authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2021-08-17 23:13:28 +0200
committerDr. David von Oheimb <dev@ddvo.net>2021-11-11 20:18:55 +0100
commitadbd77f6d7cc4efb7b4bde483036fab8e48ce870 (patch)
tree2de0061bf11418cb9ebd080eb77f136c707040fa /apps/ca.c
parentb0c1214e1e82bc4c98eadd11d368b4ba9ffa202c (diff)
X509: Fix handling of AKID and SKID extensions according to configuration
Fixes #16300 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/16342)
Diffstat (limited to 'apps/ca.c')
-rw-r--r--apps/ca.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/apps/ca.c b/apps/ca.c
index 24883615ed..1e77bf50c5 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1709,7 +1709,16 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
/* Initialize the context structure */
X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509,
- ret, req, NULL, X509V3_CTX_REPLACE);
+ ret, NULL /* no need to give req, needed info is in ret */,
+ NULL, X509V3_CTX_REPLACE);
+ /* prepare fallback for AKID, but only if issuer cert equals subject cert */
+ if (selfsign) {
+ if (!X509V3_set_issuer_pkey(&ext_ctx, pkey))
+ goto end;
+ if (!cert_matches_key(ret, pkey))
+ BIO_printf(bio_err,
+ "Warning: Signature key and public key of cert do not match\n");
+ }
/* Lets add the extensions, if there are any */
if (ext_sect) {