[openssl] master update
dev at ddvo.net
dev at ddvo.net
Tue Dec 7 14:19:59 UTC 2021
The branch master has been updated
via 317acac5cc0a2cb31bc4b91353c2b752a3989d8a (commit)
via 15ac84e603678140ba32832c288e5f1745a258f8 (commit)
from e819b5727312477f8c1f56bf928e611ad7e78315 (commit)
- Log -----------------------------------------------------------------
commit 317acac5cc0a2cb31bc4b91353c2b752a3989d8a
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed Nov 10 09:39:55 2021 +0100
X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email addresses from subject DN
Also slightly improve the style of the respective code in crypto/x509/v3_san.c.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17145)
commit 15ac84e603678140ba32832c288e5f1745a258f8
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Wed Nov 10 09:31:11 2021 +0100
X509V3_set_ctx(): Clarify use of subject/req parameter for constructing SKID by hash of pubkey
This does not change the semantics of expected usage because only either one may be given.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17145)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/v3_san.c | 11 +++++------
crypto/x509/v3_skid.c | 6 +++---
doc/man3/X509V3_set_ctx.pod | 12 ++++++++----
doc/man5/x509v3_config.pod | 8 +++++---
4 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/crypto/x509/v3_san.c b/crypto/x509/v3_san.c
index 26708aefae..c081f02e19 100644
--- a/crypto/x509/v3_san.c
+++ b/crypto/x509/v3_san.c
@@ -393,11 +393,11 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
for (i = 0; i < num; i++) {
cnf = sk_CONF_VALUE_value(nval, i);
- if (!ossl_v3_name_cmp(cnf->name, "email")
+ if (ossl_v3_name_cmp(cnf->name, "email") == 0
&& cnf->value && strcmp(cnf->value, "copy") == 0) {
if (!copy_email(ctx, gens, 0))
goto err;
- } else if (!ossl_v3_name_cmp(cnf->name, "email")
+ } else if (ossl_v3_name_cmp(cnf->name, "email") == 0
&& cnf->value && strcmp(cnf->value, "move") == 0) {
if (!copy_email(ctx, gens, 1))
goto err;
@@ -434,10 +434,9 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
return 0;
}
/* Find the subject name */
- if (ctx->subject_cert)
- nm = X509_get_subject_name(ctx->subject_cert);
- else
- nm = X509_REQ_get_subject_name(ctx->subject_req);
+ nm = ctx->subject_cert != NULL ?
+ X509_get_subject_name(ctx->subject_cert) :
+ X509_REQ_get_subject_name(ctx->subject_req);
/* Now add any email address(es) to STACK */
while ((i = X509_NAME_get_index_by_NID(nm,
diff --git a/crypto/x509/v3_skid.c b/crypto/x509/v3_skid.c
index bab88898e6..18223f2ef4 100644
--- a/crypto/x509/v3_skid.c
+++ b/crypto/x509/v3_skid.c
@@ -105,7 +105,7 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
return NULL;
}
- return ossl_x509_pubkey_hash(ctx->subject_req != NULL ?
- ctx->subject_req->req_info.pubkey :
- ctx->subject_cert->cert_info.key);
+ return ossl_x509_pubkey_hash(ctx->subject_cert != NULL ?
+ ctx->subject_cert->cert_info.key :
+ ctx->subject_req->req_info.pubkey);
}
diff --git a/doc/man3/X509V3_set_ctx.pod b/doc/man3/X509V3_set_ctx.pod
index 1fc5111de4..8287802e41 100644
--- a/doc/man3/X509V3_set_ctx.pod
+++ b/doc/man3/X509V3_set_ctx.pod
@@ -18,12 +18,16 @@ X509V3_set_issuer_pkey - X.509 v3 extension generation utilities
X509V3_set_ctx() fills in the basic fields of I<ctx> of type B<X509V3_CTX>,
providing details potentially needed by functions producing X509 v3 extensions,
e.g., to look up values for filling in authority key identifiers.
-Any of I<subj>, I<req>, or I<crl> may be provided, pointing to a certificate,
+Any of I<subject>, I<req>, or I<crl> may be provided, pointing to a certificate,
certification request, or certificate revocation list, respectively.
-If I<subj> or I<crl> is provided, I<issuer> should point to its issuer,
+When constructing the subject key identifier of a certificate by computing a
+hash value of its public key, the public key is taken from I<subject> or I<req>.
+Similarly, when constructing subject alternative names from any email addresses
+contained in a subject DN, the subject DN is taken from I<subject> or I<req>.
+If I<subject> or I<crl> is provided, I<issuer> should point to its issuer,
for instance to help generating an authority key identifier extension.
-Note that if I<subj> is provided, I<issuer> may be the same as I<subj>,
-which means that I<subj> is self-issued (or even self-signed).
+Note that if I<subject> is provided, I<issuer> may be the same as I<subject>,
+which means that I<subject> is self-issued (or even self-signed).
I<flags> may be 0
or contain B<X509V3_CTX_TEST>, which means that just the syntax of
extension definitions is to be checked without actually producing an extension,
diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod
index 0114b45505..fb9e562d7f 100644
--- a/doc/man5/x509v3_config.pod
+++ b/doc/man5/x509v3_config.pod
@@ -229,9 +229,11 @@ B<dirName> (a distinguished name),
and B<otherName>.
The syntax of each is described in the following paragraphs.
-The B<email> option has a special C<copy> value, which will automatically
-include any email addresses contained in the certificate subject name in
-the extension.
+The B<email> option has two special values.
+C<copy> will automatically include any email addresses
+contained in the certificate subject name in the extension.
+C<move> will automatically move any email addresses
+from the certificate subject name to the extension.
The IP address used in the B<IP> option can be in either IPv4 or IPv6 format.
More information about the openssl-commits
mailing list