def _get_cert_details(self): cert_details = {} try: self._ensure_existing_certificate_loaded() except Exception as dummy: return if self.existing_certificate: serial_number = None expiry = None if self.backend == 'pyopenssl': serial_number = "{0:X}".format( self.existing_certificate.get_serial_number()) time_string = to_native( self.existing_certificate.get_notAfter()) expiry = datetime.datetime.strptime(time_string, "%Y%m%d%H%M%SZ") elif self.backend == 'cryptography': serial_number = "{0:X}".format( cryptography_serial_number_of_cert( self.existing_certificate)) expiry = self.existing_certificate.not_valid_after # get some information about the expiry of this certificate expiry_iso3339 = expiry.strftime("%Y-%m-%dT%H:%M:%S.00Z") cert_details['expiresAfter'] = expiry_iso3339 # If a trackingId is not already defined (from the result of a generate) # use the serial number to identify the tracking Id if self.trackingId is None and serial_number is not None: cert_results = self.ecs_client.GetCertificates( serialNumber=serial_number).get('certificates', {}) # Finding 0 or more than 1 result is a very unlikely use case, it simply means we cannot perform additional checks # on the 'state' as returned by Entrust Certificate Services (ECS). The general certificate validity is # still checked as it is in the rest of the module. if len(cert_results) == 1: self.trackingId = cert_results[0].get('trackingId') if self.trackingId is not None: cert_details.update( self.ecs_client.GetCertificate(trackingId=self.trackingId)) return cert_details
def dump(self, include_certificate): result = super(OwnCACertificateBackendCryptography, self).dump(include_certificate) result.update({ 'ca_cert': self.ca_cert_path, 'ca_privatekey': self.ca_privatekey_path, }) if self.module.check_mode: result.update({ 'notBefore': self.notBefore.strftime("%Y%m%d%H%M%SZ"), 'notAfter': self.notAfter.strftime("%Y%m%d%H%M%SZ"), 'serial_number': self.serial_number, }) else: if self.cert is None: self.cert = self.existing_certificate result.update({ 'notBefore': self.cert.not_valid_before.strftime("%Y%m%d%H%M%SZ"), 'notAfter': self.cert.not_valid_after.strftime("%Y%m%d%H%M%SZ"), 'serial_number': cryptography_serial_number_of_cert(self.cert), }) return result
def _get_serial_number(self): return cryptography_serial_number_of_cert(self.cert)
def __init__(self, module): super(CRL, self).__init__( module.params['path'], module.params['state'], module.params['force'], module.check_mode ) self.format = module.params['format'] self.update = module.params['mode'] == 'update' self.ignore_timestamps = module.params['ignore_timestamps'] self.return_content = module.params['return_content'] self.crl_content = None self.privatekey_path = module.params['privatekey_path'] self.privatekey_content = module.params['privatekey_content'] if self.privatekey_content is not None: self.privatekey_content = self.privatekey_content.encode('utf-8') self.privatekey_passphrase = module.params['privatekey_passphrase'] self.issuer = parse_name_field(module.params['issuer']) self.issuer = [(entry[0], entry[1]) for entry in self.issuer if entry[1]] self.last_update = get_relative_time_option(module.params['last_update'], 'last_update') self.next_update = get_relative_time_option(module.params['next_update'], 'next_update') self.digest = select_message_digest(module.params['digest']) if self.digest is None: raise CRLError('The digest "{0}" is not supported'.format(module.params['digest'])) self.revoked_certificates = [] for i, rc in enumerate(module.params['revoked_certificates']): result = { 'serial_number': None, 'revocation_date': None, 'issuer': None, 'issuer_critical': False, 'reason': None, 'reason_critical': False, 'invalidity_date': None, 'invalidity_date_critical': False, } path_prefix = 'revoked_certificates[{0}].'.format(i) if rc['path'] is not None or rc['content'] is not None: # Load certificate from file or content try: if rc['content'] is not None: rc['content'] = rc['content'].encode('utf-8') cert = load_certificate(rc['path'], content=rc['content'], backend='cryptography') result['serial_number'] = cryptography_serial_number_of_cert(cert) except OpenSSLObjectError as e: if rc['content'] is not None: module.fail_json( msg='Cannot parse certificate from {0}content: {1}'.format(path_prefix, to_native(e)) ) else: module.fail_json( msg='Cannot read certificate "{1}" from {0}path: {2}'.format(path_prefix, rc['path'], to_native(e)) ) else: # Specify serial_number (and potentially issuer) directly result['serial_number'] = rc['serial_number'] # All other options if rc['issuer']: result['issuer'] = [cryptography_get_name(issuer) for issuer in rc['issuer']] result['issuer_critical'] = rc['issuer_critical'] result['revocation_date'] = get_relative_time_option( rc['revocation_date'], path_prefix + 'revocation_date' ) if rc['reason']: result['reason'] = REVOCATION_REASON_MAP[rc['reason']] result['reason_critical'] = rc['reason_critical'] if rc['invalidity_date']: result['invalidity_date'] = get_relative_time_option( rc['invalidity_date'], path_prefix + 'invalidity_date' ) result['invalidity_date_critical'] = rc['invalidity_date_critical'] self.revoked_certificates.append(result) self.module = module self.backup = module.params['backup'] self.backup_file = None try: self.privatekey = load_privatekey( path=self.privatekey_path, content=self.privatekey_content, passphrase=self.privatekey_passphrase, backend='cryptography' ) except OpenSSLBadPassphraseError as exc: raise CRLError(exc) self.crl = None try: with open(self.path, 'rb') as f: data = f.read() self.actual_format = 'pem' if identify_pem_format(data) else 'der' if self.actual_format == 'pem': self.crl = x509.load_pem_x509_crl(data, default_backend()) if self.return_content: self.crl_content = data else: self.crl = x509.load_der_x509_crl(data, default_backend()) if self.return_content: self.crl_content = base64.b64encode(data) except Exception as dummy: self.crl_content = None self.actual_format = self.format