git.ipfire.org Git - thirdparty/openssl.git/commit
Clear the extension list when removing the last extension
author    David Benjamin <davidben@google.com>
          Sun, 31 Aug 2025 21:25:40 +0000 (17:25 -0400)
committer Tomas Mraz <tomas@openssl.org>
          Tue, 9 Sep 2025 09:13:46 +0000 (11:13 +0200)
commit    e32015b8f4e43c7223a87dd49d2d19fedce2e6b4
tree      8b725ce27ee0fb9fae84708814e54c1792a0a80c
parent    871e71ff6b50e02cadce91a9313b39e6510d2c47
Clear the extension list when removing the last extension

The extensions list in a certificate, CRL, and CRL entry is defined as:

    ... extensions      [3]  EXPLICIT Extensions OPTIONAL ...
    ... crlEntryExtensions      Extensions OPTIONAL ...
    ... crlExtensions           [0]  EXPLICIT Extensions OPTIONAL ...

    Extensions  ::=  SEQUENCE SIZE (1..MAX) OF Extension

This means that a present but empty extensions list is actually invalid.
Rather, if you have no extensions to encode, you are meant to omit the
list altogether. Fix the delete_ext functions to handle this correctly.

This would mostly be moot, as an application adding extensions only to
delete them all would be unusual. However, #13658 implemented a slightly
roundabout design where, to omit SKID/AKID, the library first puts them
in and then the command-line tool detects some placeholder values and
deletes the extension again.

Fixes #28397

Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28398)

(cherry picked from commit 9a8d7dc14201aeeed1e77d54208e4af96916fc4f)
crypto/x509/x509_ext.c
test/x509_test.c
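As an added illustration that is not part of the commit or of OpenSSL's code, the following Python models the encoding rule the commit message quotes: a naive encoder for `extensions [3] EXPLICIT Extensions OPTIONAL`, the pre-fix and post-fix behaviour of deleting the last extension, and a check for the `SIZE (1..MAX)` constraint. The OID bytes and extension value are constructed sample data, and the length handling is deliberately limited to short-form DER lengths.

```python
# Added example (not OpenSSL's code): a minimal DER model of the structures
# quoted in the commit message, showing why a present-but-empty Extensions
# list is invalid and how deleting the last extension should omit the field.
from typing import Optional

def der_len(n: int) -> bytes:
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag-length-value for a single-byte tag."""
    return bytes([tag]) + der_len(len(content)) + content

def encode_extension(oid: bytes, value: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }
    (critical DEFAULT FALSE is omitted in DER)."""
    return der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x04, value))

def encode_cert_extensions(exts: Optional[list[bytes]]) -> bytes:
    """extensions [3] EXPLICIT Extensions OPTIONAL: None means omitted.
    Like a naive encoder, this does not enforce SIZE (1..MAX) itself."""
    if exts is None:
        return b""
    return der_tlv(0xA3, der_tlv(0x30, b"".join(exts)))

def delete_ext_buggy(exts: list[bytes], idx: int) -> list[bytes]:
    """Pre-fix behaviour: the (now empty) list object survives."""
    return exts[:idx] + exts[idx + 1:]

def delete_ext_fixed(exts: list[bytes], idx: int) -> Optional[list[bytes]]:
    """Post-fix behaviour: clear the list once the last extension is gone,
    so the OPTIONAL field is omitted when encoding."""
    remaining = exts[:idx] + exts[idx + 1:]
    return remaining or None

def extensions_field_is_valid(der: bytes) -> bool:
    """Accept an absent field, or [3] EXPLICIT wrapping a SEQUENCE with at
    least one element (SIZE (1..MAX)). Short-form lengths only."""
    if der == b"":
        return True
    if len(der) < 4 or der[0] != 0xA3 or der[2] != 0x30:
        return False
    return der[3] > 0 and der[1] == der[3] + 2 and len(der) == der[1] + 2
```

With a single constructed Subject Key Identifier extension (OID 2.5.29.14), the buggy delete leaves `a3 02 30 00` on the wire, which the check rejects, while the fixed delete yields no field at all.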