2dEn1cttMnPW9u670/JdRjvjU/wTANBgkqhkiG9w0BAQsFAAOCAQEAGepCmckP
+Tn9Sz268FEwkdD+6wWaPfeYlh+9nacFh90nQ35EYQMOK8a+X7ixHGbRz19On3Wt4
+1fcbPa9SefocTjAintMwwreCxpRTmwGACYojd7vRWEmA6q7+/HO2BfZahWzclOjw
+mSDBycDEm8R0ZK52vYjzVno8x0mrsmSO0403S/6syYB/guH6P17kIBw+Tgx6/i/c
+I1C6MoFkuaAKUUcZmgGGBgE+L/7cWtWjbkVXyA3ZQQy9G7rcBT+N/RrDfBh4iZDq
+jAN5UIIYL8upBhjiMYVuoJrH2nklzEwr5SWKcccJX5eWkGLUwlcY9LGAA8+17l2I
+l1Ou20Dm9TxnNw==
+-----END CERTIFICATE-----
--- a/test/integration/targets/openssl_certificate_info/tasks/impl.yml
+++ b/test/integration/targets/openssl_certificate_info/tasks/impl.yml
@ -93,3 +93,17 @@
 - name: Update result list
  set_fact:
    info_results: "{{ info_results + [result] }}"
+
+- name: ({{select_crypto_backend}}) Get certificate info for packaged cert 1
+  openssl_certificate_info:
+    path: '{{ role_path }}/files/cert1.pem'
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: result
+- assert:
+    that:
+      - "'ocsp_uri' in result"
+      - "result.ocsp_uri == 'http://ocsp.int-x3.letsencrypt.org'"
+
+- name: Update result list
+  set_fact:
+    info_results: "{{ info_results + [result] }}"