Branch: refs/heads/master
Home: https://github.com/openssl/openssl
Commit: 84419e373ac1f28194fc4b2d9398f664322c9b75
https://github.com/openssl/openssl/commit/84419e373ac1f28194fc4b2d9398f664322c9b75
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2026-03-01 (Sun, 01 Mar 2026)
Changed paths:
M apps/lib/apps.c
M apps/req.c
M apps/x509.c
M crypto/err/openssl.txt
M crypto/x509/v3_akid.c
M crypto/x509/v3_conf.c
M crypto/x509/x509_err.c
M crypto/x509/x509_ext.c
M crypto/x509/x509_req.c
M crypto/x509/x509_v3.c
M crypto/x509/x_all.c
M include/crypto/x509.h
M include/crypto/x509err.h
M include/openssl/x509err.h
M test/recipes/25-test_req.t
Log Message:
-----------
Improved handling of AKID/SKID extensions in CSRs and certs

With the advent of the new AKID and SKID value syntax:

- subjectKeyIdentifier = none
- authorityKeyIdentifier = none

the resulting extensions are not directly suppressed, instead they
are parsed respectively as an empty OCTET STRING or an empty SEQUENCE.
There was new code in "apps/" to then drop the extension when signing
certificates, but this did not address applications that sign
certificates via the API, nor did it avoid adding these in CSRs.

We now drop these specific empty extensions from both certificates and
CSRs as part of X509v3_add_ext(), with the parsed extension never added
to the extension stack.

This means that in the "apps" the default "hash" or "keyid, issuer"
values must now be created first, with config settings and command-line
options applied after replacing the default as requested (including
"none" to suppress the extensions if desired).

If somehow an application manages to construct a TBS cert or CSR with a
pending empty SKID or AKID extension, an error is raised and the TBS is
not signed.

When no SKID is present in a self-signed cert, attempts to
force an AKID keyid need to fail, rather than produce an AKID
that will never match.

Similarly, when issuer cert == subject cert (same object in memory), but
the issuer key is not the subject key (forced signing key), there is no
way to infer the unknown issuer's name or serial number, so, with
"issuer:always" we must fail, rather than record the subject's own
issuer name and serial.

New "keyid:nonss" and "issuer:nonss" syntax is now supported, which
allows either part of the AKID to be conditional on the certificate not
being self-signed. In the case of "issuer:nonss" this is also
conditional on there being no non-empty issuer keyid. To force
inclusion of issuer+serial in the AKID use "issuer:always".
Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Neil Horman <nho...@openssl.org>
MergeDate: Sat Feb 28 15:22:47 2026
(Merged from https://github.com/openssl/openssl/pull/29057)
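The rules the commit message above lays out (an empty SKID parses as an empty OCTET STRING, an empty AKID as an empty SEQUENCE, neither may reach a signed TBS, and an AKID keyid with no matching issuer SKID can never chain) can be checked on the wire encoding independently of OpenSSL. The following is an added example, not OpenSSL's own code: a small DER walker that takes the X.509 Extensions SEQUENCE of a subject and of its issuer (the same bytes twice for a self-signed certificate) and reports exactly those conditions. The function names, finding messages and all sample extension blocks are this example's own constructions; no real certificates are involved.

```python
# Added example (not OpenSSL code): DER-level lint of the SKID and AKID extensions
# applying the rules from the commit message above. All sample inputs are
# constructed inline; no real certificates are involved.

OID_SKID = bytes.fromhex("551d0e")  # 2.5.29.14 subjectKeyIdentifier
OID_AKID = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """Encode one DER element with a single-byte tag."""
    return bytes([tag]) + _der_len(len(body)) + body

def parse_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split the content octets of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = parse_tlv(body, pos)
        out.append((tag, value))
    return out

def extensions(ext_seq_der):
    """Map extnID (OID bytes) -> extnValue (inner DER) for an Extensions SEQUENCE."""
    _, body, _ = parse_tlv(ext_seq_der)
    result = {}
    for _, ext in children(body):
        fields = children(ext)  # extnID, optional critical BOOLEAN, extnValue
        result[fields[0][1]] = fields[-1][1]
    return result

def skid_keyid(exts):
    """None if no SKID; b'' for the empty OCTET STRING form; otherwise the key id."""
    return parse_tlv(exts[OID_SKID])[1] if OID_SKID in exts else None

def akid_parts(exts):
    """None if no AKID; otherwise which of keyid / issuer / serial are present."""
    if OID_AKID not in exts:
        return None
    parts = {"keyid": None, "issuer": False, "serial": False}
    for tag, value in children(parse_tlv(exts[OID_AKID])[1]):
        if tag == 0x80:    # [0] keyIdentifier
            parts["keyid"] = value
        elif tag == 0xA1:  # [1] authorityCertIssuer
            parts["issuer"] = True
        elif tag == 0x82:  # [2] authorityCertSerialNumber
            parts["serial"] = True
    return parts

def lint_key_ids(subject_exts_der, issuer_exts_der):
    """Findings for a subject's SKID/AKID given its issuer's extensions."""
    sub, iss = extensions(subject_exts_der), extensions(issuer_exts_der)
    findings = []
    if skid_keyid(sub) == b"":
        findings.append("empty SKID: OCTET STRING of length 0 must not be signed")
    akid = akid_parts(sub)
    if akid is not None:
        if akid["keyid"] is None and not akid["issuer"] and not akid["serial"]:
            findings.append("empty AKID: SEQUENCE of length 0 must not be signed")
        elif akid["keyid"] is not None:
            issuer_skid = skid_keyid(iss)
            if not issuer_skid:
                findings.append("AKID keyid present but issuer has no SKID: it can never match")
            elif akid["keyid"] != issuer_skid:
                findings.append("AKID keyid does not match the issuer's SKID")
    return findings

# Constructed samples. Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }.
def skid_ext(keyid):
    return tlv(0x30, tlv(0x06, OID_SKID) + tlv(0x04, tlv(0x04, keyid)))
def akid_ext(keyid=None, issuer_serial=False):
    body = b"" if keyid is None else tlv(0x80, keyid)
    if issuer_serial:  # [1] GeneralNames { directoryName { } } and [2] serial 1
        body += tlv(0xA1, tlv(0xA4, tlv(0x30, b""))) + tlv(0x82, b"\x01")
    return tlv(0x30, tlv(0x06, OID_AKID) + tlv(0x04, tlv(0x30, body)))
def exts(*items):
    return tlv(0x30, b"".join(items))

KEY_CA, KEY_LEAF = bytes(range(20)), bytes(range(20, 40))
CA_EXTS = exts(skid_ext(KEY_CA))                              # issuer carrying an SKID
LEAF_OK = exts(skid_ext(KEY_LEAF), akid_ext(KEY_CA, True))    # "keyid, issuer" style AKID
LEAF_MISMATCH = exts(skid_ext(KEY_LEAF), akid_ext(KEY_LEAF))  # keyid that matches nothing
EMPTY_BOTH = exts(skid_ext(b""), akid_ext())                  # what "none" parses to
SELF_NO_SKID = exts(akid_ext(KEY_CA))                         # self-signed, forced keyid, no SKID
```

Call `lint_key_ids(LEAF_OK, CA_EXTS)` for a well-formed leaf (no findings), `lint_key_ids(EMPTY_BOTH, CA_EXTS)` to see both rejected empty encodings, and `lint_key_ids(SELF_NO_SKID, SELF_NO_SKID)` for the self-signed case with a forced keyid and no SKID. The "issuer:always" failure for an issuer object that is the subject but signed with a different key cannot be detected from the DER alone, since it depends on which key was actually used, so this lint does not attempt it.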
Commit: 16e5d81a610003ea0b5e1d40c116f2b21b3443fd
https://github.com/openssl/openssl/commit/16e5d81a610003ea0b5e1d40c116f2b21b3443fd
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2026-03-01 (Sun, 01 Mar 2026)
Changed paths:
M CHANGES.md
M apps/openssl-vms.cnf
M apps/openssl.cnf
M crypto/x509/v3_akid.c
M crypto/x509/x509_v3.c
M doc/man1/openssl-ca.pod.in
M doc/man1/openssl-req.pod.in
M doc/man1/openssl-x509.pod.in
M doc/man3/X509_sign.pod
M doc/man3/X509v3_get_ext_by_NID.pod
M doc/man5/x509v3_config.pod
M test/ca-and-certs.cnf
M test/recipes/25-test_req.t
M test/recipes/80-test_ca.t
M test/x509_test.c
Log Message:
-----------
Replace built-in AKID/SKID with configs

Add tests for suppression of skid/akid via explicit "none"
values and per-keyword "nonss" qualifiers and update docs.

Signing of X509 certs and X509_REQ CSRs rejects empty AKID/SKID
extensions, document and test this behaviour.
Reviewed-by: Matt Caswell <ma...@openssl.org>
Reviewed-by: Neil Horman <nho...@openssl.org>
MergeDate: Sat Feb 28 15:22:53 2026
(Merged from https://github.com/openssl/openssl/pull/29057)
Compare: https://github.com/openssl/openssl/compare/b678c18c9e86...16e5d81a6100