diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-10 15:23:41 +0100 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-01-13 11:53:15 +0100 |
commit | ec2bfb7d23b4790a5fbe3b5d73a3418966d7e8ad (patch) | |
tree | 6933e942381aa061e6a61b4e5a375098294c88fc /apps/lib | |
parent | f2a0458731f15fd4d45f5574a221177f4591b1d8 (diff) |
apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default
Fixes #13603
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)
Diffstat (limited to 'apps/lib')
-rw-r--r-- | apps/lib/apps.c | 48 |
1 files changed, 46 insertions, 2 deletions
diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 457dac87bc..6ae35bac73 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -1982,12 +1982,41 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey, && do_pkey_ctx_init(pkctx, sigopts); } -/* Ensure RFC 5280 compliance and then sign the certificate info */ +static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx, + const char *name, const char *value, int add_default) +{ + const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert); + X509_EXTENSION *new_ext = X509V3_EXT_nconf(NULL, ext_ctx, name, value); + int idx, rv = 0; + + if (new_ext == NULL) + return rv; + + idx = X509v3_get_ext_by_OBJ(exts, X509_EXTENSION_get_object(new_ext), -1); + if (idx >= 0) { + X509_EXTENSION *found_ext = X509v3_get_ext(exts, idx); + ASN1_OCTET_STRING *data = X509_EXTENSION_get_data(found_ext); + int disabled = ASN1_STRING_length(data) <= 2; /* config said "none" */ + + if (disabled) { + X509_delete_ext(cert, idx); + X509_EXTENSION_free(found_ext); + } /* else keep existing key identifier, which might be outdated */ + rv = 1; + } else { + rv = !add_default || X509_add_ext(cert, new_ext, -1); + } + X509_EXTENSION_free(new_ext); + return rv; +} + +/* Ensure RFC 5280 compliance, adapt keyIDs as needed, and sign the cert info */ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md, - STACK_OF(OPENSSL_STRING) *sigopts) + STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx) { const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert); EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + int self_sign; int rv = 0; if (sk_X509_EXTENSION_num(exts /* may be NULL */) > 0) { @@ -1995,6 +2024,21 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md, if (!X509_set_version(cert, 2)) /* Make sure cert is X509 v3 */ goto end; + /* + * Add default SKID before such that default AKID can make use of it + * in case the certificate is self-signed + */ + /* Prevent X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER */ + if (!adapt_keyid_ext(cert, ext_ctx, "subjectKeyIdentifier", "hash", 1)) + goto end; + /* Prevent X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER */ + ERR_set_mark(); + self_sign = X509_check_private_key(cert, pkey); + ERR_pop_to_mark(); + if (!adapt_keyid_ext(cert, ext_ctx, "authorityKeyIdentifier", + "keyid, issuer", !self_sign)) + goto end; + /* TODO any further measures for ensuring default RFC 5280 compliance */ } |