Support basicConstraints in openssl_csr (#32632)

lib/ansible/modules/crypto/openssl_csr.py

@@ -131,6 +131,18 @@ options:
         aliases: [ 'extKeyUsage_critical', 'extendedKeyUsage_critical' ]
         description:
             - Should the extkeyUsage extension be considered as critical
+    basic_constraints:
+        required: false
+        aliases: ['basicConstraints']
+        description:
+            - Indicates basic constraints, such as if the certificate is a CA.
+        version_added: 2.5
+    basic_constraints_critical:
+        required: false
+        aliases: [ 'basicConstraints_critical' ]
+        description:
+            - Should the basicConstraints extension be considered as critical
+        version_added: 2.5
 extends_documentation_fragment: files
 
 notes:
@@ -221,6 +233,11 @@ extendedKeyUsage:
     returned: changed or success
     type: list
     sample: [ 'clientAuth' ]
+basicConstraints:
+    description: Indicates if the certificate belongs to a CA
+    returned: changed or success
+    type: list
+    sample: ['CA:TRUE', 'pathLenConstraint:0']
 '''
 
 import os
@@ -261,6 +278,8 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
         self.keyUsage_critical = module.params['keyUsage_critical']
         self.extendedKeyUsage = module.params['extendedKeyUsage']
         self.extendedKeyUsage_critical = module.params['extendedKeyUsage_critical']
+        self.basicConstraints = module.params['basicConstraints']
+        self.basicConstraints_critical = module.params['basicConstraints_critical']
         self.request = None
         self.privatekey = None
 
@@ -301,6 +320,10 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
                 usages = ', '.join(self.extendedKeyUsage)
                 extensions.append(crypto.X509Extension(b"extendedKeyUsage", self.extendedKeyUsage_critical, usages.encode('ascii')))
 
+            if self.basicConstraints:
+                usages = ', '.join(self.basicConstraints)
+                extensions.append(crypto.X509Extension(b"basicConstraints", self.basicConstraints_critical, usages.encode('ascii')))
+
             req.add_extensions(extensions)
 
             req.set_pubkey(self.privatekey)
@@ -366,9 +389,13 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
         def _check_extenededKeyUsage(extensions):
             return _check_keyUsage_(extensions, b'extendedKeyUsage', self.extendedKeyUsage, self.extendedKeyUsage_critical)
 
+        def _check_basicConstraints(extensions):
+            return _check_keyUsage_(extensions, b'basicConstraints', self.basicConstraints, self.basicConstraints_critical)
+
         def _check_extensions(csr):
             extensions = csr.get_extensions()
-            return _check_subjectAltName(extensions) and _check_keyUsage(extensions) and _check_extenededKeyUsage(extensions)
+            return (_check_subjectAltName(extensions) and _check_keyUsage(extensions) and
+                    _check_extenededKeyUsage(extensions) and _check_basicConstraints(extensions))
 
         def _check_signature(csr):
             try:
@@ -393,6 +420,7 @@ class CertificateSigningRequest(crypto_utils.OpenSSLObject):
             'subjectAltName': self.subjectAltName,
             'keyUsage': self.keyUsage,
             'extendedKeyUsage': self.extendedKeyUsage,
+            'basicConstraints': self.basicConstraints,
             'changed': self.changed
         }
 
@@ -422,6 +450,8 @@ def main():
             keyUsage_critical=dict(aliases=['key_usage_critical'], default=False, type='bool'),
             extendedKeyUsage=dict(aliases=['extKeyUsage', 'extended_key_usage'], type='list'),
             extendedKeyUsage_critical=dict(aliases=['extKeyUsage_critical', 'extended_key_usage_critical'], default=False, type='bool'),
+            basicConstraints=dict(aliases=['basic_constraints'], type='list'),
+            basicConstraints_critical=dict(aliases=['basic_constraints_critical'], default=False, type='bool'),
         ),
         add_file_common_args=True,
         supports_check_mode=True,