From fc1f44e7944cd41dfe69df9511af082db76a1d9c Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Mon, 8 Mar 2021 10:10:46 +0100
Subject: [PATCH] Backport of https://github.com/ansible-collections/community.crypto/pull/180 to stable-2.9. (#73815)
---
 .../community.cryto-180-openssl-csr-basic-constraint.yml | 3 +++
 lib/ansible/modules/crypto/openssl_csr.py | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/fragments/community.cryto-180-openssl-csr-basic-constraint.yml
diff --git a/changelogs/fragments/community.cryto-180-openssl-csr-basic-constraint.yml b/changelogs/fragments/community.cryto-180-openssl-csr-basic-constraint.yml
new file mode 100644
index 00000000000..4afe2c5a5fe
--- /dev/null
+++ b/changelogs/fragments/community.cryto-180-openssl-csr-basic-constraint.yml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+ - "openssl_csr - no longer fails when comparing CSR without basic constraint when ``basic_constraints`` is specified (https://github.com/ansible-collections/community.crypto/issues/179, https://github.com/ansible-collections/community.crypto/pull/180)."
diff --git a/lib/ansible/modules/crypto/openssl_csr.py b/lib/ansible/modules/crypto/openssl_csr.py
index c045f2594dd..e2ffe38e023 100644
--- a/lib/ansible/modules/crypto/openssl_csr.py
+++ b/lib/ansible/modules/crypto/openssl_csr.py
@@ -911,9 +911,9 @@ class CertificateSigningRequestCryptography(CertificateSigningRequestBase):
 return False
 # Check criticality
 if self.basicConstraints:
- if bc_ext.critical != self.basicConstraints_critical:
- return False
- return True
+ return bc_ext is not None and bc_ext.critical == self.basicConstraints_critical
+ else:
+ return bc_ext is None
 
 def _check_ocspMustStaple(extensions):
 try:
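Review bot: The new `else` branch of the criticality check in `openssl_csr.py` changes behaviour beyond the crash fix the changelog fragment describes: when `basic_constraints` is not set, a CSR that already carries a BasicConstraints extension is now reported as not matching (`return bc_ext is None`), where the old code fell through to `return True`. Treating an unrequested extension as a mismatch looks like the safer result, since the CSR is then regenerated, but it should be stated in a comment such as `# No basic constraints requested: an existing extension means the CSR must be regenerated` and mentioned in the fragment. The enclosing check function starts above the hunk, so whether the earlier CA and path-length comparisons already reject some of these CSRs cannot be confirmed from here. No test accompanies the backport; cases for a CSR without the extension (option set) and with the extension (option unset) would pin both branches.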