The branch openssl-3.0 has been updated via ab3311576e3ab1a1e876061fcd885c9c09daddd8 (commit) via eff06fe5a02cf35782c626231aba43e79f34a87a (commit) from bf17b7b18d11d4005c0ff760405744c3e7da2e0d (commit)
- Log ----------------------------------------------------------------- commit ab3311576e3ab1a1e876061fcd885c9c09daddd8 Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Wed Nov 10 09:39:55 2021 +0100 X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email addresses from subject DN Also slightly improve the style of the respective code in crypto/x509/v3_san.c. Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17145) (cherry picked from commit 317acac5cc0a2cb31bc4b91353c2b752a3989d8a) commit eff06fe5a02cf35782c626231aba43e79f34a87a Author: Dr. David von Oheimb <david.von.ohe...@siemens.com> Date: Wed Nov 10 09:31:11 2021 +0100 X509V3_set_ctx(): Clarify use of subject/req parameter for constructing SKID by hash of pubkey This does not change the semantics of expected usage because only either one may be given. Reviewed-by: Tomas Mraz <to...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17145) (cherry picked from commit 15ac84e603678140ba32832c288e5f1745a258f8) ----------------------------------------------------------------------- Summary of changes: crypto/x509/v3_san.c | 11 +++++------ crypto/x509/v3_skid.c | 6 +++--- doc/man3/X509V3_set_ctx.pod | 12 ++++++++---- doc/man5/x509v3_config.pod | 8 +++++--- 4 files changed, 21 insertions(+), 16 deletions(-) diff --git a/crypto/x509/v3_san.c b/crypto/x509/v3_san.c index 26708aefae..c081f02e19 100644 --- a/crypto/x509/v3_san.c +++ b/crypto/x509/v3_san.c 
@@ -393,11 +393,11 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
 for (i = 0; i < num; i++) {
 cnf = sk_CONF_VALUE_value(nval, i);
- if (!ossl_v3_name_cmp(cnf->name, "email")
+ if (ossl_v3_name_cmp(cnf->name, "email") == 0
 && cnf->value && strcmp(cnf->value, "copy") == 0) {
 if (!copy_email(ctx, gens, 0))
 goto err;
- } else if (!ossl_v3_name_cmp(cnf->name, "email")
+ } else if (ossl_v3_name_cmp(cnf->name, "email") == 0
 && cnf->value && strcmp(cnf->value, "move") == 0) {
 if (!copy_email(ctx, gens, 1))
 goto err;
@@ -434,10 +434,9 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
 return 0;
 }
 /* Find the subject name */
- if (ctx->subject_cert)
- nm = X509_get_subject_name(ctx->subject_cert);
- else
- nm = X509_REQ_get_subject_name(ctx->subject_req);
+ nm = ctx->subject_cert != NULL ?
+ X509_get_subject_name(ctx->subject_cert) :
+ X509_REQ_get_subject_name(ctx->subject_req);
 /* Now add any email address(es) to STACK */
 while ((i = X509_NAME_get_index_by_NID(nm,
diff --git a/crypto/x509/v3_skid.c b/crypto/x509/v3_skid.c
index bab88898e6..18223f2ef4 100644
--- a/crypto/x509/v3_skid.c
+++ b/crypto/x509/v3_skid.c
@@ -105,7 +105,7 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
 return NULL;
 }
- return ossl_x509_pubkey_hash(ctx->subject_req != NULL ?
- ctx->subject_req->req_info.pubkey :
- ctx->subject_cert->cert_info.key);
+ return ossl_x509_pubkey_hash(ctx->subject_cert != NULL ?
+ ctx->subject_cert->cert_info.key :
+ ctx->subject_req->req_info.pubkey);
 }
diff --git a/doc/man3/X509V3_set_ctx.pod b/doc/man3/X509V3_set_ctx.pod
index 1fc5111de4..8287802e41 100644
--- a/doc/man3/X509V3_set_ctx.pod
+++ b/doc/man3/X509V3_set_ctx.pod
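Review bot: In the rewritten if/else-if chain the test `ossl_v3_name_cmp(cnf->name, "email") == 0 && cnf->value` is now spelled out twice, and the two branches differ only in the `"copy"`/`"move"` literal and the move_p flag handed to copy_email(), so the duplicated comparison invites the two conditions drifting apart on a later edit. Hoisting it keeps the `== 0` style this hunk introduces while stating the shared precondition once: `const int is_email = ossl_v3_name_cmp(cnf->name, "email") == 0 && cnf->value != NULL;` followed by `if (is_email && strcmp(cnf->value, "copy") == 0)` and `else if (is_email && strcmp(cnf->value, "move") == 0)`. The remaining else branches of the loop body, and the start and end of v2i_subject_alt(), lie outside the hunk.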
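Review bot: The new conditional expression falls through to `X509_REQ_get_subject_name(ctx->subject_req)` whenever ctx->subject_cert is NULL, so it is only safe if the `return 0;` visible at the top of the hunk belongs to a guard that already rejected a ctx with neither subject_cert nor subject_req set; that guard's condition is outside the hunk, so I cannot confirm it from here. Nothing at this line records that invariant, so I would replace the `/* Find the subject name */` comment with `/* Caller guarantees at least one of subject_cert/subject_req is non-NULL; subject_cert takes precedence if both are set. */`, making the precedence that this commit also adopts in v3_skid.c explicit at the point where it is relied on. Note too that X509_get_subject_name() is understood to return the certificate's internal name object rather than a copy, so with move_p the email entries are presumably deleted from the certificate's subject in place — worth a mention in the same comment if that is intended (the deletion loop is below the hunk). The rest of copy_email() lies outside the hunk.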
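Review bot: Swapping the operands of the conditional changes which key is hashed when a caller has set both ctx->subject_cert and ctx->subject_req: the removed lines preferred the request's public key, the new lines prefer the certificate's. The commit message argues this is harmless because only one of the two may be given, but the X509V3_set_ctx.pod text in this same series says only that "Any of subject, req, or crl may be provided" and nothing in this hunk enforces exclusivity, so whether any caller populates both (not visible from here) decides whether this is a behaviour change; preferring the certificate's key is the right choice for a certificate being issued and now matches copy_email() in v3_san.c. I would state the rule in the doc, `If both I<subject> and I<req> are given, I<subject> takes precedence.`, and mirror it above the return as `/* subject_cert wins if both are set; the guard above rejects the case where neither is */`, which assumes the `return NULL;` visible above is that guard — its condition lies outside the hunk. Whether ossl_x509_pubkey_hash() tolerates a NULL X509_PUBKEY (cert_info.key or req_info.pubkey unset) is likewise not visible here and would be worth a one-line check or comment.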
@@ -18,12 +18,16 @@ X509V3_set_issuer_pkey - X.509 v3 extension generation utilities
 X509V3_set_ctx() fills in the basic fields of I<ctx> of type B<X509V3_CTX>, providing details potentially needed by functions producing X509 v3 extensions, e.g., to look up values for filling in authority key identifiers.
-Any of I<subj>, I<req>, or I<crl> may be provided, pointing to a certificate,
+Any of I<subject>, I<req>, or I<crl> may be provided, pointing to a certificate,
 certification request, or certificate revocation list, respectively.
-If I<subj> or I<crl> is provided, I<issuer> should point to its issuer,
+When constructing the subject key identifier of a certificate by computing a
+hash value of its public key, the public key is taken from I<subject> or I<req>.
+Similarly, when constructing subject alternative names from any email addresses
+contained in a subject DN, the subject DN is taken from I<subject> or I<req>.
+If I<subject> or I<crl> is provided, I<issuer> should point to its issuer,
 for instance to help generating an authority key identifier extension.
-Note that if I<subj> is provided, I<issuer> may be the same as I<subj>,
-which means that I<subj> is self-issued (or even self-signed).
+Note that if I<subject> is provided, I<issuer> may be the same as I<subject>,
+which means that I<subject> is self-issued (or even self-signed).
 I<flags> may be 0 or contain B<X509V3_CTX_TEST>, which means that just the syntax of extension definitions is to be checked without actually producing an extension,
diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod
index 2a3afee27f..1830092394 100644
--- a/doc/man5/x509v3_config.pod
+++ b/doc/man5/x509v3_config.pod
@@ -228,9 +228,11 @@ B<dirName> (a distinguished name), and B<otherName>. The syntax of each is described in the following paragraphs.
-The B<email> option has a special C<copy> value, which will automatically
-include any email addresses contained in the certificate subject name in
-the extension.
+The B<email> option has two special values.
+C<copy> will automatically include any email addresses
+contained in the certificate subject name in the extension.
+C<move> will automatically move any email addresses
+from the certificate subject name to the extension.
 The IP address used in the B<IP> option can be in either IPv4 or IPv6 format.