[openssl] master update

dev at ddvo.net dev at ddvo.net
Thu Aug 26 15:44:18 UTC 2021 

The branch master has been updated
       via  b4fec69b2a8b5b93ec0e2603e4d27e5d722b87fc (commit)
      from  78539b250b05d0721da775bf4eddc096bde5ecaa (commit)


- Log -----------------------------------------------------------------
commit b4fec69b2a8b5b93ec0e2603e4d27e5d722b87fc
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Aug 25 08:35:40 2021 +0200

    APPS/x509: fix -extfile option, which was ignored with -x509toreq
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16417)

-----------------------------------------------------------------------

Summary of changes:
 apps/x509.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/apps/x509.c b/apps/x509.c
index e9a45e4d8f..7236972c5b 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -190,9 +190,7 @@ static void warn_copying(ASN1_OBJECT *excluded, const char *names)
                    sn);
 }
 
-static X509_REQ *x509_to_req(X509 *cert, EVP_PKEY *pkey, const char *digest,
-                             STACK_OF(OPENSSL_STRING) *sigopts,
-                             int ext_copy, const char *names)
+static X509_REQ *x509_to_req(X509 *cert, int ext_copy, const char *names)
 {
     const STACK_OF(X509_EXTENSION) *cert_exts = X509_get0_extensions(cert);
     int i, n = sk_X509_EXTENSION_num(cert_exts /* may be NULL */);
@@ -228,8 +226,6 @@ static X509_REQ *x509_to_req(X509 *cert, EVP_PKEY *pkey, const char *digest,
             goto err;
         }
     }
-    if (!do_X509_REQ_sign(req, pkey, digest, sigopts))
-        goto err;
     sk_X509_EXTENSION_free(exts);
     return req;
 
@@ -804,7 +800,7 @@ int x509_main(int argc, char **argv)
     }
 
     X509V3_set_ctx(&ext_ctx, issuer_cert, x, req, NULL, X509V3_CTX_REPLACE);
-    if (extconf != NULL) {
+    if (extconf != NULL && !x509toreq) {
         X509V3_set_nconf(&ext_ctx, extconf);
         if (!X509V3_EXT_add_nconf(extconf, &ext_ctx, extsect, x)) {
             BIO_printf(bio_err,
@@ -830,8 +826,17 @@ int x509_main(int argc, char **argv)
             BIO_printf(bio_err, "Must not use -clrext together with -copy_extensions\n");
             goto end;
         }
-        if ((rq = x509_to_req(x, privkey, digest, sigopts,
-                              ext_copy, ext_names)) == NULL)
+        if ((rq = x509_to_req(x, ext_copy, ext_names)) == NULL)
+            goto end;
+        if (extconf != NULL) {
+            X509V3_set_nconf(&ext_ctx, extconf);
+            if (!X509V3_EXT_REQ_add_nconf(extconf, &ext_ctx, extsect, rq)) {
+                BIO_printf(bio_err,
+                           "Error adding request extensions from section %s\n", extsect);
+                goto end;
+            }
+        }
+        if (!do_X509_REQ_sign(rq, privkey, digest, sigopts))
             goto end;
         if (!noout) {
             if (outformat == FORMAT_ASN1) {

More information about the openssl-commits mailing list