[openssl] master update

dev at ddvo.net dev at ddvo.net
Tue Dec 7 14:19:59 UTC 2021


The branch master has been updated
       via  317acac5cc0a2cb31bc4b91353c2b752a3989d8a (commit)
       via  15ac84e603678140ba32832c288e5f1745a258f8 (commit)
      from  e819b5727312477f8c1f56bf928e611ad7e78315 (commit)


- Log -----------------------------------------------------------------
commit 317acac5cc0a2cb31bc4b91353c2b752a3989d8a
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Nov 10 09:39:55 2021 +0100

    X509V3_set_ctx(): Clarify subject/req parameter for constructing SAN email addresses from subject DN
    
    Also slightly improve the style of the respective code in crypto/x509/v3_san.c.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17145)

commit 15ac84e603678140ba32832c288e5f1745a258f8
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Nov 10 09:31:11 2021 +0100

    X509V3_set_ctx(): Clarify use of subject/req parameter for constructing SKID by hash of pubkey
    
    This does not change the semantics of expected usage because only either one may be given.
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/17145)

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/v3_san.c        | 11 +++++------
 crypto/x509/v3_skid.c       |  6 +++---
 doc/man3/X509V3_set_ctx.pod | 12 ++++++++----
 doc/man5/x509v3_config.pod  |  8 +++++---
 4 files changed, 21 insertions(+), 16 deletions(-)

diff --git a/crypto/x509/v3_san.c b/crypto/x509/v3_san.c
index 26708aefae..c081f02e19 100644
--- a/crypto/x509/v3_san.c
+++ b/crypto/x509/v3_san.c
@@ -393,11 +393,11 @@ static GENERAL_NAMES *v2i_subject_alt(X509V3_EXT_METHOD *method,
 
     for (i = 0; i < num; i++) {
         cnf = sk_CONF_VALUE_value(nval, i);
-        if (!ossl_v3_name_cmp(cnf->name, "email")
+        if (ossl_v3_name_cmp(cnf->name, "email") == 0
             && cnf->value && strcmp(cnf->value, "copy") == 0) {
             if (!copy_email(ctx, gens, 0))
                 goto err;
-        } else if (!ossl_v3_name_cmp(cnf->name, "email")
+        } else if (ossl_v3_name_cmp(cnf->name, "email") == 0
                    && cnf->value && strcmp(cnf->value, "move") == 0) {
             if (!copy_email(ctx, gens, 1))
                 goto err;
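Review bot: both branches of this `if`/`else if` now repeat the same `ossl_v3_name_cmp(cnf->name, "email") == 0 && cnf->value` test and differ only in the `"copy"` versus `"move"` string and the `move_p` argument; consider hoisting the shared test into one outer `if` and selecting `copy_email(ctx, gens, strcmp(cnf->value, "move") == 0)` inside it, which also makes it harder for the two conditions to drift apart. The switch from `!ossl_v3_name_cmp(...)` to `== 0` is a welcome consistency fix, since the adjacent `strcmp(cnf->value, ...) == 0` already uses that form.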
@@ -434,10 +434,9 @@ static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p)
         return 0;
     }
     /* Find the subject name */
-    if (ctx->subject_cert)
-        nm = X509_get_subject_name(ctx->subject_cert);
-    else
-        nm = X509_REQ_get_subject_name(ctx->subject_req);
+    nm = ctx->subject_cert != NULL ?
+        X509_get_subject_name(ctx->subject_cert) :
+        X509_REQ_get_subject_name(ctx->subject_req);
 
     /* Now add any email address(es) to STACK */
     while ((i = X509_NAME_get_index_by_NID(nm,
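Review bot: the new conditional expression makes the precedence explicit (the certificate's subject DN wins when both `ctx->subject_cert` and `ctx->subject_req` are set), which matches the order chosen in the v3_skid.c hunk of this same change; please make sure the guard just above this hunk (only its `return 0; }` tail is visible here) still rejects the case where both pointers are NULL, because the fallback branch would otherwise call `X509_REQ_get_subject_name(NULL)`. A one-line comment stating the precedence next to the assignment would help the next reader, as the `/* Find the subject name */` comment does not say which source is preferred.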
diff --git a/crypto/x509/v3_skid.c b/crypto/x509/v3_skid.c
index bab88898e6..18223f2ef4 100644
--- a/crypto/x509/v3_skid.c
+++ b/crypto/x509/v3_skid.c
@@ -105,7 +105,7 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
         return NULL;
     }
 
-    return ossl_x509_pubkey_hash(ctx->subject_req != NULL ?
-                                 ctx->subject_req->req_info.pubkey :
-                                 ctx->subject_cert->cert_info.key);
+    return ossl_x509_pubkey_hash(ctx->subject_cert != NULL ?
+                                 ctx->subject_cert->cert_info.key :
+                                 ctx->subject_req->req_info.pubkey);
 }
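Review bot: this hunk swaps which source is preferred when both `ctx->subject_cert` and `ctx->subject_req` are non-NULL (previously the request's public key was hashed, now the certificate's), which is a behaviour change for that case even though the commit message states only one of them may be given; since the X509V3_set_ctx.pod hunk in this change says "Any of I<subject>, I<req>, or I<crl> may be provided" without forbidding both, either document the precedence there (certificate first, matching the copy_email() hunk in v3_san.c) or reject the both-set case in X509V3_set_ctx(). As in the v3_san.c hunk, the caller must guarantee that at least one of the two pointers is non-NULL before this expression dereferences `ctx->subject_req->req_info.pubkey`.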
diff --git a/doc/man3/X509V3_set_ctx.pod b/doc/man3/X509V3_set_ctx.pod
index 1fc5111de4..8287802e41 100644
--- a/doc/man3/X509V3_set_ctx.pod
+++ b/doc/man3/X509V3_set_ctx.pod
@@ -18,12 +18,16 @@ X509V3_set_issuer_pkey - X.509 v3 extension generation utilities
 X509V3_set_ctx() fills in the basic fields of I<ctx> of type B<X509V3_CTX>,
 providing details potentially needed by functions producing X509 v3 extensions,
 e.g., to look up values for filling in authority key identifiers.
-Any of I<subj>, I<req>, or I<crl> may be provided, pointing to a certificate,
+Any of I<subject>, I<req>, or I<crl> may be provided, pointing to a certificate,
 certification request, or certificate revocation list, respectively.
-If I<subj> or I<crl> is provided, I<issuer> should point to its issuer,
+When constructing the subject key identifier of a certificate by computing a
+hash value of its public key, the public key is taken from I<subject> or I<req>.
+Similarly, when constructing subject alternative names from any email addresses
+contained in a subject DN, the subject DN is taken from I<subject> or I<req>.
+If I<subject> or I<crl> is provided, I<issuer> should point to its issuer,
 for instance to help generating an authority key identifier extension.
-Note that if I<subj> is provided, I<issuer> may be the same as I<subj>,
-which means that I<subj> is self-issued (or even self-signed).
+Note that if I<subject> is provided, I<issuer> may be the same as I<subject>,
+which means that I<subject> is self-issued (or even self-signed).
 I<flags> may be 0
 or contain B<X509V3_CTX_TEST>, which means that just the syntax of
 extension definitions is to be checked without actually producing an extension,
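Review bot: the renaming of I<subj> to I<subject> in this hunk must be mirrored in the SYNOPSIS of the same page (not part of this hunk), otherwise the DESCRIPTION refers to a parameter name that the prototype does not show. The two new sentences ("the public key is taken from I<subject> or I<req>", "the subject DN is taken from I<subject> or I<req>") should state which one is used when both are set, since the code hunks in this change make the certificate take precedence; also, the unchanged context line "for instance to help generating an authority key identifier extension" reads better as "to help generate".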
diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod
index 0114b45505..fb9e562d7f 100644
--- a/doc/man5/x509v3_config.pod
+++ b/doc/man5/x509v3_config.pod
@@ -229,9 +229,11 @@ B<dirName> (a distinguished name),
 and B<otherName>.
 The syntax of each is described in the following paragraphs.
 
-The B<email> option has a special C<copy> value, which will automatically
-include any email addresses contained in the certificate subject name in
-the extension.
+The B<email> option has two special values.
+C<copy> will automatically include any email addresses
+contained in the certificate subject name in the extension.
+C<move> will automatically move any email addresses
+from the certificate subject name to the extension.
 
 The IP address used in the B<IP> option can be in either IPv4 or IPv6 format.
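Review bot: the new description of C<move> should say explicitly that the email addresses are removed from the subject name of the certificate (or request) being processed, i.e. that this option modifies the subject DN rather than only adding to the extension, since that is the one observable difference from C<copy> and is what the `move_p` argument of copy_email() in the v3_san.c hunk controls. A short example line such as `subjectAltName = email:move` alongside the existing `copy` usage would make the syntax unambiguous.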
 