From b0dbccaf3ce73ea169993ed4aeabfc8a1160e1a9 Mon Sep 17 00:00:00 2001
From: Ed Schaller
Date: Mon, 1 Feb 2021 13:40:51 -0700
Subject: [PATCH] openssl_csr: handle missing basic constraint (#180)
* openssl_csr: handle missing basic constraint
* openssl_csr: condense missing basic constraint check
As suggested by felixfontein
* add changelog fragment
* Update changelogs/fragments/179-openssl-csr-basic-constraint.yml
Co-authored-by: Felix Fontein
---
 changelogs/fragments/179-openssl-csr-basic-constraint.yml | 3 +++
 plugins/module_utils/crypto/module_backends/csr.py | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/179-openssl-csr-basic-constraint.yml
diff --git a/changelogs/fragments/179-openssl-csr-basic-constraint.yml b/changelogs/fragments/179-openssl-csr-basic-constraint.yml
new file mode 100644
index 00000000..4afe2c5a
--- /dev/null
+++ b/changelogs/fragments/179-openssl-csr-basic-constraint.yml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+ - "openssl_csr - no longer fails when comparing CSR without basic constraint when ``basic_constraints`` is specified (https://github.com/ansible-collections/community.crypto/issues/179, https://github.com/ansible-collections/community.crypto/pull/180)."
diff --git a/plugins/module_utils/crypto/module_backends/csr.py b/plugins/module_utils/crypto/module_backends/csr.py
index f5ba21ff..75560f8c 100644
--- a/plugins/module_utils/crypto/module_backends/csr.py
+++ b/plugins/module_utils/crypto/module_backends/csr.py
@@ -626,9 +626,9 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
 return False
 # Check criticality
 if self.basicConstraints:
- if bc_ext.critical != self.basicConstraints_critical:
- return False
- return True
+ return bc_ext is not None and bc_ext.critical == self.basicConstraints_critical
+ else:
+ return bc_ext is None

 def _check_ocspMustStaple(extensions):
 try:
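Review bot: The new `else: return bc_ext is None` branch in the csr.py hunk does more than avoid the crash on a missing extension: a CSR that carries a BasicConstraints extension while `basic_constraints` is unset is now reported as not matching, whereas the removed lines appear to have fallen through to `return True` in that case. That is the stricter and safer comparison for a request that is later handed to a CA, but neither the `# Check criticality` comment nor the changelog fragment mentions it, and existing CSRs may be regenerated as a result. I would reword the comment to `# Check presence and criticality: the extension must exist exactly when basic_constraints is requested` and add a sentence about the stricter check to the changelog entry. The enclosing check function starts above the hunk, so how `bc_ext` is looked up and what the earlier `return False` guards are not visible here; a regression test using a CSR without a BasicConstraints extension would also be worth adding, since the diffstat lists no test file.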