Yup, this is exactly the issue. I did read https://stackoverflow.com/questions/71004481/what-does-openssl-x509-hash-calculate-the-hash-of/71004482, and figured as much (very specific OpenSSL-ism), and didn't see any refs to it in python cryptography. We use certificates from only a handful of different CAs and we use an ansible role that, given just the certificate, looks up what CA and/or intermediates go with that. This avoids errors in deployment of the CA(s), the order of the intermediate(s), and also avoids the accidental deployment of root certs. Up to now I had used the issuer_hash and subject_hash to do this matching. This works, but after having read https://security.stackexchange.com/a/200301 I think this is actually not entirely correct. The correct thing to do is using the subject/issuer key identifier - which *are* reported by openssl_certificate_info. I have rewritten the tasks, and now the logic is more correct, and the code is simpler.
On Sun, 13 Feb 2022 at 19:56, 'Felix Fontein' via Ansible Project <[email protected]> wrote:
>
> Hi Dick,
>
> > I am moving some older code that uses openssl shell commands to use
> > the newer community crypto OpenSSL ansible modules. Most of that works
> > well.
> > However, I have this task to find the issuer's hash:
> >
> > shell: echo "{{ tls_cert_crt }}" | openssl x509 -noout -issuer_hash
> >
> > I don't see any way of doing this using the community.crypto modules.
> > I've looked at community.crypto.x509_certificate_info but I don't see
> > this in the returned results.
> > Does anyone have a suggestion?
>
> I haven't checked, but if the issuer/subject hash for certificates is
> similar to the one for CRLs, this unfortunately isn't easy to implement
> (using the library we're using). Or at least that used to be the case
> when I last checked this ~10 months ago :) The issue where it was
> discussed is
> https://github.com/ansible-collections/community.crypto/issues/200
>
> Cheers,
> Felix
>
> --
> You received this message because you are subscribed to the Google Groups "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/20220213195633.599334f5%40rovaniemi.

--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT
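The matching the reply above describes (pick the issuing CA and intermediates for a certificate by Subject/Authority Key Identifier rather than by OpenSSL's name hashes, put them in issuing order, and leave the self-signed root out) as an added, stand-alone Python example. This is not code from the thread, from Ansible or from community.crypto: the records below are constructed to look like a simplified version of what community.crypto.x509_certificate_info returns (`subject_key_identifier` and `authority_key_identifier` as colon-separated hex, or None when the extension is absent); the names, key identifiers and the helper functions are all assumptions made for the example.

```python
"""Order intermediates for a leaf certificate by AKI -> SKI matching.

Added example, not code from the mailing-list thread or from community.crypto.
Every record and identifier below is constructed for illustration only.
"""
from typing import Dict, List, Optional

Record = Dict[str, Optional[str]]

# Constructed sample records in the (simplified) shape of x509_certificate_info
# output. Key identifiers are fake; the layout "AA:BB:..." mirrors the module's.
ROOT: Record = {"name": "example-root", "subject": "CN=Example Root CA",
                "issuer": "CN=Example Root CA",
                "subject_key_identifier": "AA:AA:AA:AA",
                "authority_key_identifier": "AA:AA:AA:AA"}   # self-signed
INTERMEDIATE_1: Record = {"name": "example-intermediate-1",
                          "subject": "CN=Example Intermediate CA 1",
                          "issuer": "CN=Example Root CA",
                          "subject_key_identifier": "BB:BB:BB:BB",
                          "authority_key_identifier": "AA:AA:AA:AA"}
INTERMEDIATE_2: Record = {"name": "example-intermediate-2",
                          "subject": "CN=Example Intermediate CA 2",
                          "issuer": "CN=Example Intermediate CA 1",
                          "subject_key_identifier": "CC:CC:CC:CC",
                          "authority_key_identifier": "BB:BB:BB:BB"}
UNRELATED_CA: Record = {"name": "unrelated-ca", "subject": "CN=Unrelated CA",
                        "issuer": "CN=Example Root CA",
                        "subject_key_identifier": "DD:DD:DD:DD",
                        "authority_key_identifier": "AA:AA:AA:AA"}
# An older intermediate without an AKI extension: only a name fallback works.
LEGACY_INTERMEDIATE: Record = {"name": "legacy-intermediate",
                               "subject": "CN=Legacy Intermediate CA",
                               "issuer": "CN=Example Root CA",
                               "subject_key_identifier": "EE:EE:EE:EE",
                               "authority_key_identifier": None}
CERT_POOL: List[Record] = [ROOT, INTERMEDIATE_1, INTERMEDIATE_2,
                           UNRELATED_CA, LEGACY_INTERMEDIATE]

LEAF: Record = {"name": "www.example.org", "subject": "CN=www.example.org",
                "issuer": "CN=Example Intermediate CA 2",
                "subject_key_identifier": "FF:FF:FF:FF",
                "authority_key_identifier": "CC:CC:CC:CC"}
LEGACY_LEAF: Record = {"name": "legacy.example.org",
                       "subject": "CN=legacy.example.org",
                       "issuer": "CN=Legacy Intermediate CA",
                       "subject_key_identifier": None,
                       "authority_key_identifier": None}
# Same CA key as INTERMEDIATE_1, certified by a different root (cross-signed):
# the AKI alone cannot tell the two apart, so the lookup must refuse to guess.
CROSS_SIGNED: Record = {"name": "example-intermediate-1-cross",
                        "subject": "CN=Example Intermediate CA 1",
                        "issuer": "CN=Other Root CA",
                        "subject_key_identifier": "BB:BB:BB:BB",
                        "authority_key_identifier": "99:99:99:99"}


def _key_id(value: Optional[str]) -> Optional[str]:
    """Normalise a colon-separated hex key identifier for comparison."""
    return value.replace(":", "").lower() if value else None


def is_self_signed(cert: Record) -> bool:
    """A root: issuer name equals subject name and the AKI, if present, is its own SKI."""
    if cert["subject"] != cert["issuer"]:
        return False
    aki = _key_id(cert.get("authority_key_identifier"))
    return aki is None or aki == _key_id(cert.get("subject_key_identifier"))


def issuer_candidates(cert: Record, pool: List[Record]) -> List[Record]:
    """All pool certificates that could have issued `cert`, AKI -> SKI first."""
    aki = _key_id(cert.get("authority_key_identifier"))
    if aki is not None:
        found = [c for c in pool if _key_id(c.get("subject_key_identifier")) == aki]
    else:
        # No AKI: fall back to the issuer name. This is what name-hash matching
        # does and is weaker, because several CA certificates can share a name.
        found = [c for c in pool if c["subject"] == cert["issuer"]]
    return [c for c in found if c is not cert]


def find_issuer(cert: Record, pool: List[Record]) -> Optional[Record]:
    """Exactly one issuer, None if unknown; ambiguity is an error, not a guess."""
    found = issuer_candidates(cert, pool)
    if len(found) > 1:
        names = ", ".join(str(c["name"]) for c in found)
        raise ValueError(f"ambiguous issuer for {cert['name']}: {names}")
    return found[0] if found else None


def build_chain(leaf: Record, pool: List[Record], include_root: bool = False) -> List[str]:
    """Names of the issuing certificates in leaf-to-root order, root excluded by default."""
    chain: List[str] = []
    seen = set()
    current = leaf
    while True:
        issuer = find_issuer(current, pool)
        if issuer is None:
            raise LookupError(f"no issuer found for {current['name']}")
        if issuer["name"] in seen:
            raise ValueError(f"loop detected at {issuer['name']}")
        seen.add(issuer["name"])
        if is_self_signed(issuer):
            if include_root:
                chain.append(str(issuer["name"]))
            return chain
        chain.append(str(issuer["name"]))
        current = issuer


if __name__ == "__main__":
    print(build_chain(LEAF, CERT_POOL))          # intermediates only
    print(build_chain(LEAF, CERT_POOL, True))    # with the root appended
```

The deliberate choices are the three failure modes a deployment role should not paper over: an unknown issuer stops the run instead of shipping a partial chain, a cross-signed CA key (two certificates with the same SKI) is reported as ambiguous rather than resolved by list order, and a cycle in the pool cannot loop forever. The name fallback is kept only for certificates that carry no AKI at all.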
