From 9427d7b001bd9cb769fb2940cfa263a448d62b80 Mon Sep 17 00:00:00 2001
From: Daniil Baturin <daniil@baturin.org>
Date: Wed, 9 Aug 2023 17:54:31 +0100
Subject: pki: T5273: add a certificate fingerprint command

---
 op-mode-definitions/pki.xml.in |  9 +++++++++
 python/vyos/pki.py             | 14 +++++++++++++-
 src/op_mode/pki.py             | 13 ++++++++++++-
 3 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/op-mode-definitions/pki.xml.in b/op-mode-definitions/pki.xml.in
index c5abf86cd..ca0eb3687 100644
--- a/op-mode-definitions/pki.xml.in
+++ b/op-mode-definitions/pki.xml.in
@@ -535,6 +535,15 @@
                 </properties>
                 <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --certificate "$4" --pem</command>
               </leafNode>
+              <tagNode name="fingerprint">
+                <properties>
+                  <help>Show x509 certificate fingerprint</help>
+                  <completionHelp>
+                    <list>sha256 sha384 sha512</list>
+                  </completionHelp>
+                </properties>
+                <command>sudo ${vyos_op_scripts_dir}/pki.py --action show --certificate "$4" --fingerprint "$6"</command>
+              </tagNode>
             </children>
           </tagNode>
           <leafNode name="crl">
diff --git a/python/vyos/pki.py b/python/vyos/pki.py
index cd15e3878..792e24b76 100644
--- a/python/vyos/pki.py
+++ b/python/vyos/pki.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 #
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2023 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
@@ -63,6 +63,18 @@ private_format_map = {
     'OpenSSH': serialization.PrivateFormat.OpenSSH
 }
 
+hash_map = {
+    'sha256': hashes.SHA256,
+    'sha384': hashes.SHA384,
+    'sha512': hashes.SHA512,
+}
+
+def get_certificate_fingerprint(cert, hash):
+    hash_algorithm = hash_map[hash]()
+    fp = cert.fingerprint(hash_algorithm)
+
+    return fp.hex(':').upper()
+
 def encode_certificate(cert):
     return cert.public_bytes(encoding=serialization.Encoding.PEM).decode('utf-8')
 
diff --git a/src/op_mode/pki.py b/src/op_mode/pki.py
index 4c31291ad..f638c51bc 100755
--- a/src/op_mode/pki.py
+++ b/src/op_mode/pki.py
@@ -28,6 +28,7 @@ from vyos.config import Config
 from vyos.configquery import ConfigTreeQuery
 from vyos.configdict import dict_merge
 from vyos.pki import encode_certificate, encode_public_key, encode_private_key, encode_dh_parameters
+from vyos.pki import get_certificate_fingerprint
 from vyos.pki import create_certificate, create_certificate_request, create_certificate_revocation_list
 from vyos.pki import create_private_key
 from vyos.pki import create_dh_parameters
@@ -916,6 +917,12 @@ def show_certificate(name=None, pem=False):
     print("Certificates:")
     print(tabulate.tabulate(data, headers))
 
+def show_certificate_fingerprint(name, hash):
+    cert = get_config_certificate(name=name)
+    cert = load_certificate(cert['certificate'])
+
+    print(get_certificate_fingerprint(cert, hash))
+
 def show_crl(name=None, pem=False):
     headers = ['CA Name', 'Updated', 'Revokes']
     data = []
@@ -961,6 +968,7 @@ if __name__ == '__main__':
     parser.add_argument('--sign', help='Sign certificate with specified CA', required=False)
     parser.add_argument('--self-sign', help='Self-sign the certificate', action='store_true')
     parser.add_argument('--pem', help='Output using PEM encoding', action='store_true')
+    parser.add_argument('--fingerprint', help='Show fingerprint and exit', action='store')
 
     # SSH
     parser.add_argument('--ssh', help='SSH Key', required=False)
@@ -1057,7 +1065,10 @@ if __name__ == '__main__':
                     if not conf.exists(['pki', 'certificate', cert_name]):
                         print(f'Certificate "{cert_name}" does not exist!')
                         exit(1)
-                show_certificate(None if args.certificate == 'all' else args.certificate, args.pem)
+                if args.fingerprint is None:
+                    show_certificate(None if args.certificate == 'all' else args.certificate, args.pem)
+                else:
+                    show_certificate_fingerprint(args.certificate, args.fingerprint)
             elif args.crl:
                 show_crl(None if args.crl == 'all' else args.crl, args.pem)
             else:
-- 
cgit v1.2.3