From: Dr. David von Oheimb Date: Fri, 4 Dec 2020 08:26:25 +0000 (+0100) Subject: x509v3_config.pod: Clarify semantics of subjectKeyIdentifier and authorityKeyIdentifier X-Git-Tag: openssl-3.0.0-alpha10~97 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e9701a0141313d2c7008c6ee6d821ba80b3a14d9;p=thirdparty%2Fopenssl.git x509v3_config.pod: Clarify semantics of subjectKeyIdentifier and authorityKeyIdentifier Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/13614) --- diff --git a/crypto/x509/v3_akey.c b/crypto/x509/v3_akey.c index 21ea1e4c758..a6157fcf4db 100644 --- a/crypto/x509/v3_akey.c +++ b/crypto/x509/v3_akey.c @@ -119,7 +119,7 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1); if ((i >= 0) && (ext = X509_get_ext(cert, i))) ikeyid = X509V3_EXT_d2i(ext); - if (keyid == 2 && !ikeyid) { + if ((keyid == 2 || issuer == 0) && ikeyid == NULL) { ERR_raise(ERR_LIB_X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID); return NULL; } diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod index 953b0268cdb..a20065a8d9e 100644 --- a/doc/man5/x509v3_config.pod +++ b/doc/man5/x509v3_config.pod 
@@ -164,11 +164,14 @@ Examples: =head2 Subject Key Identifier -This is a string extension with one of two legal values. If it is the word -B, then OpenSSL will follow the process in RFC 5280 to calculate the -hash value. -Otherwise, the value should be a hex string to output directly, however, this -is strongly discouraged. +This SKID extension is a string with one of two legal values. +If it is the word B, then OpenSSL will follow +the process specified in RFC 5280 section 4.2.1.2. (1): +The keyIdentifier is composed of the 160-bit SHA-1 hash of the value of the BIT +STRING subjectPublicKey (excluding the tag, length, and number of unused bits). + +Otherwise, the value must be a hex string (possibly with C<:> separating bytes) +to output directly, however, this is strongly discouraged. Example: 
@@ -176,16 +179,19 @@ Example: =head2 Authority Key Identifier -This extension has two options, B and B. Either or both -can have the value B, indicated by putting a colon between -the option and its value. +The AKID extension specification may have the value B or B +or both of them, separated by C<,>. +Either or both can have the option B, +indicated by putting a colon C<:> between the value and this opton. + +If B is present, an attempt is made to copy the subject key identifier +(SKID) from the issuer certificate, which is the default behavior. +If this fails and the option B is present, an error is returned. +For self-issued certs the specification for the SKID must be given before. -If B is present, than an attempt is made to copy the subject key -identifier from the parent certificate. If the value B is present, -then an error can be returned if the option fails. If B is present, -an attempt is made to copy the issuer and serial number from the parent -certificate. This is done if the B option fails, or if B -has B specified. +If B is present and no B has been added +or it has the option B specified, then +the issuer DN and serial number are copied from the issuer certificate. Examples:
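Review bot: the new condition in crypto/x509/v3_akey.c, `if ((keyid == 2 || issuer == 0) && ikeyid == NULL)`, turns a missing subject key identifier in the issuer certificate into a hard X509V3_R_UNABLE_TO_GET_ISSUER_KEYID error whenever no `issuer` fallback was configured, even if `keyid` was given without `always`; the pod text added in the same commit says an error is returned only when the `always` option is present, so the documentation and the code now disagree. Either the pod should state the actual rule (error when the issuer certificate has no SKID and the specification gives neither `always` nor an `issuer` fallback) or the condition should be narrowed to the documented one. It is also worth confirming that `keyid == 0 && issuer == 0` cannot reach this line, or is meant to fail here, because that case now reports a problem with the issuer key id rather than with an empty AKID specification; a one-line comment above the `if` stating the intended semantics would help the next reader.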
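Review bot: in the Subject Key Identifier hunk, "RFC 5280 section 4.2.1.2. (1)" has a stray full stop before the parenthesised number; "RFC 5280 section 4.2.1.2, method (1)" makes clear that "(1)" refers to the RFC's first keyIdentifier method rather than reading as a footnote. The following sentence, "The keyIdentifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey ...", is lifted from the RFC and should be marked as a quotation or introduced with "which is". The last sentence, "... to output directly, however, this is strongly discouraged", is a comma splice and gives the reader no reason to prefer the hash form; split it into two sentences and say why a hand-supplied value is discouraged.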
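Review bot: typo on the added line "between the value and this opton" in the Authority Key Identifier hunk (should be "option"). "For self-issued certs the specification for the SKID must be given before." leaves "before" dangling; say before what, presumably earlier in the configuration than the authorityKeyIdentifier line, since a self-issued certificate is its own issuer. "which is the default behavior" is also ambiguous: it can be read either as "copying the SKID is the default" or as "keyid is the default value", and if the latter is meant, "keyid is the default if no value is given" would settle it.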