diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-08-17 23:13:28 +0200 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-11-11 20:18:55 +0100 |
commit | adbd77f6d7cc4efb7b4bde483036fab8e48ce870 (patch) | |
tree | 2de0061bf11418cb9ebd080eb77f136c707040fa /apps/ca.c | |
parent | b0c1214e1e82bc4c98eadd11d368b4ba9ffa202c (diff) |
X509: Fix handling of AKID and SKID extensions according to configuration
Fixes #16300
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16342)
Diffstat (limited to 'apps/ca.c')
-rw-r--r-- | apps/ca.c | 11 |
1 files changed, 10 insertions, 1 deletions
@@ -1709,7 +1709,16 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* Initialize the context structure */ X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509, - ret, req, NULL, X509V3_CTX_REPLACE); + ret, NULL /* no need to give req, needed info is in ret */, + NULL, X509V3_CTX_REPLACE); + /* prepare fallback for AKID, but only if issuer cert equals subject cert */ + if (selfsign) { + if (!X509V3_set_issuer_pkey(&ext_ctx, pkey)) + goto end; + if (!cert_matches_key(ret, pkey)) + BIO_printf(bio_err, + "Warning: Signature key and public key of cert do not match\n"); + } /* Lets add the extensions, if there are any */ if (ext_sect) { |