public_key_fingerprint_x509_sha256

docs/data-sources/public_key.md

@@ -46,5 +46,6 @@ data "tls_public_key" "private_key_openssh-example" {
 - `openssh_comment` (String) The OpenSSH comment.
 - `public_key_fingerprint_md5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, as per the rules for `public_key_openssh` and [ECDSA P224 limitations](../../docs#limitations).
 - `public_key_fingerprint_sha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, as per the rules for `public_key_openssh` and [ECDSA P224 limitations](../../docs#limitations).
+- `public_key_fingerprint_x509_sha256` (String) The SHA256 hash of the binary key data, encoded as a base64 string
 - `public_key_openssh` (String) The public key, in  [OpenSSH PEM (RFC 4716)](https://datatracker.ietf.org/doc/html/rfc4716) format. This is also known as ['Authorized Keys'](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
 - `public_key_pem` (String) The public key, in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).

docs/resources/private_key.md

@@ -64,6 +64,7 @@ resource "tls_private_key" "ed25519-example" {
 - `private_key_pem_pkcs8` (String, Sensitive) Private key data in [PKCS#8 PEM (RFC 5208)](https://datatracker.ietf.org/doc/html/rfc5208) format.
 - `public_key_fingerprint_md5` (String) The fingerprint of the public key data in OpenSSH MD5 hash format, e.g. `aa:bb:cc:...`. Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).
 - `public_key_fingerprint_sha256` (String) The fingerprint of the public key data in OpenSSH SHA256 hash format, e.g. `SHA256:...`. Only available if the selected private key format is compatible, similarly to `public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).
+- `public_key_fingerprint_x509_sha256` (String) The SHA256 hash of the binary key data, encoded as a base64 string
 - `public_key_openssh` (String) The public key data in ["Authorized Keys"](https://www.ssh.com/academy/ssh/authorized_keys/openssh#format-of-the-authorized-keys-file) format. This is not populated for `ECDSA` with curve `P224`, as it is [not supported](../../docs#limitations). **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
 - `public_key_pem` (String) Public key data in [PEM (RFC 1421)](https://datatracker.ietf.org/doc/html/rfc1421) format. **NOTE**: the [underlying](https://pkg.go.dev/encoding/pem#Encode) [libraries](https://pkg.go.dev/golang.org/x/crypto/ssh#MarshalAuthorizedKey) that generate this value append a `\n` at the end of the PEM. In case this disrupts your use case, we recommend using [`trimspace()`](https://www.terraform.io/language/functions/trimspace).
 

internal/provider/common_key.go

@@ -12,6 +12,7 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/pem"
 	"fmt"
 	"strings"
@@ -183,6 +184,9 @@ func setPublicKeyAttributes(ctx context.Context, s *tfsdk.State, prvKey crypto.P
 		Type:  PreamblePublicKey.String(),
 		Bytes: pubKeyBytes,
 	}
+	hasher := crypto.SHA256.New()
+	hasher.Write(pubKeyBytes)
+	pubKeyDERFingerprintSHA256 := hasher.Sum(nil)
 
 	diags.Append(s.SetAttribute(ctx, path.Root("id"), hashForState(string(pubKeyBytes)))...)
 	if diags.HasError() {
@@ -194,6 +198,11 @@ func setPublicKeyAttributes(ctx context.Context, s *tfsdk.State, prvKey crypto.P
 		return diags
 	}
 
+	diags.Append(s.SetAttribute(ctx, path.Root("public_key_fingerprint_x509_sha256"), base64.StdEncoding.EncodeToString(pubKeyDERFingerprintSHA256))...)
+	if diags.HasError() {
+		return diags
+	}
+
 	// NOTE: ECDSA keys with elliptic curve P-224 are not supported by `x/crypto/ssh`,
 	// so this will return an error: in that case, we set the below fields to emptry strings
 	sshPubKey, err := ssh.NewPublicKey(pubKey)

internal/provider/data_source_public_key.go

@@ -105,6 +105,10 @@ func (d *publicKeyDataSource) Schema(ctx context.Context, req datasource.SchemaR
 					"Only available if the selected private key format is compatible, as per the rules for " +
 					"`public_key_openssh` and [ECDSA P224 limitations](../../docs#limitations).",
 			},
+			"public_key_fingerprint_x509_sha256": schema.StringAttribute{
+				Computed:    true,
+				Description: "The SHA256 hash of the binary key data, encoded as a base64 string",
+			},
 			"id": schema.StringAttribute{
 				Computed: true,
 				Description: "Unique identifier for this data source: " +

internal/provider/data_source_public_key_test.go

@@ -42,6 +42,7 @@ func TestPublicKey_dataSource_PEM(t *testing.T) {
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_openssh", strings.TrimSpace(fixtures.TestPublicKeyOpenSSH)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_md5", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintMD5)),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_sha256", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintSHA256)),
+					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_x509_sha256", strings.TrimSpace((fixtures.TestPublicKeyX509FingerprintSHA256))),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "algorithm", "RSA"),
 				),
 			},
@@ -96,6 +97,7 @@ func TestPublicKey_dataSource_PEM_UpgradeFromVersion3_4_0(t *testing.T) {
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_openssh", strings.TrimSpace(fixtures.TestPublicKeyOpenSSH)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_md5", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintMD5)),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_sha256", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintSHA256)),
+					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_x509_sha256", strings.TrimSpace((fixtures.TestPublicKeyX509FingerprintSHA256))),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "algorithm", "RSA"),
 				),
 			},
@@ -112,6 +114,7 @@ func TestPublicKey_dataSource_PEM_UpgradeFromVersion3_4_0(t *testing.T) {
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_openssh", strings.TrimSpace(fixtures.TestPublicKeyOpenSSH)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_md5", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintMD5)),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_sha256", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintSHA256)),
+					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_x509_sha256", strings.TrimSpace((fixtures.TestPublicKeyX509FingerprintSHA256))),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "algorithm", "RSA"),
 				),
 			},
@@ -130,6 +133,7 @@ func TestPublicKey_dataSource_OpenSSHPEM(t *testing.T) {
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_openssh", strings.TrimSpace(fixtures.TestPublicKeyOpenSSH)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_md5", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintMD5)),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_sha256", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintSHA256)),
+					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_x509_sha256", strings.TrimSpace((fixtures.TestPublicKeyX509FingerprintSHA256))),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "algorithm", "RSA"),
 				),
 			},
@@ -183,6 +187,7 @@ func TestAccPublicKey_dataSource_OpenSSHPEM_UpgradeFromVersion3_4_0(t *testing.T
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_openssh", strings.TrimSpace(fixtures.TestPublicKeyOpenSSH)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_md5", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintMD5)),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_sha256", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintSHA256)),
+					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_x509_sha256", strings.TrimSpace((fixtures.TestPublicKeyX509FingerprintSHA256))),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "algorithm", "RSA"),
 				),
 			},
@@ -194,6 +199,7 @@ func TestAccPublicKey_dataSource_OpenSSHPEM_UpgradeFromVersion3_4_0(t *testing.T
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_openssh", strings.TrimSpace(fixtures.TestPublicKeyOpenSSH)+"\n"),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_md5", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintMD5)),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_sha256", strings.TrimSpace(fixtures.TestPublicKeyOpenSSHFingerprintSHA256)),
+					r.TestCheckResourceAttr("data.tls_public_key.test", "public_key_fingerprint_x509_sha256", strings.TrimSpace((fixtures.TestPublicKeyX509FingerprintSHA256))),
 					r.TestCheckResourceAttr("data.tls_public_key.test", "algorithm", "RSA"),
 				),
 			},

internal/provider/fixtures/fixtures.go

@@ -71,7 +71,7 @@ D9Hk2MajZuFnJiqj1QIDAQAB
 	TestPublicKeyOpenSSH                  = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDPLaq43D9C596ko9yQipWUf2FbRhFs18D3wBDBqXLIoP7W3rm5S292/JiNPa+mX76IYFF416zTBGG9J5w4d4VFrROn8IuMWqHgdXsCUf2szN7EnJcVBsBzTxxWqz4DjX315vbm/PFOLlKzC0Ngs4h1iDiCD9Hk2MajZuFnJiqj1Q==`
 	TestPublicKeyOpenSSHFingerprintMD5    = `62:c2:c6:7a:d0:27:72:e7:0d:bc:4e:97:42:0e:9e:e6`
 	TestPublicKeyOpenSSHFingerprintSHA256 = `SHA256:V5XlMMAMdN4T4S2uBqiXBuI2C9VPNG2J8a5r1Vb8Vn8`
-
+	TestPublicKeyX509FingerprintSHA256    = "Tjv0oV3kNJRjpeIadBtzbRYjG7IG/jnSyOEJnr7FL1s="
 	// NOTE: See ../scripts/make-test-ca.tf for a Terraform script to create the following CA Private Key and Certificate.
 	TestCAPrivateKey = `
 -----BEGIN RSA PRIVATE KEY-----

internal/provider/models.go

@@ -65,18 +65,19 @@ type certificateSubjectModel struct {
 }
 
 type privateKeyResourceModel struct {
-	Algorithm                  types.String `tfsdk:"algorithm"`
-	OpenSSHComment             types.String `tfsdk:"openssh_comment"`
-	RSABits                    types.Int64  `tfsdk:"rsa_bits"`
-	ECDSACurve                 types.String `tfsdk:"ecdsa_curve"`
-	PrivateKeyPem              types.String `tfsdk:"private_key_pem"`
-	PrivateKeyOpenSSH          types.String `tfsdk:"private_key_openssh"`
-	PrivateKeyPKCS8            types.String `tfsdk:"private_key_pem_pkcs8"`
-	PublicKeyPem               types.String `tfsdk:"public_key_pem"`
-	PublicKeyOpenSSH           types.String `tfsdk:"public_key_openssh"`
-	PublicKeyFingerprintMD5    types.String `tfsdk:"public_key_fingerprint_md5"`
-	PublicKeyFingerprintSHA256 types.String `tfsdk:"public_key_fingerprint_sha256"`
-	ID                         types.String `tfsdk:"id"`
+	Algorithm                      types.String `tfsdk:"algorithm"`
+	OpenSSHComment                 types.String `tfsdk:"openssh_comment"`
+	RSABits                        types.Int64  `tfsdk:"rsa_bits"`
+	ECDSACurve                     types.String `tfsdk:"ecdsa_curve"`
+	PrivateKeyPem                  types.String `tfsdk:"private_key_pem"`
+	PrivateKeyOpenSSH              types.String `tfsdk:"private_key_openssh"`
+	PrivateKeyPKCS8                types.String `tfsdk:"private_key_pem_pkcs8"`
+	PublicKeyPem                   types.String `tfsdk:"public_key_pem"`
+	PublicKeyOpenSSH               types.String `tfsdk:"public_key_openssh"`
+	PublicKeyFingerprintMD5        types.String `tfsdk:"public_key_fingerprint_md5"`
+	PublicKeyFingerprintSHA256     types.String `tfsdk:"public_key_fingerprint_sha256"`
+	PublicKeyFingerprintX509SHA256 types.String `tfsdk:"public_key_fingerprint_x509_sha256"`
+	ID                             types.String `tfsdk:"id"`
 }
 
 type selfSignedCertResourceModel struct {

internal/provider/resource_private_key.go

@@ -140,6 +140,10 @@ func (r *privateKeyResource) Schema(_ context.Context, req resource.SchemaReques
 					"Only available if the selected private key format is compatible, similarly to " +
 					"`public_key_openssh` and the [ECDSA P224 limitations](../../docs#limitations).",
 			},
+			"public_key_fingerprint_x509_sha256": schema.StringAttribute{
+				Computed:    true,
+				Description: "The SHA256 hash of the binary key data, encoded as a base64 string",
+			},
 			"id": schema.StringAttribute{
 				Computed: true,
 				MarkdownDescription: "Unique identifier for this resource: " +