Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert

Also clean up some related auxiliary functions and documentation Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13658)
author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-12-24 11:25:47 +0100
committer: Dr. David von Oheimb <dev@ddvo.net> 2021-01-13 11:53:15 +0100
commit: 41e597a01d95540f52e8bc4d69f88c3d93a093ce (patch)
tree: 5ae2b3b3691b635e55d704f8874bacfce6c34911 /apps/x509.c
parent: ea9fd333d19096d654cb252a2f6785ca03bfcbc1 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/apps/x509.c b/apps/x509.c
index 34d654c8f2..5769f5f982 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1079,7 +1079,13 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer,
         while (X509_get_ext_count(x) > 0)
             X509_delete_ext(x, 0);
     }
+
     X509V3_set_ctx(&ext_ctx, issuer, x, NULL, NULL, X509V3_CTX_REPLACE);
+    if (issuer == x
+        /* prepare the correct AKID of self-issued, possibly self-signed cert */
+            && !X509V3_set_issuer_pkey(&ext_ctx, pkey))
+        return 0;
+
     if (conf != NULL) {
         X509V3_set_nconf(&ext_ctx, conf);
         if (!X509V3_EXT_add_nconf(conf, &ext_ctx, section, x)) {
@@ -1149,7 +1155,7 @@ static int print_x509v3_exts(BIO *bio, X509 *x, const char *ext_names)
 
     exts = X509_get0_extensions(x);
     if ((num = sk_X509_EXTENSION_num(exts)) <= 0) {
-        BIO_printf(bio, "No extensions in certificate\n");
+        BIO_printf(bio_err, "No extensions in certificate\n");
         ret = 1;
         goto end;
     }
author	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2020-12-24 11:25:47 +0100
committer	Dr. David von Oheimb <dev@ddvo.net>	2021-01-13 11:53:15 +0100
commit	41e597a01d95540f52e8bc4d69f88c3d93a093ce (patch)
tree	5ae2b3b3691b635e55d704f8874bacfce6c34911 /apps/x509.c
parent	ea9fd333d19096d654cb252a2f6785ca03bfcbc1 (diff)