apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default

Fixes #13603

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13658)

1 files changed, 4 insertions, 4 deletions

diff --git a/apps/x509.c b/apps/x509.c
index c8fcb7a7ae..34d654c8f2 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1067,6 +1067,8 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer,
                 const EVP_MD *digest, CONF *conf, const char *section,
                 int preserve_dates)
 {
+    X509V3_CTX ext_ctx;
+
     if (!X509_set_issuer_name(x, X509_get_subject_name(issuer)))
         return 0;
 
@@ -1077,10 +1079,8 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer,
         while (X509_get_ext_count(x) > 0)
             X509_delete_ext(x, 0);
     }
+    X509V3_set_ctx(&ext_ctx, issuer, x, NULL, NULL, X509V3_CTX_REPLACE);
     if (conf != NULL) {
-        X509V3_CTX ext_ctx;
-
-        X509V3_set_ctx(&ext_ctx, issuer, x, NULL, NULL, X509V3_CTX_REPLACE);
         X509V3_set_nconf(&ext_ctx, conf);
         if (!X509V3_EXT_add_nconf(conf, &ext_ctx, section, x)) {
             BIO_printf(bio_err,
@@ -1088,7 +1088,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer,
             return 0;
         }
     }
-    return do_X509_sign(x, pkey, digest, sigopts);
+    return do_X509_sign(x, pkey, digest, sigopts, &ext_ctx);
 }
 
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)