Fix ValueError: excluded_subtrees must be a non-empty list or None (#481

)
ansible-collections · Jun 17, 2022 · b29f238 · b29f238
1 parent 2941bb9
commit b29f238
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/changelogs/fragments/481-fix-excluded_subtrees-must-be-a-non-empty-list-or-None.yml b/changelogs/fragments/481-fix-excluded_subtrees-must-be-a-non-empty-list-or-None.yml
@@ -0,0 +1,2 @@
+bugfixes:
+  - "openssl_csr - the module no longer crashes with 'permitted_subtrees/excluded_subtrees must be a non-empty list or None' if only one of ``name_constraints_permitted`` and ``name_constraints_excluded`` is provided (https://github.com/ansible-collections/community.crypto/issues/481)."
diff --git a/plugins/module_utils/crypto/module_backends/csr.py b/plugins/module_utils/crypto/module_backends/csr.py
@@ -345,8 +345,8 @@ def generate_csr(self):
         if self.name_constraints_permitted or self.name_constraints_excluded:
             try:
                 csr = csr.add_extension(cryptography.x509.NameConstraints(
-                    [cryptography_get_name(name, 'name constraints permitted') for name in self.name_constraints_permitted],
-                    [cryptography_get_name(name, 'name constraints excluded') for name in self.name_constraints_excluded],
+                    [cryptography_get_name(name, 'name constraints permitted') for name in self.name_constraints_permitted] or None,
+                    [cryptography_get_name(name, 'name constraints excluded') for name in self.name_constraints_excluded] or None,
                 ), critical=self.name_constraints_critical)
             except TypeError as e:
                 raise OpenSSLObjectError('Error while parsing name constraint: {0}'.format(e))
@@ -498,8 +498,8 @@ def _check_ocspMustStaple(extensions):
 
         def _check_nameConstraints(extensions):
             current_nc_ext = _find_extension(extensions, cryptography.x509.NameConstraints)
-            current_nc_perm = [to_text(altname) for altname in current_nc_ext.value.permitted_subtrees] if current_nc_ext else []
-            current_nc_excl = [to_text(altname) for altname in current_nc_ext.value.excluded_subtrees] if current_nc_ext else []
+            current_nc_perm = [to_text(altname) for altname in current_nc_ext.value.permitted_subtrees or []] if current_nc_ext else []
+            current_nc_excl = [to_text(altname) for altname in current_nc_ext.value.excluded_subtrees or []] if current_nc_ext else []
             nc_perm = [to_text(cryptography_get_name(altname, 'name constraints permitted')) for altname in self.name_constraints_permitted]
             nc_excl = [to_text(cryptography_get_name(altname, 'name constraints excluded')) for altname in self.name_constraints_excluded]
             if set(nc_perm) != set(current_nc_perm) or set(nc_excl) != set(current_nc_excl):