
Commit 7e8f8ce

fixup! Restore previous semantics of authorityKeyIdentifier=keyid
1 parent 60695f6 commit 7e8f8ce


2 files changed

+15
-7
lines changed


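--- a/crypto/x509/v3_akid.c
+++ b/crypto/x509/v3_akid.c
@@ -107,6 +107,7 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
     ASN1_INTEGER *serial = NULL;
     X509_EXTENSION *ext;
     X509 *issuer_cert;
+    int self_signed = 0;
     AUTHORITY_KEYID *akeyid = AUTHORITY_KEYID_new();
 
     if (akeyid == NULL)
@@ -156,8 +157,15 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
         goto err;
     }
 
-    /* unless forced with "always", AKID is optional */
-    if (keyid != 0) {
+    if (ctx->subject_cert != NULL && ctx->issuer_pkey != NULL) {
+        ERR_set_mark();
+        self_signed = X509_check_private_key(ctx->subject_cert,
+                                             ctx->issuer_pkey);
+        ERR_pop_to_mark();
+    }
+
+    /* unless forced with "always", AKID is suppressed for self-signed certs */
+    if (keyid == 2 || (keyid == 1 && !self_signed)) {
         /*
          * prefer any pre-existing subject key identifier of the issuer cert
          * except issuer cert is same as subject cert and private key is given
@@ -180,7 +188,7 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
         }
     }
 
-    if (issuer == 2 || (issuer == 1 && ikeyid == NULL)) {
+    if (issuer == 2 || (issuer == 1 && ikeyid == NULL && !self_signed)) {
         if (ctx->subject_cert == issuer_cert)
             isname = X509_NAME_dup(X509_get_issuer_name(issuer_cert));
         else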
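--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -612,7 +612,7 @@ has_AKID($cert, 0); # forced no AKID
 
 $cert = "self-signed_v3_CA_explicit_AKID.pem";
 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid");
-has_AKID($cert, 1); # for self-signed cert, AKID present but not forced
+has_AKID($cert, 0); # for self-signed cert, AKID suppressed and not forced
 
 $cert = "self-signed_v3_CA_forced_AKID.pem";
 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always");
@@ -621,19 +621,19 @@ strict_verify($cert, 1);
 
 $cert = "self-signed_v3_CA_issuer_AKID.pem";
 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer");
-has_AKID($cert, 1); # AKID present but not forced
+has_AKID($cert, 0); # suppressed AKID since not forced
 
 $cert = "self-signed_v3_CA_forced_issuer_AKID.pem";
 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = issuer:always");
 cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # forced issuer AKID
 
 $cert = "self-signed_v3_CA_nonforced_keyid_issuer_AKID.pem";
 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer");
-has_AKID($cert, 1); # AKID present but not forced
+has_AKID($cert, 0); # AKID not present because not forced and cert self-signed
 
 $cert = "self-signed_v3_CA_keyid_forced_issuer_AKID.pem";
 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid, issuer:always");
-cert_contains($cert, "Authority Key Identifier: keyid:.* DirName:/CN=CA serial:", 1); # issuer AKID forced, with keyid not forced
+cert_contains($cert, "Authority Key Identifier: DirName:/CN=CA serial:", 1); # issuer AKID forced, with keyid not forced
 
 $cert = "self-signed_v3_CA_forced_keyid_issuer_AKID.pem";
 generate_cert($cert, @v3_ca, "-addext", "authorityKeyIdentifier = keyid:always, issuer");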
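Review bot: The updated expectations at lines 615, 624, 632 and 636 only exercise self-signed certificates, so nothing in this section pins down the restored semantics for the non-self-signed case, where `authorityKeyIdentifier = keyid` must still yield a keyid AKID. Unless that is already covered elsewhere in this recipe, a companion case that signs a leaf with a separate CA key and asserts `has_AKID($cert, 1)` would catch a regression in the new `keyid == 1 && !self_signed` branch in v3_akid.c. A short comment above this group would also help readers, e.g. `# Self-signed certs omit the AKID unless forced with ":always" (RFC 5280, 4.2.1.1)`.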
