Vh`ddlmZmZmZeZdZdZdZddl Z ddl Z ddl Z ddl Z ddl Z ddlmZddlmZmZmZddl mZmZmZmZdd lmZmZdd lmZmZdd lmZdd lm Z m!Z!m"Z"m#Z#m$Z$dd l%m&Z&ddl'm(Z(dZ)dZ* ddl m+Z+dZ,dZ/ ddl0Z0ddl1Z0ddl2Z0ddl3m4Z5e(e0jlZ7dZ8dZ9dZ:e;dk(re:yy#e-$re j\Z*dZ,YWwxYw#e-$re j\Z/dZ8YLwxYw))absolute_importdivisionprint_functiona  module: get_certificate author: "John Westcott IV (@john-westcott-iv)" short_description: Get a certificate from a host:port description: - Makes a secure connection and returns information about the presented certificate. - The module uses the cryptography Python library. - Support SNI (L(Server Name Indication,https://en.wikipedia.org/wiki/Server_Name_Indication)) only with Python 2.7 and newer. extends_documentation_fragment: - community.crypto.attributes - community.crypto.attributes.idempotent_not_modify_state attributes: check_mode: support: none details: - This action does not modify state. diff_mode: support: N/A details: - This action does not modify state. options: host: description: - The host to get the cert for (IP is fine). type: str required: true ca_cert: description: - A PEM file containing one or more root certificates; if present, the cert will be validated against these root certs. - Note that this only validates the certificate is signed by the chain; not that the cert is valid for the host presenting it. type: path port: description: - The port to connect to. type: int required: true server_name: description: - Server name used for SNI (L(Server Name Indication,https://en.wikipedia.org/wiki/Server_Name_Indication)) when hostname is an IP or is different from server name. type: str version_added: 1.4.0 proxy_host: description: - Proxy host used when get a certificate. type: str proxy_port: description: - Proxy port used when get a certificate. type: int default: 8080 starttls: description: - Requests a secure connection for protocols which require clients to initiate encryption. - Only available for V(mysql) currently. type: str choices: - mysql version_added: 1.9.0 timeout: description: - The timeout in seconds. type: int default: 10 select_crypto_backend: description: - Determines which crypto backend to use. - The default choice is V(auto), which tries to use C(cryptography) if available. - If set to V(cryptography), will try to use the L(cryptography,https://cryptography.io/) library. type: str default: auto choices: [auto, cryptography] ciphers: description: - SSL/TLS Ciphers to use for the request. - When a list is provided, all ciphers are joined in order with V(:). - See the L(OpenSSL Cipher List Format,https://www.openssl.org/docs/manmaster/man1/openssl-ciphers.html#CIPHER-LIST-FORMAT) for more details. - The available ciphers is dependent on the Python and OpenSSL/LibreSSL versions. type: list elements: str version_added: 2.11.0 asn1_base64: description: - Whether to encode the ASN.1 values in the RV(extensions) return value with Base64 or not. - The documentation claimed for a long time that the values are Base64 encoded, but they never were. For compatibility this option is set to V(false). - The default value V(false) is B(deprecated) and will change to V(true) in community.crypto 3.0.0. type: bool version_added: 2.12.0 tls_ctx_options: description: - TLS context options (TLS/SSL OP flags) to use for the request. - See the L(List of SSL OP Flags,https://wiki.openssl.org/index.php/List_of_SSL_OP_Flags) for more details. - The available TLS context options is dependent on the Python and OpenSSL/LibreSSL versions. type: list elements: raw version_added: 2.21.0 get_certificate_chain: description: - If set to V(true), will obtain the certificate chain next to the certificate itself. - The chain as returned by the server can be found in RV(unverified_chain), and the chain that passed validation in RV(verified_chain). - B(Note) that this needs B(Python 3.10 or newer). Also note that only Python 3.13 or newer officially supports this. The module uses internal APIs of Python 3.10, 3.11, and 3.12 to achieve the same. It can be that future versions of Python 3.10, 3.11, or 3.12 break this. type: bool default: false version_added: 2.21.0 notes: - When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed. requirements: - "Python >= 2.7 when using O(proxy_host), and Python >= 3.10 when O(get_certificate_chain=true)" - "cryptography >= 1.6" seealso: - plugin: community.crypto.to_serial plugin_type: filter a0 cert: description: The certificate retrieved from the port. returned: success type: str expired: description: Boolean indicating if the cert is expired. returned: success type: bool extensions: description: Extensions applied to the cert. returned: success type: list elements: dict contains: critical: returned: success type: bool description: Whether the extension is critical. asn1_data: returned: success type: str description: - The ASN.1 content of the extension. - If O(asn1_base64=true) this will be Base64 encoded, otherwise the raw binary value will be returned. - Please note that the raw binary value might not survive JSON serialization to the Ansible controller, and also might cause failures when displaying it. See U(https://github.com/ansible/ansible/issues/80258) for more information. - B(Note) that depending on the C(cryptography) version used, it is not possible to extract the ASN.1 content of the extension, but only to provide the re-encoded content of the extension in case it was parsed by C(cryptography). This should usually result in exactly the same value, except if the original extension value was malformed. name: returned: success type: str description: The extension's name. issuer: description: Information about the issuer of the cert. returned: success type: dict not_after: description: Expiration date of the cert. returned: success type: str not_before: description: Issue date of the cert. returned: success type: str serial_number: description: - The serial number of the cert. - This return value is an B(integer). If you need the serial numbers as a colon-separated hex string, such as C(11:22:33), you need to convert it to that form with P(community.crypto.to_serial#filter). returned: success type: int signature_algorithm: description: The algorithm used to sign the cert. returned: success type: str subject: description: Information about the subject of the cert (C(OU), C(CN), and so on). returned: success type: dict version: description: The version number of the certificate. returned: success type: str verified_chain: description: - The verified certificate chain retrieved from the port. - The first entry is always RV(cert). - The last certificate the root certificate the chain is traced to. If O(ca_cert) is provided this certificate is part of that store; otherwise it is part of the store used by default by Python. - Note that RV(unverified_chain) generally does not contain the root certificate, and might contain other certificates that are not part of the validated chain. returned: success and O(get_certificate_chain=true) type: list elements: str version_added: 2.21.0 unverified_chain: description: - The certificate chain retrieved from the port. - The first entry is always RV(cert). returned: success and O(get_certificate_chain=true) type: list elements: str version_added: 2.21.0 am --- - name: Get the cert from an RDP port community.crypto.get_certificate: host: "1.2.3.4" port: 3389 delegate_to: localhost run_once: true register: cert - name: Get a cert from an https port community.crypto.get_certificate: host: "www.google.com" port: 443 delegate_to: localhost run_once: true register: cert - name: How many days until cert expires ansible.builtin.debug: msg: "cert expires in: {{ expire_days }} days." vars: expire_days: >- {{ ( (cert.not_after | ansible.builtin.to_datetime('%Y%m%d%H%M%SZ')) - (ansible_date_time.iso8601 | ansible.builtin.to_datetime('%Y-%m-%dT%H:%M:%SZ')) ).days }} - name: Allow legacy insecure renegotiation to get a cert from a legacy device community.crypto.get_certificate: host: "legacy-device.domain.com" port: 443 ciphers: - HIGH tls_ctx_options: - OP_ALL - OP_NO_SSLv3 - OP_CIPHER_SERVER_PREFERENCE - OP_ENABLE_MIDDLEBOX_COMPAT - OP_NO_COMPRESSION - 4 # OP_LEGACY_SERVER_CONNECT delegate_to: localhost run_once: true register: legacy_cert N)isfile)create_connectionsetdefaulttimeoutsocket) CERT_NONE CERT_REQUIREDDER_cert_to_PEM_certget_server_certificate) AnsibleModulemissing_required_lib)to_bytes to_native) string_types)CRYPTOGRAPHY_TIMEZONE%cryptography_get_extensions_from_certcryptography_oid_to_nameget_not_valid_afterget_not_valid_before)get_now_datetime) LooseVersionz1.6)create_default_contextTF)default_backendcX|dk(r%d}|jd|j|yy)Nmysqls$ ! )recvsend)sock server_typessl_request_packets t/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/crypto/plugins/modules/get_certificate.pysend_starttls_packetr%Cs9g "    $%ctttdtddtddtdtddtdtdd tdd d gd tdd gtddtdtddtdd }|jjd}|jjd}|jjd}|jjd}|jjd}|jjd}|jjd}|jjd}|jjd} |jd} |jd } |jd!} | |j d"d#d$%d} | r6t j d&kr#|jd't jz(|jjd)} | d k(rLtxrtttk\}|rd } | d k(r%|jd*jt(| d k(r9ts3|jtd+jtt,td-}|r t!||rt#|s|jd.(d}d}t$s]|r|jd/t&,| |jd0t&,| |jd1t&, t)||f|2}n |rvd4|d5|d6}t-}t/j0|j2|j5||f|j7|j9|j;d7n,t=||f}t/j0|j2|rt?|8}d|_ tB|_"nt?}d|_ tF|_"| tI||| "d5jK| }|jM|| d9|_'| D]}tQ|tRrQtU|}tWtX|d}tQ|tZr|}nX|jd:j|(n6tQ|tZr|}n#|jd;j|(d9} |xjNzc_'|j]||xs|=}|j_d}ta|}| rt j d>krr?r@rArBzThe default value `false` for asn1_base64 is deprecated and will change to `true` in community.crypto 3.0.0. If you need this value, it is best to set the value explicitly and adjust your roles/playbooks to use `asn1_base64=true` as soon as possiblez3.0.0zcommunity.crypto)versioncollection_name)r.zget_certificate_chain=true can only be used with Python 3.10 (Python 3.13+ officially supports this). The Python version used to run the get_certificate module is %s)msgr=z?Cannot detect the required Python library cryptography (>= {0})zcryptography >= {0})rG exception)changedzca_cert file does not existzTTo use proxy_host, you must run the get_certificate module with Python 2.7 or newer.zQTo use ciphers, you must run the get_certificate module with Python 2.7 or newer.zYTo use tls_ctx_options, you must run the get_certificate module with Python 2.7 or newer.)ca_certsz+Failed to get cert from {0}:{1}, error: {2}zCONNECT :z HTTP/1.0 r)cafilerz-Failed to determine the numeric value for {0}z6tls_ctx_options must be a string or integer, got {0!r}z Failed to add {0} to CTX options)server_hostname)rF c|sgS|Dcgc]+}|jtjj-c}Scc}wN) public_bytesssl_ssl ENCODING_DERchaincs r$_convert_chainzmain.._convert_chain!s1$#%IOTU!sxx/D/D EUUUs0<c|Dcgc]=}t|tr|n(|jtjj ?c}Scc}wrP) isinstancebytesrQrRrSrTrUs r$rXzmain.._convert_chain2sN&+   !"$.a#7!"%&^^CHH4I4I%J!K  sAA z=Failed to get cert via proxy {0}:{1} from {2}:{3}, error: {4}certsubject)short) with_timezoneexpired extensionscriticalvalue)rb asn1_datanamerdissuerz %Y%m%d%H%M%SZ not_after not_before serial_numbersignature_algorithmrDunknownverified_chainunverified_chain)Ordictparamsget deprecatesys version_info fail_jsonrDCRYPTOGRAPHY_FOUNDCRYPTOGRAPHY_VERSIONrMINIMAL_CRYPTOGRAPHY_VERSIONformatrCRYPTOGRAPHY_IMP_ERRrrHAS_CREATE_DEFAULT_CONTEXTCREATE_DEFAULT_CONTEXT_IMP_ERRr Exceptionr atexitregistercloseconnectr encoderrrcheck_hostnamer verify_moder r%join set_ciphersoptionsrZrrgetattrrRr, wrap_socket getpeercertr _sslobjget_verified_chainget_unverified_chainr0x509load_pem_x509_certificatercryptography_backendr]rcroidrrrritemsObjectIdentifierbase64 b64decodeappendrfstrftimerrisignature_algorithm_oidVersionv1v3 exit_json)(moduler6r7r8r9r:r<r;start_tls_server_typer?r@rArBbackendcan_use_cryptographyresultrmrnr\err!ctxciphers_joinedtls_ctx_optiontls_ctx_option_strtls_ctx_option_attrtls_ctx_option_inttls_sockrXssl_objverified_der_chainunverified_der_chainrWr attribute dotted_numberentryrexts( r$mainrSs> f%540540'5%(eR0"&V^$  ?N %    j8       g8    &   o8   )4,IDG >BDIx + j*56 '..*+ $($6 +,G<%*""/,.%*""+$0$T+@A"!$'!2/* '6)N!.,?-6~-F*.5c;Mt.T+%&93?1D.#,,$S$Z$Z$6%"- $NC8-;*(( X _ _ .!) + '99 G)Vt[=PDQH''-D'-D$##g- V '..G)78R8R8T)U&+9446,(*88S8S8U)V&+9 557,(DV!Va"6q"9!V!V5I$01(+$ $$F6N.   :: TN02 y I 9 6y}}DQ R  058H/9  y "|$I$$O$U$U$W - M5##''88GC!*-"7^0DAC #)#3#3C 4D#EK < ' ' , -x I 8 5imm4P Q  2$7@@Q{3D9BB?S|"&"4"4(@  ( () $% <<<,,4477 7 %F9  \\\..6699 9 %F9  )F9   %'5F# $  ')9F% &FvM    AHHtUVW    V%(( B I I 2 H6H!)b"W$   W^^"JdA!   ELLdA! sob,F8c9%b::B9c93c/c9 c4c9 b7 #b22b7:.c,(c9+c,, c99 eA ee__main__)< __future__rrrr) __metaclass__ DOCUMENTATIONRETURNEXAMPLESrrrRrt tracebackos.pathrr rrr r r r ansible.module_utils.basicrr+ansible.module_utils.common.text.convertersrransible.module_utils.sixrUansible_collections.community.crypto.plugins.module_utils.crypto.cryptography_supportrrrrr>ansible_collections.community.crypto.plugins.module_utils.timerAansible_collections.community.crypto.plugins.module_utils.versionrryr}rr| ImportError format_excr{r0cryptography.exceptionscryptography.x509cryptography.hazmat.backendsrr __version__rxrwr%r__name__ror&r$rs*A@ y vU n, \ ??VVJK1 %!%&* "& "T' (@(@A  & xv  zFA '%9Y%9%9%;"!&'/9//1s$8B=$C=CCC65C6