[openssl/openssl] 952fab: Fix re-signing certificates with different key sizes

Todd Short noreply at github.com
Fri Jul 22 18:49:30 UTC 2022


  Branch: refs/heads/OpenSSL_1_1_1-stable
  Home:   https://github.com/openssl/openssl
  Commit: 952fab01bebb15a8408c6ac27b59c28c979f7d49
      https://github.com/openssl/openssl/commit/952fab01bebb15a8408c6ac27b59c28c979f7d49
  Author: Todd Short <tshort at akamai.com>
  Date:   2022-07-22 (Fri, 22 Jul 2022)

  Changed paths:
    M apps/x509.c
    M test/recipes/25-test_x509.t

  Log Message:
  -----------
  Fix re-signing certificates with different key sizes

PR #18129 broke the scenario of signing a certificate (not CSR) with
different-sized key. This works in 3.0, so port the fix from 3.0
(which is to only update the issuer for a request).

Partially undo #18129, but keep setting the issuer only for a CSR

Create two certs (a and ca) then sign a with c (into b):
```
openssl req -x509 -newkey rsa:2048 -keyout a-key.pem -out a-cert.pem -days 365 -nodes -subj /CN=a.example.com
openssl req -x509 -newkey rsa:4096 -keyout ${HERE}/ca-key.pem -out ${HERE}/ca-cert.pem -days 3650 -nodes -subj /CN=ca.example.com
openssl x509 -in a-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial '1234567890' -preserve_dates -sha256 -out b-cert.pem
```
The above succeeds in 1.1.1n and 3.0, fails in 1.1.1o (which includes #18129)
The issue in #16080 is also fixed.

Reviewed-by: Matt Caswell <matt at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Ben Kaduk <kaduk at mit.edu>
(Merged from https://github.com/openssl/openssl/pull/18836)




More information about the openssl-commits mailing list