author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2021-08-27 11:34:23 +0200 |
committer | Dr. David von Oheimb <dev@ddvo.net> | 2021-11-08 09:15:13 +0100 |
commit | 9bf1061c44c81059102cd4749f6078b6ce71da9d (patch) | |
tree | e79e5c54b5d979cef00e9b174fc65e2ffee0add5 /crypto/x509 | |
parent | APPS/cmp: make the -sans option support email addresses (type rfc822Name) (diff) | |
APPS/x509: Fix generation of AKID via v2i_AUTHORITY_KEYID()
Fixes #16300
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16442)
Diffstat (limited to 'crypto/x509')
-rw-r--r-- | crypto/x509/v3_akid.c | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/crypto/x509/v3_akid.c b/crypto/x509/v3_akid.c
index 5abd35d644..43b515f50c 100644
--- a/crypto/x509/v3_akid.c
+++ b/crypto/x509/v3_akid.c
@@ -107,6 +107,7 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
     ASN1_INTEGER *serial = NULL;
     X509_EXTENSION *ext;
     X509 *issuer_cert;
+    int same_issuer, ss;
     AUTHORITY_KEYID *akeyid = AUTHORITY_KEYID_new();
 
     if (akeyid == NULL)
@@ -144,14 +145,26 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
         ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_ISSUER_CERTIFICATE);
         goto err;
     }
-
-    if (keyid != 0) {
-        /* prefer any pre-existing subject key identifier of the issuer cert */
+    same_issuer = ctx->subject_cert == ctx->issuer_cert;
+    ERR_set_mark();
+    if (ctx->issuer_pkey != NULL)
+        ss = X509_check_private_key(ctx->subject_cert, ctx->issuer_pkey);
+    else
+        ss = same_issuer;
+    ERR_pop_to_mark();
+
+    /* unless forced with "always", AKID is suppressed for self-signed certs */
+    if (keyid == 2 || (keyid == 1 && !ss)) {
+        /*
+         * prefer any pre-existing subject key identifier of the issuer cert
+         * except issuer cert is same as subject cert and is not self-signed
+         */
         i = X509_get_ext_by_NID(issuer_cert, NID_subject_key_identifier, -1);
-        if (i >= 0 && (ext = X509_get_ext(issuer_cert, i)) != NULL)
+        if (i >= 0 && (ext = X509_get_ext(issuer_cert, i)) != NULL
+            && !(same_issuer && !ss))
             ikeyid = X509V3_EXT_d2i(ext);
-        if (ikeyid == NULL && ctx->issuer_pkey != NULL) { /* fallback */
-            /* generate AKID from scratch, emulating s2i_skey_id(..., "hash") */
+        if (ikeyid == NULL && same_issuer && ctx->issuer_pkey != NULL) {
+            /* generate fallback AKID, emulating s2i_skey_id(..., "hash") */
             X509_PUBKEY *pubkey = NULL;
 
             if (X509_PUBKEY_set(&pubkey, ctx->issuer_pkey))
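Review bot: In the second hunk, `X509_check_private_key(ctx->subject_cert, ctx->issuer_pkey)` is reached whenever an issuer key is set, but nothing in the hunk establishes that `ctx->subject_cert` is non-NULL (the check just above only covers the issuer certificate), so a context that carries an issuer key but no subject certificate, as may occur when extensions are built for something other than a certificate, depends on that call tolerating a NULL certificate. If it does, that reliance is worth stating in a comment; otherwise guard it, `if (ctx->issuer_pkey != NULL && ctx->subject_cert != NULL)`, which leaves the else branch yielding the same `ss = same_issuer` result. The meaning of `ss` is also only implied: a comment above `ERR_set_mark()` such as `/* ss: cert is self-signed, i.e. the issuer key matches the subject cert's public key; with no issuer key, fall back to same_issuer */` would help readers of the later `!(same_issuer && !ss)` test. Note also that the fallback now requires `same_issuer`, so an issuer certificate lacking an SKID no longer yields a hashed AKID for `keyid == 1`, which is silent unless the code after the hunk reports it. v2i_AUTHORITY_KEYID begins and ends outside this hunk.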