openssl_csr: handle missing basic constraint (#180)

* openssl_csr: handle missing basic constraint

* openssl_csr: condense missing basic constraint check

As suggested by felixfontein

* add changelog fragment

* Update changelogs/fragments/179-openssl-csr-basic-constraint.yml

Co-authored-by: Felix Fontein <felix@fontein.de>

changelogs/fragments/179-openssl-csr-basic-constraint.yml

@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - "openssl_csr - no longer fails when comparing CSR without basic constraint when ``basic_constraints`` is specified (https://github.com/ansible-collections/community.crypto/issues/179, https://github.com/ansible-collections/community.crypto/pull/180)."

plugins/module_utils/crypto/module_backends/csr.py

@@ -626,9 +626,9 @@ class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBack
                 return False
             # Check criticality
             if self.basicConstraints:
-                if bc_ext.critical != self.basicConstraints_critical:
+                return bc_ext is not None and bc_ext.critical == self.basicConstraints_critical
-                    return False
+            else:
-            return True
+                return bc_ext is None
 
         def _check_ocspMustStaple(extensions):
             try: