authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-12-24 11:25:47 +0100
committerDr. David von Oheimb <dev@ddvo.net>2021-01-13 11:53:15 +0100
commit41e597a01d95540f52e8bc4d69f88c3d93a093ce (patch)
tree5ae2b3b3691b635e55d704f8874bacfce6c34911 /apps
parentea9fd333d19096d654cb252a2f6785ca03bfcbc1 (diff)
Add X509V3_set_issuer_pkey, needed for AKID of self-issued not self-signed cert
Also clean up some related auxiliary functions and documentation.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13658)
Diffstat (limited to 'apps')
-rw-r--r--apps/req.c17
-rw-r--r--apps/x509.c8
2 files changed, 22 insertions, 3 deletions
diff --git a/apps/req.c b/apps/req.c
index c57d338ec9..13d54770db 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -532,6 +532,7 @@ int req_main(int argc, char **argv)
if (extensions != NULL) {
/* Check syntax of file */
X509V3_CTX ctx;
+
X509V3_set_ctx_test(&ctx);
X509V3_set_nconf(&ctx, req_conf);
if (!X509V3_EXT_add_nconf(req_conf, &ctx, extensions, NULL)) {
@@ -544,6 +545,7 @@ int req_main(int argc, char **argv)
if (addext_conf != NULL) {
/* Check syntax of command line extensions */
X509V3_CTX ctx;
+
X509V3_set_ctx_test(&ctx);
X509V3_set_nconf(&ctx, addext_conf);
if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) {
@@ -591,6 +593,7 @@ int req_main(int argc, char **argv)
if (req_exts != NULL) {
/* Check syntax of file */
X509V3_CTX ctx;
+
X509V3_set_ctx_test(&ctx);
X509V3_set_nconf(&ctx, req_conf);
if (!X509V3_EXT_add_nconf(req_conf, &ctx, req_exts, NULL)) {
@@ -773,7 +776,7 @@ int req_main(int argc, char **argv)
}
if (newreq || gen_x509) {
if (pkey == NULL /* can happen only if !newreq */) {
- BIO_printf(bio_err, "Must provide the corresponding private key using -key\n");
+ BIO_printf(bio_err, "Must provide a signature key using -key\n");
goto end;
}
@@ -793,7 +796,8 @@ int req_main(int argc, char **argv)
X509V3_CTX ext_ctx;
X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert) :
X509_REQ_get_subject_name(req);
- X509_NAME *n_subj = X509_REQ_get_subject_name(req);
+ X509_NAME *n_subj = fsubj != NULL ? fsubj :
+ X509_REQ_get_subject_name(req);
if ((new_x509 = X509_new_ex(app_get0_libctx(),
app_get0_propq())) == NULL)
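Review bot: In the CAcert == NULL case the issuer name on L56-57 is still taken from the request's subject, while the new subject on L59-60 now prefers fsubj, so a `-subj` override yields a certificate whose issuer differs from its subject even though the code further down treats CAcert == NULL as "self-issued". If `issuer` is what is later passed to X509_set_issuer_name (that call is outside this hunk), derive it from the final subject instead: declare n_subj first, then `X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert) : n_subj;`. The enclosing req_main body starts and ends outside the hunk.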
@@ -823,6 +827,15 @@ int req_main(int argc, char **argv)
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, CAcert != NULL ? CAcert : new_x509,
new_x509, NULL, NULL, X509V3_CTX_REPLACE);
+ if (CAcert == NULL) { /* self-issued, possibly self-signed */
+ if (!X509V3_set_issuer_pkey(&ext_ctx, pkey)) /* prepare right AKID */
+ goto end;
+ ERR_set_mark();
+ if (!X509_check_private_key(new_x509, pkey))
+ BIO_printf(bio_err,
+ "Warning: Signature key and public key of cert do not match\n");
+ ERR_pop_to_mark();
+ }
X509V3_set_nconf(&ext_ctx, req_conf);
/* Add extensions */
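Review bot: The warning on L71-73 is emitted precisely in the case this commit sets out to support (self-issued but not self-signed), yet neither the comment on L68 nor the message says what that means for the output, so a user cannot tell whether it is a mistake or the intended mode. I would make the comment `/* AKID must come from the signing key, which may differ from the cert's key */` and extend the message with `; the cert will be self-issued but not self-signed`. Also, X509_check_private_key only gives a meaningful answer once new_x509's public key has been set, which presumably happens between the previous hunk and this one — worth confirming, since otherwise the warning fires unconditionally and ERR_pop_to_mark hides the reason. The enclosing req_main body starts and ends outside the hunk.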
diff --git a/apps/x509.c b/apps/x509.c
index 34d654c8f2..5769f5f982 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1079,7 +1079,13 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer,
while (X509_get_ext_count(x) > 0)
X509_delete_ext(x, 0);
}
+
X509V3_set_ctx(&ext_ctx, issuer, x, NULL, NULL, X509V3_CTX_REPLACE);
+ if (issuer == x
+ /* prepare the correct AKID of self-issued, possibly self-signed cert */
+ && !X509V3_set_issuer_pkey(&ext_ctx, pkey))
+ return 0;
+
if (conf != NULL) {
X509V3_set_nconf(&ext_ctx, conf);
if (!X509V3_EXT_add_nconf(conf, &ext_ctx, section, x)) {
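Review bot: The comment wedged between `issuer == x` and `&&` on L88-90 splits one condition across a comment line, which is hard to scan and easy to misread as two statements; move it above the `if` and keep the condition on a single line: `/* self-issued, possibly self-signed: derive the AKID from the signing key */` followed by `if (issuer == x && !X509V3_set_issuer_pkey(&ext_ctx, pkey))`. The bare `return 0` relies on X509V3_set_issuer_pkey having queued an error for the caller to print; that matches the style of the X509V3_EXT_add_nconf failure path if it does the same, but sign() begins outside the hunk so I cannot confirm.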
@@ -1149,7 +1155,7 @@ static int print_x509v3_exts(BIO *bio, X509 *x, const char *ext_names)
exts = X509_get0_extensions(x);
if ((num = sk_X509_EXTENSION_num(exts)) <= 0) {
- BIO_printf(bio, "No extensions in certificate\n");
+ BIO_printf(bio_err, "No extensions in certificate\n");
ret = 1;
goto end;
}
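Review bot: Redirecting "No extensions in certificate" from the output BIO `bio` to `bio_err` on L100 is a user-visible change — the line no longer appears in the stream that `-ext` writes to, while `ret = 1` still reports success — and neither the commit title nor the description mentions it. If the intent is to keep the extension output free of diagnostics, record that with a comment such as `/* diagnostic, not part of the extension listing: keep it off the output BIO */`. print_x509v3_exts begins outside the hunk.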