a-c-m
/
community.crypto
mirror of https://github.com/ansible-collections/community.crypto.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

openssl_csr: handle missing basic constraint (#180) 

* openssl_csr: handle missing basic constraint

* openssl_csr: condense missing basic constraint check

As suggested by felixfontein

* add changelog fragment

* Update changelogs/fragments/179-openssl-csr-basic-constraint.yml

Co-authored-by: Felix Fontein <felix@fontein.de>
pull/185/head
Ed Schaller 2021-02-01 13:40:51 -07:00 committed by GitHub
parent 36683e1dd7
commit b0dbccaf3c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
changelogs/fragments/179-openssl-csr-basic-constraint.yml Normal file
View File

@ -0,0 +1,3 @@
---
bugfixes:
- "openssl_csr - no longer fails when comparing CSR without basic constraint when ``basic_constraints`` is specified (https://github.com/ansible-collections/community.crypto/issues/179, https://github.com/ansible-collections/community.crypto/pull/180)."

6
plugins/module_utils/crypto/module_backends/csr.py
View File

@ -626,9 +626,9 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
return False
# Check criticality
if self.basicConstraints:
if bc_ext.critical != self.basicConstraints_critical:
return False
return True
return bc_ext is not None and bc_ext.critical == self.basicConstraints_critical
else:
return bc_ext is None
def _check_ocspMustStaple(extensions):
try: