[openssl] master update

dev at ddvo.net dev at ddvo.net
Sat Sep 5 18:12:02 UTC 2020


The branch master has been updated
       via  076bf8c2c972d01a70ca4146e637dfbe6f35b2fb (commit)
      from  0b86eefd431dd05a0ba87b2f67a6b99def89b6d5 (commit)


- Log -----------------------------------------------------------------
commit 076bf8c2c972d01a70ca4146e637dfbe6f35b2fb
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Sep 3 23:04:48 2020 +0200

    X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs
    
    Reviewed-by: Matt Caswell <matt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/12787)

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/t_x509.c   | 21 +++++++++++++++------
 crypto/x509/v3_prn.c   |  7 ++++++-
 include/openssl/x509.h |  1 +
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 199f88857b..f0240f12c3 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -200,9 +200,10 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
         }
     }
 
-    if (!(cflag & X509_FLAG_NO_EXTENSIONS))
-        X509V3_extensions_print(bp, "X509v3 extensions",
-                                X509_get0_extensions(x), cflag, 8);
+    if (!(cflag & X509_FLAG_NO_EXTENSIONS)
+        && !X509V3_extensions_print(bp, "X509v3 extensions",
+                                    X509_get0_extensions(x), cflag, 8))
+        goto err;
 
     if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
         const X509_ALGOR *sig_alg;
@@ -415,7 +416,8 @@ int x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags)
     if (X509_cmp_current_time(X509_get0_notAfter(cert)) < 0)
         if (BIO_printf(bio, "        no more valid\n") <= 0)
             return 0;
-    return X509_print_ex(bio, cert, flags, ~(neg_cflags));
+    return X509_print_ex(bio, cert, flags,
+                         ~neg_cflags & ~X509_FLAG_EXTENSIONS_ONLY_KID);
 }
 
 static int print_certs(BIO *bio, const STACK_OF(X509) *certs)
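Review bot: The mask `~neg_cflags & ~X509_FLAG_EXTENSIONS_ONLY_KID` on the new return line is correct but reads as a puzzle: `~neg_cflags` turns every bit on, so without the second term the all-extensions print would silently become a KID-only print. A one-line comment above the call would save the next reader that derivation, e.g. `/* ~neg_cflags sets every cflag bit; clear ONLY_KID so all extensions print */`. The body of x509_print_ex_brief starts before this hunk, so where `flags` comes from is not visible here.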
@@ -427,8 +429,15 @@ static int print_certs(BIO *bio, const STACK_OF(X509) *certs)
 
     for (i = 0; i < sk_X509_num(certs); i++) {
         X509 *cert = sk_X509_value(certs, i);
-        if (cert != NULL && !x509_print_ex_brief(bio, cert, 0))
-            return 0;
+
+        if (cert != NULL) {
+            if (!x509_print_ex_brief(bio, cert, 0))
+                return 0;
+            if (!X509V3_extensions_print(bio, NULL,
+                                         X509_get0_extensions(cert),
+                                         X509_FLAG_EXTENSIONS_ONLY_KID, 8))
+                return 0;
+            }
     }
     return 1;
 }
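Review bot: The closing brace of the new `if (cert != NULL) {` block is indented to column 12 instead of 8, so it lines up with the inner `if`s rather than with the block it closes; it should be `        }`. The new call passes `X509_get0_extensions(cert)` straight through with a NULL title, so X509V3_extensions_print must tolerate a NULL extension stack for certificates carrying no extensions — that early-exit is not visible in this diff and is worth confirming. Note also that a cert with no KID extensions prints nothing after the brief line, which is presumably intended.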
diff --git a/crypto/x509/v3_prn.c b/crypto/x509/v3_prn.c
index aa902204f0..4b2ad2685b 100644
--- a/crypto/x509/v3_prn.c
+++ b/crypto/x509/v3_prn.c
@@ -156,10 +156,15 @@ int X509V3_extensions_print(BIO *bp, const char *title,
     for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
         ASN1_OBJECT *obj;
         X509_EXTENSION *ex;
+
         ex = sk_X509_EXTENSION_value(exts, i);
+        obj = X509_EXTENSION_get_object(ex);
+        if ((flag & X509_FLAG_EXTENSIONS_ONLY_KID) != 0
+                && OBJ_obj2nid(obj) != NID_subject_key_identifier
+                && OBJ_obj2nid(obj) != NID_authority_key_identifier)
+            continue;
         if (indent && BIO_printf(bp, "%*s", indent, "") <= 0)
             return 0;
-        obj = X509_EXTENSION_get_object(ex);
         i2a_ASN1_OBJECT(bp, obj);
         j = X509_EXTENSION_get_critical(ex);
         if (BIO_printf(bp, ": %s\n", j ? "critical" : "") <= 0)
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index d243fda94c..bbe2d62cf9 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -159,6 +159,7 @@ DEFINE_OR_DECLARE_STACK_OF(X509_TRUST)
 # define X509_FLAG_NO_AUX                (1L << 10)
 # define X509_FLAG_NO_ATTRIBUTES         (1L << 11)
 # define X509_FLAG_NO_IDS                (1L << 12)
+# define X509_FLAG_EXTENSIONS_ONLY_KID   (1L << 13)
 
 /* Flags specific to X509_NAME_print_ex() */
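Review bot: The new public flag `X509_FLAG_EXTENSIONS_ONLY_KID` has the opposite polarity of its `X509_FLAG_NO_*` neighbours (it restricts output rather than suppressing a section) and gets no comment, and the diffstat shows no documentation file updated alongside it. Add a comment on the define, e.g. `/* print only the Subject/Authority Key Identifier extensions */`, and document the flag where X509_print_ex()/X509V3_extensions_print() flags are described. Whether this is meant to be public API or only for the internal print_certs() caller is not clear from the change and is worth stating.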
 

