openssl_csr: handle missing basic constraint (#180)

* openssl_csr: handle missing basic constraint * openssl_csr: condense missing basic constraint check As suggested by felixfontein * add changelog fragment * Update changelogs/fragments/179-openssl-csr-basic-constraint.yml Co-authored-by: Felix Fontein <felix@fontein.de>
2026-04-26 00:16:28 +00:00 · 2021-02-01 13:40:51 -07:00
parent 36683e1dd7
commit b0dbccaf3c
2 changed files with 6 additions and 3 deletions
--- a/plugins/module_utils/crypto/module_backends/csr.py
+++ b/plugins/module_utils/crypto/module_backends/csr.py
@@ -626,9 +626,9 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
                return False
            # Check criticality
            if self.basicConstraints:
-                if bc_ext.critical != self.basicConstraints_critical:
-                    return False
-            return True
+                return bc_ext is not None and bc_ext.critical == self.basicConstraints_critical
+            else:
+                return bc_ext is None

        def _check_ocspMustStaple(extensions):
            try: