[openssl/openssl] c55fda: Polish AKID/SKID handling and related docs


openssl-machine

Mar 2, 2026, 12:44:34 PM
to openssl...@openssl.org
Branch: refs/heads/master
Home: https://github.com/openssl/openssl
Commit: c55fda746ab5fea93c8531f436bee867d6b30357
https://github.com/openssl/openssl/commit/c55fda746ab5fea93c8531f436bee867d6b30357
Author: Viktor Dukhovni <openss...@dukhovni.org>
Date: 2026-03-02 (Mon, 02 Mar 2026)

Changed paths:
M CHANGES.md
M apps/openssl-vms.cnf
M apps/openssl.cnf
M crypto/x509/v3_conf.c
M crypto/x509/v3_lib.c
M crypto/x509/x509_ext.c
M crypto/x509/x509_local.h
M crypto/x509/x509_v3.c
M crypto/x509/x_all.c
M doc/man1/openssl-req.pod.in
M doc/man1/openssl-x509.pod.in
M doc/man5/config.pod
M doc/man5/x509v3_config.pod
M test/recipes/25-test_req.t
M test/recipes/80-test_ca.t
M test/x509_test.c

Log Message:
-----------
Polish AKID/SKID handling and related docs

- Drop empty requestExtensions CSR attributes

While `attributes` is a required CSR field, its `requestExtensions`
attribute is optional, and should be avoided if empty.

- Detail documentation of req extension section selection

- Fixed req CI test case naming nits

- Refer to config(5) for meaning of "variable"

- In code comments, note possibility of fewer extensions after adding
an ignored empty extension while deleting a previous value.

- Mention new "nonss" AKID qualifier in CHANGES

- In x509_config(5) Clarify AKID issuer as fallback (unless ":always")

- In stock config file, comment proxy cert issuer SKID expectation.

- Clarify comment on empty SKID/AKID vs. prior value

- Use B<default> not C<default> for unnamed section

- Polish (mostly CSR) extension handling

* In update_req_extensions() drop extraneous duplicate
X509at_delete_attr() call.
* Consolidate empty SKID/AKID detection in new
ossl_ignored_x509_extension().
* Handle empty SKID/AKID also in X509V3_add1_i2d().
* In test_drop_empty_csr_keyids() exercise the full NCONF extension
management stack, using X509_REQ_get_attr_count() to check that
after "subjectKeyIdentifier = none" not even an empty extension
set remains as a CSR attribute (X509_REQ_get_extensions() always
returns at least an empty stack because NULL signals an error).

Reviewed-by: David von Oheimb <david.vo...@siemens.com>
Reviewed-by: Tim Hudson <t...@openssl.org>
Reviewed-by: Neil Horman <nho...@openssl.org>
MergeDate: Mon Mar 2 17:04:22 2026
(Merged from https://github.com/openssl/openssl/pull/30217)


