From de7a9f98edc4ff8c766bd351b57601460de27419 Mon Sep 17 00:00:00 2001
From: Ben O'Hara
Date: Wed, 8 Sep 2021 11:34:43 +1000
Subject: [PATCH] Add sha256 fingerprint alongside sha1

Generate SHA256 fingerprint and also SHA1/256 fingerprints in RFC4716 HEX format.
---
 .../provider/data_source_tls_certificate.go | 49 +++++++++++++++----
 .../data_source_tls_certificate_test.go     |  7 +++
 website/docs/d/tls_certificate.html.md      |  3 ++
 3 files changed, 49 insertions(+), 10 deletions(-)

diff --git a/internal/provider/data_source_tls_certificate.go b/internal/provider/data_source_tls_certificate.go
index baf081cf..02279c81 100644
--- a/internal/provider/data_source_tls_certificate.go
+++ b/internal/provider/data_source_tls_certificate.go
@@ -2,6 +2,7 @@ package provider
 
 import (
 	"crypto/sha1"
+	"crypto/sha256"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
@@ -68,6 +69,18 @@ func dataSourceTlsCertificate() *schema.Resource {
 							Type:     schema.TypeString,
 							Computed: true,
 						},
+						"sha1_fingerprint_rfc4716": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"sha256_fingerprint": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
+						"sha256_fingerprint_rfc4716": {
+							Type:     schema.TypeString,
+							Computed: true,
+						},
 					},
 				},
 			},
@@ -111,18 +124,34 @@ func dataSourceTlsCertificateRead(d *schema.ResourceData, _ interface{}) error {
 	return nil
 }
 
+func rfc4716hex(data []byte) string {
+	var fingerprint string
+	for i := 0; i < len(data); i++ {
+		fingerprint = fmt.Sprintf("%s%0.2x", fingerprint, data[i])
+		if i != len(data)-1 {
+			fingerprint = fingerprint + ":"
+		}
+	}
+	return fingerprint
+}
+
 func parsePeerCertificate(cert *x509.Certificate) map[string]interface{} {
+	sha1_fingerprint := sha1.Sum(cert.Raw)
+	sha256_fingerprint := sha256.Sum256(cert.Raw)
 	ret := map[string]interface{}{
-		"signature_algorithm":  cert.SignatureAlgorithm.String(),
-		"public_key_algorithm": cert.PublicKeyAlgorithm.String(),
-		"serial_number":        cert.SerialNumber.String(),
-		"is_ca":                cert.IsCA,
-		"version":              cert.Version,
-		"issuer":               cert.Issuer.String(),
-		"subject":              cert.Subject.String(),
-		"not_before":           cert.NotBefore.Format(time.RFC3339),
-		"not_after":            cert.NotAfter.Format(time.RFC3339),
-		"sha1_fingerprint":     fmt.Sprintf("%x", sha1.Sum(cert.Raw)),
+		"signature_algorithm":        cert.SignatureAlgorithm.String(),
+		"public_key_algorithm":       cert.PublicKeyAlgorithm.String(),
+		"serial_number":              cert.SerialNumber.String(),
+		"is_ca":                      cert.IsCA,
+		"version":                    cert.Version,
+		"issuer":                     cert.Issuer.String(),
+		"subject":                    cert.Subject.String(),
+		"not_before":                 cert.NotBefore.Format(time.RFC3339),
+		"not_after":                  cert.NotAfter.Format(time.RFC3339),
+		"sha1_fingerprint":           fmt.Sprintf("%x", sha1_fingerprint),
+		"sha1_fingerprint_rfc4716":   rfc4716hex(sha1_fingerprint[:]),
+		"sha256_fingerprint":         fmt.Sprintf("%x", sha256_fingerprint),
+		"sha256_fingerprint_rfc4716": rfc4716hex(sha256_fingerprint[:]),
 	}
 
 	return ret
diff --git a/internal/provider/data_source_tls_certificate_test.go b/internal/provider/data_source_tls_certificate_test.go
index 8d269a26..329dec7b 100644
--- a/internal/provider/data_source_tls_certificate_test.go
+++ b/internal/provider/data_source_tls_certificate_test.go
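Review bot: `rfc4716hex` rebuilds the whole string on every iteration with `fmt.Sprintf("%s%0.2x", fingerprint, data[i])`, so the formatting is quadratic in the digest length and relies on the unusual precision verb `%0.2x` where `%02x` is the conventional zero-padded byte form; a `strings.Builder` with `fmt.Fprintf(&b, "%02x", v)` yields the same output in one pass (this needs `strings` in the import block, of which only the first hunk's slice is visible). The function also has no doc comment; I would add `// rfc4716hex renders data as colon-separated lowercase hex byte pairs (aa:bb:cc), the fingerprint layout the schema attributes call RFC4716 format.` It is worth a comment on parsePeerCertificate stating that all four fingerprints are digests of cert.Raw, i.e. the DER-encoded certificate rather than its public key, since that is what anyone pinning on these values needs to know. The locals `sha1_fingerprint` and `sha256_fingerprint` use underscores where Go style would be `sha1Sum`/`sha256Sum`. parsePeerCertificate's closing brace lies outside the hunk.
```go
func rfc4716hex(data []byte) string {
	var b strings.Builder
	for i, v := range data {
		if i > 0 {
			b.WriteByte(':')
		}
		fmt.Fprintf(&b, "%02x", v)
	}
	return b.String()
}
```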
@@ -42,6 +42,9 @@ data "tls_certificate" "test" {
 					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.0.not_before", "2019-11-07T15:47:48Z"),
 					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.0.not_after", "2019-12-17T15:47:48Z"),
 					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.0.sha1_fingerprint", "5829a9bcc57f317719c5c98d1f48d6c9957cb44e"),
+					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.0.sha256_fingerprint", "fbab4a817b07545e5a674208f0fd4b6975305d0bd65419d23f6ce8476865f7a1"),
+					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.0.sha1_fingerprint_rfc4716", "58:29:a9:bc:c5:7f:31:77:19:c5:c9:8d:1f:48:d6:c9:95:7c:b4:4e"),
+					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.0.sha256_fingerprint_rfc4716", "fb:ab:4a:81:7b:07:54:5e:5a:67:42:08:f0:fd:4b:69:75:30:5d:0b:d6:54:19:d2:3f:6c:e8:47:68:65:f7:a1"),
 
 					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.signature_algorithm", "SHA256-RSA"),
 					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.public_key_algorithm", "RSA"),
@@ -53,6 +56,10 @@ data "tls_certificate" "test" {
 					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.not_before", "2019-11-08T09:01:36Z"),
 					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.not_after", "2019-11-08T19:01:36Z"),
 					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.sha1_fingerprint", "61b65624427d75b61169100836904e44364df817"),
+					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.sha256_fingerprint", "66d69bb2324b5fdef01ee5c59d6bdc1fce1a0db62ee6ba897a4bc1fdace20520"),
+					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.sha1_fingerprint_rfc4716", "61:b6:56:24:42:7d:75:b6:11:69:10:08:36:90:4e:44:36:4d:f8:17"),
+					resource.TestCheckResourceAttr("data.tls_certificate.test", "certificates.1.sha256_fingerprint_rfc4716", "66:d6:9b:b2:32:4b:5f:de:f0:1e:e5:c5:9d:6b:dc:1f:ce:1a:0d:b6:2e:e6:ba:89:7a:4b:c1:fd:ac:e2:05:20"),
+
 				),
 			},
 		},
diff --git a/website/docs/d/tls_certificate.html.md b/website/docs/d/tls_certificate.html.md
index fc95a44c..08414310 100644
--- a/website/docs/d/tls_certificate.html.md
+++ b/website/docs/d/tls_certificate.html.md
@@ -53,6 +53,9 @@ The following attributes are exported: * `certificates.#.serial_number` - Number that uniquely identifies the certificate with the CA's system. The `format` function can be used to convert this base 10 number into other bases, such as hex. * `certificates.#.sha1_fingerprint` - The SHA1 fingerprint of the public key of the certificate. + * `certificates.#.sha256_fingerprint` - The SHA256 fingerprint of the public key of the certificate. + * `certificates.#.sha1_fingerprint_rfc4716` - The SHA1 thumbprint of the public key of the certificate in RFC4716 format. + * `certificates.#.sha256_fingerprint_rfc4716` - The SHA256 thumbprint of the public key of the certificate in RFC4716 format. * `certificates.#.signature_algorithm` - The algorithm used to sign the certificate. * `certificates.#.subject` - The entity the certificate belongs to, roughly following [RFC2253](https://tools.ietf.org/html/rfc2253).