[openssl/openssl] 952fab: Fix re-signing certificates with different key sizes
Todd Short
noreply at reply.github.openssl.org
Fri Jul 22 18:48:03 UTC 2022
Branch: refs/heads/OpenSSL_1_1_1-stable
Home: https://github.openssl.org/openssl/openssl
Commit: 952fab01bebb15a8408c6ac27b59c28c979f7d49
https://github.openssl.org/openssl/openssl/commit/952fab01bebb15a8408c6ac27b59c28c979f7d49
Author: Todd Short <tshort at akamai.com>
Date: 2022-07-22 (Fri, 22 Jul 2022)
Changed paths:
M apps/x509.c
M test/recipes/25-test_x509.t
Log Message:
-----------
Fix re-signing certificates with different key sizes
PR #18129 broke the scenario of signing a certificate (not CSR) with
different-sized key. This works in 3.0, so port the fix from 3.0
(which is to only update the issuer for a request).
Partially undo #18129, but keep setting the issuer only for a CSR
Create two certs (a and ca) then sign a with c (into b):
```
openssl req -x509 -newkey rsa:2048 -keyout a-key.pem -out a-cert.pem -days 365 -nodes -subj /CN=a.example.com
openssl req -x509 -newkey rsa:4096 -keyout ${HERE}/ca-key.pem -out ${HERE}/ca-cert.pem -days 3650 -nodes -subj /CN=ca.example.com
openssl x509 -in a-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial '1234567890' -preserve_dates -sha256 -out b-cert.pem
```
The above succeeds in 1.1.1n and 3.0, fails in 1.1.1o (which includes #18129)
The issue in #16080 is also fixed.
Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Ben Kaduk <kaduk at mit.edu>
(Merged from https://github.com/openssl/openssl/pull/18836)
More information about the openssl-commits
mailing list