From: Dr. David von Oheimb
Date: Wed, 25 Aug 2021 10:21:06 +0000 (+0200)
Subject: APPS/req: Fix AKID generation in case -CA option is used
X-Git-Tag: openssl-3.0.0~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4fdb0d2535323373650bd68e7a659f9320828857;p=thirdparty%2Fopenssl.git

APPS/req: Fix AKID generation in case -CA option is used

Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/16420)
---
diff --git a/apps/req.c b/apps/req.c
index 43132492953..6aa364fec50 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -791,6 +791,7 @@ int req_main(int argc, char **argv)
     }
     if (gen_x509) {
         EVP_PKEY *pub_key = X509_REQ_get0_pubkey(req);
+        EVP_PKEY *issuer_key = CAcert != NULL ? CAkey : pkey;
         X509V3_CTX ext_ctx;
         X509_NAME *issuer = CAcert != NULL ? X509_get_subject_name(CAcert) :
             X509_REQ_get_subject_name(req);
@@ -831,11 +832,12 @@ int req_main(int argc, char **argv)
         /* Set up V3 context struct */
         X509V3_set_ctx(&ext_ctx, CAcert != NULL ? CAcert : new_x509, new_x509,
                        NULL, NULL, X509V3_CTX_REPLACE);
-        if (CAcert == NULL) { /* self-issued, possibly self-signed */
-            if (!X509V3_set_issuer_pkey(&ext_ctx, pkey)) /* prepare right AKID */
+        /* prepare fallback for AKID, but only if issuer cert == new_x509 */
+        if (CAcert == NULL) {
+            if (!X509V3_set_issuer_pkey(&ext_ctx, issuer_key))
                 goto end;
             ERR_set_mark();
-            if (!X509_check_private_key(new_x509, pkey))
+            if (!X509_check_private_key(new_x509, issuer_key))
                 BIO_printf(bio_err,
                            "Warning: Signature key and public key of cert do not match\n");
             ERR_pop_to_mark();
@@ -866,8 +868,7 @@ int req_main(int argc, char **argv)
             }
         }
 
-        i = do_X509_sign(new_x509, CAcert != NULL ? CAkey : pkey,
-                         digest, sigopts, &ext_ctx);
+        i = do_X509_sign(new_x509, issuer_key, digest, sigopts, &ext_ctx);
         if (!i)
             goto end;
     } else {
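Review bot: `EVP_PKEY *issuer_key = CAcert != NULL ? CAkey : pkey;` in the first hunk yields a NULL issuer_key whenever -CA is given but CAkey is NULL, and the third hunk (`@@ -866,8 +868,7 @@`) then passes that NULL straight into do_X509_sign without any check in between. Unless option handling earlier in req_main (outside these hunks) already guarantees CAkey is non-NULL whenever CAcert is, a guard right after the initialization would make the failure explicit instead of leaving it to the signing code: `if (issuer_key == NULL) { BIO_printf(bio_err, "Error: no issuer key available for signing\n"); goto end; }`. req_main begins and ends outside the hunks shown.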
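Review bot: In the second hunk the `X509_check_private_key` mismatch warning stays confined to the `CAcert == NULL` branch, so with -CA nothing in this block confirms that CAkey actually belongs to CAcert, and a certificate signed by a key that does not match the issuer certificate's public key only fails later, at chain verification. A parallel check after the branch, `if (CAcert != NULL && !X509_check_private_key(CAcert, issuer_key))` followed by the same BIO_printf warning inside the existing ERR_set_mark()/ERR_pop_to_mark() bracketing, would surface the misconfiguration at issuance time. If that consistency is already enforced where CAcert and CAkey are loaded earlier in req_main (outside the hunk), a one-line comment on the `if (CAcert == NULL)` line saying so would spare the next reader the same question.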