authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-12-10 15:23:41 +0100
committerDr. David von Oheimb <dev@ddvo.net>2021-01-13 11:53:15 +0100
commitec2bfb7d23b4790a5fbe3b5d73a3418966d7e8ad (patch)
tree6933e942381aa061e6a61b4e5a375098294c88fc /crypto
parentf2a0458731f15fd4d45f5574a221177f4591b1d8 (diff)
apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default
Fixes #13603 Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13658)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/x509/v3_akey.c13
-rw-r--r--crypto/x509/v3_skey.c13
2 files changed, 16 insertions, 10 deletions
diff --git a/crypto/x509/v3_akey.c b/crypto/x509/v3_akey.c
index 96e415aeb1..2e90d495c5 100644
--- a/crypto/x509/v3_akey.c
+++ b/crypto/x509/v3_akey.c
@@ -78,7 +78,7 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
STACK_OF(CONF_VALUE) *values)
{
char keyid = 0, issuer = 0;
- int i;
+ int i, n = sk_CONF_VALUE_num(values);
CONF_VALUE *cnf;
ASN1_OCTET_STRING *ikeyid = NULL;
X509_NAME *isname = NULL;
@@ -92,7 +92,11 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
if (akeyid == NULL)
goto err;
- for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
+ if (n == 1 && strcmp(sk_CONF_VALUE_value(values, 0)->name, "none") == 0) {
+ return akeyid;
+ }
+
+ for (i = 0; i < n; i++) {
cnf = sk_CONF_VALUE_value(values, i);
if (strcmp(cnf->name, "keyid") == 0) {
keyid = 1;
@@ -115,14 +119,15 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_ISSUER_CERTIFICATE);
goto err;
}
-
cert = ctx->issuer_cert;
if (keyid) {
i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
if ((i >= 0) && (ext = X509_get_ext(cert, i)))
ikeyid = X509V3_EXT_d2i(ext);
- if ((keyid == 2 || issuer == 0) && ikeyid == NULL) {
+ if ((keyid == 2 || issuer == 0)
+ && (ikeyid == NULL
+ || ASN1_STRING_length(ikeyid) <= 2) /* indicating "none" */ ) {
ERR_raise(ERR_LIB_X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
goto err;
}
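Review bot: The new `ASN1_STRING_length(ikeyid) <= 2` test treats any issuer SubjectKeyIdentifier of one or two bytes as the "none" placeholder, so a short but genuine keyid would be rejected with X509V3_R_UNABLE_TO_GET_ISSUER_KEYID, and nothing on the line says where the 2 comes from. As far as the companion change in v3_skey.c shows, the placeholder is a freshly allocated, zero-length ASN1_OCTET_STRING, so `|| ASN1_STRING_length(ikeyid) == 0) /* "none" placeholder from s2i_skey_id */` appears to be sufficient; if the two-byte allowance is deliberate, the comment should say why. The `none` early return in the second hunk has a related documentation gap: it hands back an AUTHORITY_KEYID with no fields set, and presumably some caller is expected to drop it before the certificate is encoded, otherwise an empty AKID extension would be emitted, so a one-line comment naming that expectation would help. The enclosing function v2i_AUTHORITY_KEYID starts and ends outside the hunk.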
diff --git a/crypto/x509/v3_skey.c b/crypto/x509/v3_skey.c
index b4b1616688..6122596081 100644
--- a/crypto/x509/v3_skey.c
+++ b/crypto/x509/v3_skey.c
@@ -62,7 +62,10 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
unsigned char pkey_dig[EVP_MAX_MD_SIZE];
unsigned int diglen;
- if (strcmp(str, "hash"))
+ if (strcmp(str, "none") == 0)
+ return ASN1_OCTET_STRING_new(); /* dummy */
+
+ if (strcmp(str, "hash") != 0)
return s2i_ASN1_OCTET_STRING(method, ctx, str);
if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
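Review bot: The `/* dummy */` on the new `none` branch does not say what the zero-length octet string stands for or who is responsible for removing it; if it reaches the encoder the certificate gets an empty SubjectKeyIdentifier extension, and the v3_akey.c change in this commit recognises the placeholder only by its length. Suggest `/* "none": zero-length placeholder, detected by length in v2i_AUTHORITY_KEYID; presumably removed before the cert is encoded */`. The comparison is case-sensitive like the existing `hash` keyword, so `NONE` falls through to s2i_ASN1_OCTET_STRING and is parsed as a hex string, which is consistent but worth a word in the user documentation. s2i_skey_id's body continues outside the hunk.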
@@ -78,11 +81,9 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
goto err;
}
- if (ctx->subject_req)
- pubkey = ctx->subject_req->req_info.pubkey;
- else
- pubkey = ctx->subject_cert->cert_info.key;
-
+ pubkey = ctx->subject_req != NULL ?
+ ctx->subject_req->req_info.pubkey :
+ ctx->subject_cert->cert_info.key;
if (pubkey == NULL) {
ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_PUBLIC_KEY);
goto err;