Hi
I am moving some older code that uses openssl shell commands to use
the newer community crypto OpenSSL ansible modules. Most of that works
well.
However, I have this task to find the issuer's hash:
shell: echo "{{ tls_cert_crt }}" | openssl x509 -noout -issuer_hash
I don't see any way of doing this using the community.crypto modules.
I've looked at community.crypto.x509_certificate_info but I don't see
this in the returned results.
Does anyone have a suggestion?
Similar for the issuer_hash.
thx
Hi Dick,
> I am moving some older code that uses openssl shell commands to use
> the newer community crypto OpenSSL ansible modules. Most of that works
> well.
> However, I have this task to find the issuer's hash:
> shell: echo "{{ tls_cert_crt }}" | openssl x509 -noout -issuer_hash
> I don't see any way of doing this using the community.crypto modules.
> I've looked at community.crypto.x509_certificate_info but I don't see
> this in the returned results.
> Does anyone have a suggestion?
I haven't checked, but if the issuer/subject hash for certificates is
similar to the one for CRLs, this unfortunately isn't easy to implement
(using the library we're using). Or at least that used to be the case
when I last checked this ~10 months ago. The issue where it was
discussed is
https://github.com/ansible-collections/community.crypto/issues/200
Cheers,
Felix
Yup, this is exactly the issue.
I did read https://stackoverflow.com/questions/71004481/what-does-openssl-x509-hash-calculate-the-hash-of/71004482,
and figured as much (very specific OpenSSL-ism), and didn't see any
refs to it in python cryptography.
We use certificates from only a handful of different CAs and we use an
ansible role that, given just the certificate, looks up what CA and/or
intermediates go with that. This avoids errors in deployment of the
CA(s), the order of the intermediate(s), and also avoids the
accidental deployment of root certs.
Up to now I had used the issuer_hash and subject_hash to do this matching.
This works, but after having read
https://security.stackexchange.com/a/200301 I think this is actually
not entirely correct.
The correct thing to do is using the subject/issuer key identifier -
which *are* reported by openssl_certificate_info.
I have rewritten the tasks, and now the logic is more correct, and the
code is simpler.
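As an added example (not code from the thread, nor from community.crypto), the POSIX shell script below uses the openssl CLI to build a throwaway CA, a second CA with the same subject name but a different key (a key rollover), and a leaf certificate signed by the first CA. It then runs both lookups discussed in this thread side by side: the OpenSSL-specific -issuer_hash/-subject_hash from the original task, and the Authority/Subject Key Identifier extensions the last message switched to. The CA name, file stems and the minimal config are constructed for the example; it assumes OpenSSL 1.1.1 or newer (for `x509 -ext`) and mktemp.

```shell
#!/bin/sh
# Added example: compare CA matching by OpenSSL name hash with matching by
# key identifier. Everything here (names, files, config) is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
[v3_leaf]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
basicConstraints = CA:FALSE
EOF

# Two self-signed CAs with the SAME subject name but different keys
# (what a CA key rollover looks like). $1 is the file stem.
new_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key" 2>/dev/null
  openssl req -x509 -new -key "$WORK/$1.key" -subj "/CN=Example Test CA" \
    -days 1 -config "$WORK/req.cnf" -extensions v3_ca \
    -out "$WORK/$1.crt" 2>/dev/null
}
new_ca ca1
new_ca ca2

# One leaf certificate, issued by ca1 only.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/leaf.key" 2>/dev/null
openssl req -new -key "$WORK/leaf.key" -subj "/CN=leaf.example.test" \
  -config "$WORK/req.cnf" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca1.crt" -CAkey "$WORK/ca1.key" \
  -CAcreateserial -days 1 -extfile "$WORK/req.cnf" -extensions v3_leaf \
  -out "$WORK/leaf.crt" 2>/dev/null

# OpenSSL's 32-bit name hash (8 hex chars), i.e. what the original shell task computed.
issuer_hash()  { openssl x509 -noout -issuer_hash  -in "$1"; }
subject_hash() { openssl x509 -noout -subject_hash -in "$1"; }

# Key identifier from an X.509v3 extension, as colon-separated hex.
# $1 = cert file, $2 = subjectKeyIdentifier | authorityKeyIdentifier.
# OpenSSL 1.1.1 prints the AKI as "keyid:AA:BB:..", 3.x as "AA:BB:.."; accept both.
key_id() {
  openssl x509 -noout -ext "$2" -in "$1" \
    | sed -n 's/^[[:space:]]*\(keyid:\)\{0,1\}\([0-9A-Fa-f:]\{1,\}\)$/\2/p'
}

# Print the stem of every candidate CA whose subject hash equals the leaf's issuer hash.
cas_matching_by_name_hash() {
  leaf=$1; shift
  want=$(issuer_hash "$leaf")
  for ca in "$@"; do
    [ "$(subject_hash "$ca")" = "$want" ] && basename "$ca" .crt
  done
  return 0
}

# Print the stem of every candidate CA whose SKI equals the leaf's AKI.
cas_matching_by_key_id() {
  leaf=$1; shift
  want=$(key_id "$leaf" authorityKeyIdentifier)
  for ca in "$@"; do
    [ "$(key_id "$ca" subjectKeyIdentifier)" = "$want" ] && basename "$ca" .crt
  done
  return 0
}

CANDIDATES="$WORK/ca1.crt $WORK/ca2.crt"
echo "leaf issuer_hash : $(issuer_hash "$WORK/leaf.crt")"
echo "ca1 subject_hash : $(subject_hash "$WORK/ca1.crt")"
echo "ca2 subject_hash : $(subject_hash "$WORK/ca2.crt")  (same name, same hash)"
echo "by name hash     : $(cas_matching_by_name_hash "$WORK/leaf.crt" $CANDIDATES | tr '\n' ' ')"
echo "by key identifier: $(cas_matching_by_key_id "$WORK/leaf.crt" $CANDIDATES | tr '\n' ' ')"
```

Run it with sh. Because both CAs carry the same subject name, the name-hash lookup returns ca1 and ca2 and cannot tell them apart, while the key-identifier lookup returns only ca1, the CA that actually holds the signing key. That is the distinction the last message in the thread relies on when it moves the role from issuer_hash/subject_hash to the subject and authority key identifiers.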