diff --git a/lib/ansible/modules/crypto/openssl_csr.py b/lib/ansible/modules/crypto/openssl_csr.py index c0e76dda619..55ac9cc8ab6 100644 --- a/lib/ansible/modules/crypto/openssl_csr.py +++ b/lib/ansible/modules/crypto/openssl_csr.py @@ -131,6 +131,18 @@ options: aliases: [ 'extKeyUsage_critical', 'extendedKeyUsage_critical' ] description: - Should the extkeyUsage extension be considered as critical + basic_constraints: + required: false + aliases: ['basicConstraints'] + description: + - Indicates basic constraints, such as if the certificate is a CA. + version_added: 2.5 + basic_constraints_critical: + required: false + aliases: [ 'basicConstraints_critical' ] + description: + - Should the basicConstraints extension be considered as critical + version_added: 2.5 extends_documentation_fragment: files notes: @@ -221,6 +233,11 @@ extendedKeyUsage: returned: changed or success type: list sample: [ 'clientAuth' ] +basicConstraints: + description: Indicates if the certificate belongs to a CA + returned: changed or success + type: list + sample: ['CA:TRUE', 'pathLenConstraint:0'] ''' import os @@ -261,6 +278,8 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject): self.keyUsage_critical = module.params['keyUsage_critical'] self.extendedKeyUsage = module.params['extendedKeyUsage'] self.extendedKeyUsage_critical = module.params['extendedKeyUsage_critical'] + self.basicConstraints = module.params['basicConstraints'] + self.basicConstraints_critical = module.params['basicConstraints_critical'] self.request = None self.privatekey = None @@ -301,6 +320,10 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject): usages = ', '.join(self.extendedKeyUsage) extensions.append(crypto.X509Extension(b"extendedKeyUsage", self.extendedKeyUsage_critical, usages.encode('ascii'))) + if self.basicConstraints: + usages = ', '.join(self.basicConstraints) + extensions.append(crypto.X509Extension(b"basicConstraints", self.basicConstraints_critical, usages.encode('ascii'))) + req.add_extensions(extensions) req.set_pubkey(self.privatekey) @@ -366,9 +389,13 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject): def _check_extenededKeyUsage(extensions): return _check_keyUsage_(extensions, b'extendedKeyUsage', self.extendedKeyUsage, self.extendedKeyUsage_critical) + def _check_basicConstraints(extensions): + return _check_keyUsage_(extensions, b'basicConstraints', self.basicConstraints, self.basicConstraints_critical) + def _check_extensions(csr): extensions = csr.get_extensions() - return _check_subjectAltName(extensions) and _check_keyUsage(extensions) and _check_extenededKeyUsage(extensions) + return (_check_subjectAltName(extensions) and _check_keyUsage(extensions) and + _check_extenededKeyUsage(extensions) and _check_basicConstraints(extensions)) def _check_signature(csr): try: @@ -393,6 +420,7 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject): 'subjectAltName': self.subjectAltName, 'keyUsage': self.keyUsage, 'extendedKeyUsage': self.extendedKeyUsage, + 'basicConstraints': self.basicConstraints, 'changed': self.changed } @@ -422,6 +450,8 @@ def main(): keyUsage_critical=dict(aliases=['key_usage_critical'], default=False, type='bool'), extendedKeyUsage=dict(aliases=['extKeyUsage', 'extended_key_usage'], type='list'), extendedKeyUsage_critical=dict(aliases=['extKeyUsage_critical', 'extended_key_usage_critical'], default=False, type='bool'), + basicConstraints=dict(aliases=['basic_constraints'], type='list'), + basicConstraints_critical=dict(aliases=['basic_constraints_critical'], default=False, type='bool'), ), add_file_common_args=True, supports_check_mode=True,