openssl_certificate_info subject_hash?


Dick Visser

Feb 13, 2022, 12:18:20 PM
to ansible...@googlegroups.com
Hi

I am moving some older code that uses openssl shell commands to use
the newer community crypto OpenSSL ansible modules. Most of that works
well.
However, I have this task to find the issuer's hash:

shell: echo "{{ tls_cert_crt }}" | openssl x509 -noout -issuer_hash

I don't see any way of doing this using the community.crypto modules.
I've looked at community.crypto.x509_certificate_info but I don't see
this in the returned results.
Does anyone have a suggestion?

Similar for the issuer_hash.

thx

--
Dick Visser
Trust & Identity Service Operations Manager
GÉANT

Felix Fontein

Feb 13, 2022, 1:57:00 PM
to ansible...@googlegroups.com
Hi Dick,

> I am moving some older code that uses openssl shell commands to use
> the newer community crypto OpenSSL ansible modules. Most of that works
> well.
> However, I have this task to find the issuer's hash:
>
> shell: echo "{{ tls_cert_crt }}" | openssl x509 -noout -issuer_hash
>
> I don't see any way of doing this using the community.crypto modules.
> I've looked at community.crypto.x509_certificate_info but I don't see
> this in the returned results.
> Does anyone have a suggestion?

I haven't checked, but if the issuer/subject hash for certificates is
similar to the one for CRLs, this unfortunately isn't easy to implement
(using the library we're using). Or at least that used to be the case
when I last checked this ~10 months ago :) The issue where it was
discussed is
https://github.com/ansible-collections/community.crypto/issues/200

Cheers,
Felix


Dick Visser

Feb 14, 2022, 8:29:08 AM
to ansible...@googlegroups.com
Yup, this is exactly the issue.
I did read https://stackoverflow.com/questions/71004481/what-does-openssl-x509-hash-calculate-the-hash-of/71004482,
and figured as much (very specific OpenSSL-ism), and didn't see any
refs to it in python cryptography.
We use certificates from only a handful of different CAs and we use an
ansible role that, given just the certificate, looks up what CA and/or
intermediates go with that. This avoids errors in deployment of the
CA(s), the order of the intermediate(s), and also avoids the
accidental deployment of root certs.
Up to now I had used the issuer_hash and subject_hash to do this matching.
This works, but after having read
https://security.stackexchange.com/a/200301 I think this is actually
not entirely correct.
The correct thing to do is to use the subject/issuer key identifier -
which *are* reported by openssl_certificate_info.
I have rewritten the tasks, and now the logic is more correct, and the
code is simpler.
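For reference, the value Dick's old `openssl x509 -noout -issuer_hash` task produced, and that Felix notes is awkward to get from the library community.crypto builds on, is not a digest of the raw DER name. OpenSSL first rewrites the Name into its canonical form (every string attribute converted to UTF8String, trimmed, whitespace runs collapsed, ASCII-lowercased, and the Name's outer SEQUENCE header dropped), takes SHA-1 of that, and prints the first four digest bytes as a little-endian 32-bit integer. The block below is an added example, not code from this thread or from community.crypto, that reproduces this in standard-library Python over DER, plus a small walker that pulls subject and issuer out of a DER certificate. `make_name` and the `OID_*` constants are scaffolding constructed here for the demonstration; the ISRG Root X1 subject used under `__main__` is that CA's real distinguished name, so the printed value can be compared with `openssl x509 -noout -subject_hash` on that certificate.

```python
"""Reproduce `openssl x509 -subject_hash` / `-issuer_hash` with stdlib Python."""
import hashlib
import struct

ASCII_WS = b" \t\n\v\f\r"  # what OpenSSL's ossl_isspace() treats as whitespace

# ASN.1 string tags OpenSSL rewrites to UTF8String before hashing, with the
# decoding it applies to each (one-byte types are read as Latin-1).
CANON_STRING_TAGS = {0x0C: "utf-8", 0x13: "latin-1", 0x14: "latin-1", 0x16: "latin-1",
                     0x1A: "latin-1", 0x1C: "utf-32-be", 0x1E: "utf-16-be"}

def der_tlv(buf, pos=0):
    """Parse one DER TLV (single-byte tag) at buf[pos] -> (tag, content, end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    end = start + length
    if tag & 0x1F == 0x1F or end > len(buf):
        raise ValueError("unsupported or truncated DER")
    return tag, buf[start:end], end

def der_children(content):
    """Split the content octets of a constructed value into its child TLVs."""
    out, pos = [], 0
    while pos < len(content):
        end = der_tlv(content, pos)[2]
        out.append(content[pos:end])
        pos = end
    return out

def der_encode(tag, content):
    """Definite-length DER TLV encoder."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def canon_string(utf8):
    """asn1_string_canon(): trim, collapse ASCII whitespace runs to one space and
    ASCII-lowercase; bytes >= 0x80 (multi-byte UTF-8) are copied untouched."""
    utf8, out, i = utf8.strip(ASCII_WS), bytearray(), 0
    while i < len(utf8):
        b = utf8[i]
        if b in ASCII_WS:
            out.append(0x20)
            while i < len(utf8) and utf8[i] in ASCII_WS:
                i += 1
        else:
            out.append(b + 0x20 if 0x41 <= b <= 0x5A else b)
            i += 1
    return bytes(out)

def canonical_name(name_der):
    """X509_NAME canonical encoding: each RDN becomes a DER SET of
    SEQUENCE{type, value} with string values as canonical UTF8String,
    concatenated WITHOUT the Name's outer SEQUENCE header."""
    tag, rdns, _ = der_tlv(name_der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    out = b""
    for rdn in der_children(rdns):
        encoded = []
        for attr in der_children(der_tlv(rdn)[1]):
            oid, value = der_children(der_tlv(attr)[1])  # AttributeTypeAndValue
            vtag, vcontent, _ = der_tlv(value)
            if vtag in CANON_STRING_TAGS:
                text = vcontent.decode(CANON_STRING_TAGS[vtag]).encode("utf-8")
                value = der_encode(0x0C, canon_string(text))
            encoded.append(der_encode(0x30, oid + value))
        encoded.sort()  # DER SET OF ordering; only matters for multi-valued RDNs
        out += der_encode(0x31, b"".join(encoded))
    return out

def openssl_name_hash(name_der):
    """X509_NAME_hash(): SHA-1 of the canonical encoding, first four bytes read as
    a little-endian uint32, printed as the 8 hex digits ca-certificates uses."""
    digest = hashlib.sha1(canonical_name(name_der)).digest()
    return "%08x" % struct.unpack("<I", digest[:4])[0]

def subject_issuer_der(cert_der):
    """(subject_der, issuer_der) of a DER certificate, walking TBSCertificate:
    [0] version (optional), serialNumber, signature, issuer, validity, subject."""
    fields = der_children(der_tlv(der_children(der_tlv(cert_der)[1])[0])[1])
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[4], fields[2]

# Scaffolding constructed for this example (DER-encoded OIDs for C, O, CN) -----
OID_C, OID_O, OID_CN = (bytes.fromhex(h) for h in ("0603550406", "060355040a", "0603550403"))

def make_name(*rdns, string_tag=0x13):
    """DER Name from (oid_der, text) pairs, one attribute per RDN."""
    enc = "utf-8" if string_tag == 0x0C else "latin-1"
    return der_encode(0x30, b"".join(
        der_encode(0x31, der_encode(0x30, oid + der_encode(string_tag, text.encode(enc))))
        for oid, text in rdns))

if __name__ == "__main__":
    # ISRG Root X1's real subject DN; compare with `openssl x509 -noout -subject_hash`
    isrg = make_name((OID_C, "US"), (OID_O, "Internet Security Research Group"),
                     (OID_CN, "ISRG Root X1"))
    print(openssl_name_hash(isrg))  # 4042bcee
```

Because of the canonicalisation, two names that differ only in case, spacing or ASN.1 string type hash identically; that is what makes the value usable for X.500 name matching, and also why it is a weak key for picking a chain. The hash identifies a distinguished name, not a key: two CA certificates with the same subject but different keys (a re-keyed intermediate) hash the same, whereas the issuer's subject key identifier and the leaf's authority key identifier, which `x509_certificate_info` does return, identify the key that actually signed.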