ansible-collections · felixfontein · Apr 16, 2023 · Apr 6, 2023
diff --git a/changelogs/fragments/592-get_certificate-base64.yml b/changelogs/fragments/592-get_certificate-base64.yml
@@ -0,0 +1,2 @@
+minor_changes:
+  - "get_certificate - add ``asn1_base64`` option to control whether the ASN.1 included in the ``extensions`` return value is binary data or Base64 encoded (https://github.com/ansible-collections/community.crypto/pull/592)."
diff --git a/plugins/modules/get_certificate.py b/plugins/modules/get_certificate.py
@@ -91,6 +91,15 @@
       type: list
       elements: str
       version_added: 2.11.0
+    asn1_base64:
+      description:
+        - Whether to encode the ASN.1 values in the C(extensions) return value with Base64 or not.
+        - The documentation claimed for a long time that the values are Base64 encoded, but they
+          never were. For compatibility this option is set to C(false), but that value will eventually
+          be deprecated and changed to C(true).
+      type: bool
+      default: false
+      version_added: 2.12.0
 
 notes:
     - When using ca_cert on OS X it has been reported that in some conditions the validate will always succeed.
@@ -123,7 +132,12 @@
             returned: success
             type: str
             description:
-              - The Base64 encoded ASN.1 content of the extension.
+              - The ASN.1 content of the extension.
+              - If I(asn1_base64=true) this will be Base64 encoded, otherwise the raw
+                binary value will be returned.
+              - Please note that the raw binary value might not survive JSON serialization
+                to the Ansible controller, and also might cause failures when displaying it.
+                See U(https://github.com/ansible/ansible/issues/80258) for more information.
               - B(Note) that depending on the C(cryptography) version used, it is
                 not possible to extract the ASN.1 content of the extension, but only
                 to provide the re-encoded content of the extension in case it was
@@ -258,6 +272,7 @@ def main():
             select_crypto_backend=dict(type='str', choices=['auto', 'cryptography'], default='auto'),
             starttls=dict(type='str', choices=['mysql']),
             ciphers=dict(type='list', elements='str'),
+            asn1_base64=dict(type='bool', default=False),
         ),
     )
 
@@ -270,6 +285,7 @@ def main():
     server_name = module.params.get('server_name')
     start_tls_server_type = module.params.get('starttls')
     ciphers = module.params.get('ciphers')
+    asn1_base64 = module.params['asn1_base64']
 
     backend = module.params.get('select_crypto_backend')
     if backend == 'auto':
@@ -366,11 +382,14 @@ def main():
         result['extensions'] = []
         for dotted_number, entry in cryptography_get_extensions_from_cert(x509).items():
             oid = cryptography.x509.oid.ObjectIdentifier(dotted_number)
-            result['extensions'].append({
+            ext = {
                 'critical': entry['critical'],
-                'asn1_data': base64.b64decode(entry['value']),
+                'asn1_data': entry['value'],
                 'name': cryptography_oid_to_name(oid, short=True),
-            })
+            }
+            if not asn1_base64:
+                ext['asn1_data'] = base64.b64decode(ext['asn1_data'])
+            result['extensions'].append(ext)
 
         result['issuer'] = {}
         for attribute in x509.issuer:

diff --git a/tests/integration/targets/get_certificate/tests/validate.yml b/tests/integration/targets/get_certificate/tests/validate.yml
@@ -8,6 +8,7 @@
     host: "{{ httpbin_host }}"
     port: 443
     server_name: "{{ sni_host }}"
+    asn1_base64: true
   register: result
 
 - debug: var=result
@@ -25,6 +26,7 @@
     host: "{{ sni_host }}"
     port: 443
     server_name: "{{ httpbin_host }}"
+    asn1_base64: true
   register: result
 
 - debug: var=result
@@ -42,6 +44,7 @@
     host: "{{ httpbin_host }}"
     port: 443
     select_crypto_backend: "{{ select_crypto_backend }}"
+    asn1_base64: true
   register: result
 
 - debug: var=result
@@ -59,6 +62,7 @@
     host: "{{ httpbin_host }}"
     port: 80
     select_crypto_backend: "{{ select_crypto_backend }}"
+    asn1_base64: true
   register: result
   ignore_errors: true
 
@@ -75,6 +79,7 @@
     port: 1234
     timeout: 1
     select_crypto_backend: "{{ select_crypto_backend }}"
+    asn1_base64: true
   register: result
   ignore_errors: true
 
@@ -91,6 +96,7 @@
     port: 443
     ca_cert: dn.e
     select_crypto_backend: "{{ select_crypto_backend }}"
+    asn1_base64: true
   register: result
   ignore_errors: true
 
@@ -112,6 +118,7 @@
     host: "{{ httpbin_host }}"
     port: 443
     select_crypto_backend: "{{ select_crypto_backend }}"
+    asn1_base64: true
   register: result
 
 - assert:
@@ -150,6 +157,7 @@
     host: "{{ httpbin_host }}"
     port: 443
     select_crypto_backend: "{{ select_crypto_backend }}"
+    asn1_base64: true
   register: result
   ignore_errors: true
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		minor_changes:
		- "get_certificate - add ``asn1_base64`` option to control whether the ASN.1 included in the ``extensions`` return value is binary data or Base64 encoded (https://github.com/ansible-collections/community.crypto/pull/592)."