From: Dr. David von Oheimb Date: Wed, 10 Nov 2021 08:31:11 +0000 (+0100) Subject: X509V3_set_ctx(): Clarify use of subject/req parameter for constructing SKID by hash... X-Git-Tag: openssl-3.2.0-alpha1~3250 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=15ac84e603678140ba32832c288e5f1745a258f8;p=thirdparty%2Fopenssl.git X509V3_set_ctx(): Clarify use of subject/req parameter for constructing SKID by hash of pubkey This does not change the semantics of expected usage because only either one may be given. Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/17145) --- diff --git a/crypto/x509/v3_skid.c b/crypto/x509/v3_skid.c index bab88898e68..18223f2ef49 100644 --- a/crypto/x509/v3_skid.c +++ b/crypto/x509/v3_skid.c @@ -105,7 +105,7 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, return NULL; } - return ossl_x509_pubkey_hash(ctx->subject_req != NULL ? - ctx->subject_req->req_info.pubkey : - ctx->subject_cert->cert_info.key); + return ossl_x509_pubkey_hash(ctx->subject_cert != NULL ? + ctx->subject_cert->cert_info.key : + ctx->subject_req->req_info.pubkey); } diff --git a/doc/man3/X509V3_set_ctx.pod b/doc/man3/X509V3_set_ctx.pod index 1fc5111de43..820052ba984 100644 --- a/doc/man3/X509V3_set_ctx.pod +++ b/doc/man3/X509V3_set_ctx.pod 
@@ -18,12 +18,14 @@ X509V3_set_issuer_pkey - X.509 v3 extension generation utilities X509V3_set_ctx() fills in the basic fields of I of type B, providing details potentially needed by functions producing X509 v3 extensions, e.g., to look up values for filling in authority key identifiers. -Any of I, I, or I may be provided, pointing to a certificate, +Any of I, I, or I may be provided, pointing to a certificate, certification request, or certificate revocation list, respectively. -If I or I is provided, I should point to its issuer, +When constructing the subject key identifier of a certificate by computing a +hash value of its public key, the public key is taken from I or I. +If I or I is provided, I should point to its issuer, for instance to help generating an authority key identifier extension. -Note that if I is provided, I may be the same as I, -which means that I is self-issued (or even self-signed). +Note that if I is provided, I may be the same as I, +which means that I is self-issued (or even self-signed). I may be 0 or contain B, which means that just the syntax of extension definitions is to be checked without actually producing an extension,
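Review bot: In the crypto/x509/v3_skid.c hunk, the reordered ternary in s2i_skey_id() changes which key is hashed when both ctx->subject_cert and ctx->subject_req are set: before, the request's pubkey won; now the certificate's key does. The commit message relies on "only either one may be given", but nothing in the visible lines enforces that. Either reject a context with both set or add a short comment above the return stating that subject_cert takes precedence. Separately, the fallback branch still dereferences ctx->subject_req without a NULL test. The `return NULL;` in the leading context suggests a guard exists, but its condition is outside the hunk, so please confirm it covers the case where both pointers are NULL.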
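Review bot: In the doc/man3/X509V3_set_ctx.pod hunk, the added sentence says the public key for the hashed subject key identifier is taken from one parameter "or" the other, but does not say what happens when both the subject certificate and the certification request are supplied. The paragraph still opens with "Any of ... may be provided", which does not read as mutually exclusive, while the code hunk now prefers the certificate's key. Add one sentence that either states the two are not meant to be given together or documents that the certificate takes precedence, so that the manual page and s2i_skey_id() agree.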