diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-08-25 12:21:06 +0200 |
---|---|---|
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-08-26 17:45:35 +0200 |
commit | 4fdb0d2535323373650bd68e7a659f9320828857 (patch) | |
tree | be963076b87f558fd38ef91eae575710b2eeb3b8 /apps/req.c | |
parent | f2b6edcfdd9ba0b17c8d6d6d76aa892fe76315fc (diff) |
APPS/req: Fix AKID generation in case -CA option is used
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16420)
Diffstat (limited to 'apps/req.c')
-rw-r--r-- | apps/req.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/apps/req.c b/apps/req.c index 4313249295..6aa364fec5 100644 --- a/apps/req.c +++ b/apps/req.c @@ -791,6 +791,7 @@ int req_main(int argc, char **argv) } if (gen_x509) { EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req); + EVP_PKEY *issuer_key = CAcert != NULL ? CAkey : pkey; X509V3_CTX ext_ctx; X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert) : X509_REQ_get_subject_name(req); @@ -831,11 +832,12 @@ int req_main(int argc, char **argv) /* Set up V3 context struct */ X509V3_set_ctx(&ext_ctx, CAcert != NULL ? CAcert : new_x509, new_x509, NULL, NULL, X509V3_CTX_REPLACE); - if (CAcert == NULL) { /* self-issued, possibly self-signed */ - if (!X509V3_set_issuer_pkey(&ext_ctx, pkey)) /* prepare right AKID */ + /* prepare fallback for AKID, but only if issuer cert == new_x509 */ + if (CAcert == NULL) { + if (!X509V3_set_issuer_pkey(&ext_ctx, issuer_key)) goto end; ERR_set_mark(); - if (!X509_check_private_key(new_x509, pkey)) + if (!X509_check_private_key(new_x509, issuer_key)) BIO_printf(bio_err, "Warning: Signature key and public key of cert do not match\n"); ERR_pop_to_mark(); @@ -866,8 +868,7 @@ int req_main(int argc, char **argv) } } - i = do_X509_sign(new_x509, CAcert != NULL ? CAkey : pkey, - digest, sigopts, &ext_ctx); + i = do_X509_sign(new_x509, issuer_key, digest, sigopts, &ext_ctx); if (!i) goto end; } else { |