Closed
Labels: bug
Description
SUMMARY
After upgrading the collection from version 2.26.3 to 3.0.0 I see a Python traceback when using key_usage options for CSR generation. Without key_usage options everything is OK.
ISSUE TYPE
- Bug Report
COMPONENT NAME
community.crypto.openssl_csr with key_usage
ANSIBLE VERSION
ansible [core 2.18.7]
config file = /Users/ps/_work/git/infra/ansible.cfg
configured module search path = ['/Users/ps/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /Users/ps/_work/git/infra/.venv/lib/python3.13/site-packages/ansible
ansible collection location = /Users/ps/_work/git/infra/.collections
executable location = /Users/ps/_work/git/infra/.venv/bin/ansible
python version = 3.13.1 (main, Jan 14 2025, 23:31:50) [Clang 19.1.6 ] (/Users/ps/_work/git/infra/.venv/bin/python3)
jinja version = 3.1.6
libyaml = True
COLLECTION VERSION
# /Users/ps/_work/git/infra/.collections/ansible_collections
Collection Version
---------------- -------
community.crypto 3.0.0
CONFIGURATION
ANSIBLE_NOCOWS(/Users/ps/_work/git/infra/ansible.cfg) = True
COLLECTIONS_PATHS(/Users/ps/_work/git/infra/ansible.cfg) = ['/Users/ps/_work/git/infra/.collections']
CONFIG_FILE() = /Users/ps/_work/git/infra/ansible.cfg
DEFAULT_GATHERING(/Users/ps/_work/git/infra/ansible.cfg) = explicit
DEFAULT_STRATEGY(/Users/ps/_work/git/infra/ansible.cfg) = serverscom.mitogen.mitogen_linear
DEFAULT_TIMEOUT(/Users/ps/_work/git/infra/ansible.cfg) = 30
EDITOR(env: EDITOR) = nvim
HOST_KEY_CHECKING(/Users/ps/_work/git/infra/ansible.cfg) = False
INTERPRETER_PYTHON(/Users/ps/_work/git/infra/ansible.cfg) = auto_silent
PAGER(env: PAGER) = bat -f -p
RETRY_FILES_ENABLED(/Users/ps/_work/git/infra/ansible.cfg) = False
GALAXY_SERVERS:
OS / ENVIRONMENT
MacOS 15.5
STEPS TO REPRODUCE
Run this playbook, then run it again; the second task will fail.

```yaml
- name: Create server KEY
  community.crypto.openssl_privatekey:
    path: /etc/tls/server.key
    type: Ed25519
    curve: secp256r1  # only consulted for type ECC; has no effect for Ed25519
    mode: "0600"
    owner: root
    group: root
- name: Create server CSR
  community.crypto.openssl_csr:
    path: /etc/tls/server.csr
    privatekey_path: /etc/tls/server.key
    common_name: 'server.name'
    basic_constraints:
      - CA:FALSE
    subject_alt_name:
      - DNS:localhost
      - IP:127.0.0.1
    key_usage_critical: true
    key_usage:
      - digitalSignature
      - keyEncipherment
    mode: "0600"
    owner: root
    group: root
```
EXPECTED RESULTS
Should show an ok state on the second task, as on version 2.26.3.
ACTUAL RESULTS
Gives this error:

```
TASK [Create server CSR] ***************************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: encipher_only is undefined unless key_agreement is true
fatal: [virt0.vsg3]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3.9"}, "changed": false, "module_stderr": "Traceback (most recent call last):\n File \"master:/Users/ps/_work/git/infra/.venv/lib/python3.13/site-packages/ansible_mitogen/runner.py\", line 1039, in _run\n self._run_code(code, mod)\n File \"master:/Users/ps/_work/git/infra/.venv/lib/python3.13/site-packages/ansible_mitogen/runner.py\", line 1003, in _run_code\n exec(code, vars(mod))\n File \"master:/Users/ps/_work/git/infra/.collections/ansible_collections/community/crypto/plugins/modules/openssl_csr.py\", line 373, in <module>\n File \"master:/Users/ps/_work/git/infra/.collections/ansible_collections/community/crypto/plugins/modules/openssl_csr.py\", line 362, in main\n File \"master:/Users/ps/_work/git/infra/.collections/ansible_collections/community/crypto/plugins/modules/openssl_csr.py\", line 289, in generate\n File \"master:/Users/ps/_work/git/infra/.collections/ansible_collections/community/crypto/plugins/module_utils/_crypto/module_backends/csr.py\", line 755, in needs_regeneration\n return not self._check_csr()\n File \"master:/Users/ps/_work/git/infra/.collections/ansible_collections/community/crypto/plugins/module_utils/_crypto/module_backends/csr.py\", line 740, in _check_csr\n and _check_extensions(self.existing_csr)\n File \"master:/Users/ps/_work/git/infra/.collections/ansible_collections/community/crypto/plugins/module_utils/_crypto/module_backends/csr.py\", line 712, in _check_extensions\n and _check_key_usage(extensions)\n File \"master:/Users/ps/_work/git/infra/.collections/ansible_collections/community/crypto/plugins/module_utils/_crypto/module_backends/csr.py\", line 549, in _check_key_usage\n if getattr(current_keyusage_ext.value, param) != value:\n File \"/usr/lib64/python3.9/site-packages/cryptography/x509/extensions.py\", line 1239, in encipher_only\n raise ValueError(\nValueError: encipher_only is undefined unless key_agreement is true\n", 
"module_stdout": "", "msg": "MODULE FAILURE: No start of json char found\nSee stdout/stderr for the exact error", "rc": 1}
```
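The traceback ends inside cryptography's `KeyUsage.encipher_only` property, which raises `ValueError` whenever `key_agreement` is False; reading every flag with `getattr` therefore cannot work for a CSR like the one in the playbook. The following is an added illustration, not the collection's code: it rebuilds the playbook's KeyUsage with `cryptography`, shows the unguarded comparison failing, and shows a guarded comparison that treats the two key_agreement-dependent bits as False when key_agreement is unset. The name table and helper functions are constructed for this example.

```python
from cryptography import x509

# Playbook key_usage names -> keyword arguments of x509.KeyUsage. This table
# is constructed for the example; the collection keeps its own mapping.
KEY_USAGE_PARAMS = {
    "digitalSignature": "digital_signature",
    "nonRepudiation": "content_commitment",
    "keyEncipherment": "key_encipherment",
    "dataEncipherment": "data_encipherment",
    "keyAgreement": "key_agreement",
    "keyCertSign": "key_cert_sign",
    "cRLSign": "crl_sign",
    "encipherOnly": "encipher_only",
    "decipherOnly": "decipher_only",
}

def wanted_flags(names):
    """Desired flag values as a dict, e.g. from the playbook's key_usage list."""
    return {attr: (name in names) for name, attr in KEY_USAGE_PARAMS.items()}

def key_usage_from_names(names):
    """Build the KeyUsage an existing CSR would carry for these names."""
    return x509.KeyUsage(**wanted_flags(names))

def naive_matches(existing, flags):
    """The pattern from the traceback: read every property unguarded.
    cryptography raises ValueError from encipher_only/decipher_only whenever
    key_agreement is False, so this fails for the playbook's CSR."""
    return all(getattr(existing, attr) == value for attr, value in flags.items())

def naive_raises(existing, flags):
    """True if the unguarded comparison fails with ValueError."""
    try:
        naive_matches(existing, flags)
    except ValueError:
        return True
    return False

def safe_flag(ext, attr):
    """Read one flag; encipher_only/decipher_only count as False when
    key_agreement is unset, since RFC 5280 gives them no meaning then."""
    if attr in ("encipher_only", "decipher_only") and not ext.key_agreement:
        return False
    return getattr(ext, attr)

def safe_matches(existing, flags):
    """Guarded comparison: never raises, same verdict for well-formed input."""
    return all(safe_flag(existing, attr) == value for attr, value in flags.items())
```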