openssl_csr*: fix crash for key_usage idempotency check (#935)

* Fix crash for key_usage idempotency check. * Add test.
2026-03-27 05:43:22 +00:00 · 2025-07-17 19:37:46 +02:00
parent e294890a5e
commit 55ae448036
4 changed files with 27 additions and 1 deletions
--- a/changelogs/fragments/395-csr-key_usage.yml
+++ b/changelogs/fragments/395-csr-key_usage.yml
@@ -0,0 +1,3 @@
+bugfixes:
+  - "openssl_csr and openssl_csr_pipe - the idempotency check for ``key_usage`` resulted in a crash if ``Key Agreement``/``keyAgreement`` was not set
+     (https://github.com/ansible-collections/community.crypto/issues/934, https://github.com/ansible-collections/community.crypto/pull/935)."
--- a/plugins/module_utils/_crypto/module_backends/csr.py
+++ b/plugins/module_utils/_crypto/module_backends/csr.py
@@ -546,7 +546,14 @@ class CertificateSigningRequestBackend:
                return False
            params = cryptography_parse_key_usage_params(self.key_usage)
            for param, value in params.items():
-                if getattr(current_keyusage_ext.value, param) != value:
+                try:
+                    # param in ('encipher_only', 'decipher_only') can result in ValueError()
+                    # being raised if key_agreement == False.
+                    current_value = getattr(current_keyusage_ext.value, param)
+                except ValueError:
+                    # In that case, assume that the value is False.
+                    current_value = False
+                if current_value != value:
                    return False
            return current_keyusage_ext.critical == self.key_usage_critical

--- a/tests/integration/targets/openssl_csr/tasks/impl.yml
+++ b/tests/integration/targets/openssl_csr/tasks/impl.yml
@@ -165,6 +165,21 @@
    select_crypto_backend: '{{ select_crypto_backend }}'
  register: csr_ku_xku_change_2

+- name: "({{ select_crypto_backend }}) Generate CSR with KU and XKU (idempotency 2)"
+  community.crypto.openssl_csr:
+    path: '{{ remote_tmp_dir }}/csr_ku_xku.csr'
+    privatekey_path: '{{ remote_tmp_dir }}/privatekey.pem'
+    subject:
+      commonName: 'www.ansible.com'
+    keyUsage:
+      - digitalSignature
+    extendedKeyUsage:
+      - ipsecUser
+      - qcStatements
+      - Biometric Info
+    select_crypto_backend: '{{ select_crypto_backend }}'
+  register: csr_ku_xku_change_2_idempotency
+
 - name: "({{ select_crypto_backend }}) Generate CSR with old API"
  community.crypto.openssl_csr:
    path: '{{ remote_tmp_dir }}/csr_oldapi.csr'
--- a/tests/integration/targets/openssl_csr/tests/validate.yml
+++ b/tests/integration/targets/openssl_csr/tests/validate.yml
@@ -56,6 +56,7 @@
      - csr_ku_xku is not changed
      - csr_ku_xku_change is changed
      - csr_ku_xku_change_2 is changed
+      - csr_ku_xku_change_2_idempotency is not changed

 - name: "({{ select_crypto_backend }}) Validate old_API CSR (test - Common Name)"
  ansible.builtin.command: "{{ openssl_binary }} req -noout -subject -in {{ remote_tmp_dir }}/csr_oldapi.csr -nameopt oneline,-space_eq"