Commit ec2bfb7d23 for openssl.org

commit ec2bfb7d23b4790a5fbe3b5d73a3418966d7e8ad
Author: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Date:   Thu Dec 10 15:23:41 2020 +0100

    apps/{req,x509,ca}.c Make sure certs have SKID and AKID X.509 extensions by default

    Fixes #13603

    Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/13658)

diff --git a/CHANGES.md b/CHANGES.md
index 65031b89a5..56017e503b 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -42,9 +42,9 @@ OpenSSL 3.0

    *Otto Hollmann*

- * The -cipher-commands and -digest-commands options of the command line
-   utility list has been deprecated.
-   Instead use the -cipher-algorithms and -digest-algorithms options.
+ * The `-cipher-commands` and `-digest-commands` options
+   of the command line utility `list` have been deprecated.
+   Instead use the `-cipher-algorithms` and `-digest-algorithms` options.

    *Dmitry Belyavskiy*

@@ -80,11 +80,11 @@ OpenSSL 3.0

    *Matt Caswell*

- * The -crypt option to the passwd command line tool has been removed.
+ * The `-crypt` option to the `passwd` command line tool has been removed.

    *Paul Dale*

- * The -C option to the x509, dhparam, dsaparam, and ecparam commands
+ * The -C option to the `x509`, `dhparam`, `dsaparam`, and `ecparam` commands
    were removed.

    *Rich Salz*
@@ -139,8 +139,8 @@ OpenSSL 3.0

    *Richard Levitte*

- * Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() & introduced
-   EVP_PKEY_CTX_set1_rsa_keygen_pubexp(), which is now preferred.
+ * Deprecated `EVP_PKEY_CTX_set_rsa_keygen_pubexp()` and introduced
+   `EVP_PKEY_CTX_set1_rsa_keygen_pubexp()`, which is now preferred.

    *Jeremy Walch*

@@ -156,7 +156,7 @@ OpenSSL 3.0
    implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the
    RAND_DRBG API is a mixture of 'front end' and 'back end' API calls
    and some of its API calls are rather low-level. This holds in particular
-   for the callback mechanism (RAND_DRBG_set_callbacks()).
+   for the callback mechanism (`RAND_DRBG_set_callbacks()`).

    Adding a compatibility layer to continue supporting the RAND_DRBG API as
    a legacy API for a regular deprecation period turned out to come at the
@@ -166,7 +166,7 @@ OpenSSL 3.0

    *Paul Dale and Matthias St. Pierre*

- * Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses
+ * Allow `SSL_set1_host()` and `SSL_add1_host()` to take IP literal addresses
    as well as actual hostnames.

    *David Woodhouse*
@@ -180,7 +180,7 @@ OpenSSL 3.0
    and DTLS.

    SSL_CTX instances that are created for a fixed protocol version (e.g.
-   TLSv1_server_method()) also silently ignore version bounds.  Previously
+   `TLSv1_server_method()`) also silently ignore version bounds.  Previously
    attempts to apply bounds to these protocol versions would result in an
    error.  Now only the "version-flexible" SSL_CTX instances are subject to
    limits in configuration files in command-line options.
@@ -244,14 +244,13 @@ OpenSSL 3.0

    *Tomas Mraz*

- * Dropped interactive mode from the 'openssl' program.  From now on,
-   the `openssl` command without arguments is equivalent to `openssl
-   help`.
+ * Dropped interactive mode from the `openssl` program.  From now on,
+   running it without arguments is equivalent to `openssl help`.

    *Richard Levitte*

- * Renamed EVP_PKEY_cmp() to EVP_PKEY_eq() and
-   EVP_PKEY_cmp_parameters() to EVP_PKEY_parameters_eq().
+ * Renamed `EVP_PKEY_cmp()` to `EVP_PKEY_eq()` and
+   `EVP_PKEY_cmp_parameters()` to `EVP_PKEY_parameters_eq()`.
    While the old function names have been retained for backward compatibility
    they should not be used in new developments
    because their return values are confusing: Unlike other `_cmp()` functions
@@ -259,8 +258,8 @@ OpenSSL 3.0

    *David von Oheimb*

- * Deprecated EC_METHOD_get_field_type(). Applications should switch to
-   EC_GROUP_get_field_type().
+ * Deprecated `EC_METHOD_get_field_type()`. Applications should switch to
+   `EC_GROUP_get_field_type()`.

    *Billy Bob Brumley*

@@ -339,7 +338,7 @@ OpenSSL 3.0
    reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer
    working at the default security level of 1 and instead requires security
    level 0. The security level can be changed either using the cipher string
-   with @SECLEVEL, or calling SSL_CTX_set_security_level().
+   with `@SECLEVEL`, or calling `SSL_CTX_set_security_level()`.

    *Kurt Roeckx*

@@ -396,14 +395,14 @@ OpenSSL 3.0
    *Richard Levitte*

  * Added an implementation of CMP and CRMF (RFC 4210, RFC 4211 RFC 6712).
-   This adds crypto/cmp/, crpyto/crmf/, apps/cmp.c, and test/cmp_*.
+   This adds `crypto/cmp/`, `crpyto/crmf/`, `apps/cmp.c`, and `test/cmp_*`.
    See L<openssl-cmp(1)> and L<OSSL_CMP_exec_IR_ses(3)> as starting points.

    *David von Oheimb, Martin Peylo*

- * Generalized the HTTP client code from crypto/ocsp/ into crpyto/http/.
-   The legacy OCSP-focused and only partly documented API is retained.
-   See L<OSSL_CMP_MSG_http_perform(3)> etc. for details.
+ * Generalized the HTTP client code from `crypto/ocsp/` into `crpyto/http/`.
+   The legacy OCSP-focused and only partly documented API is retained for
+   backward compatibility. See L<OSSL_CMP_MSG_http_perform(3)> etc. for details.

    *David von Oheimb*

@@ -414,9 +413,9 @@ OpenSSL 3.0

    *David von Oheimb*

- * BIO_do_connect and BIO_do_handshake have been extended:
+ * `BIO_do_connect()` and `BIO_do_handshake()` have been extended:
    If domain name resolution yields multiple IP addresses all of them are tried
-   after connect() failures.
+   after `connect()` failures.

    *David von Oheimb*

@@ -461,13 +460,13 @@ OpenSSL 3.0
  * X509 certificates signed using SHA1 are no longer allowed at security
    level 1 and above.
    In TLS/SSL the default security level is 1. It can be set either
-   using the cipher string with @SECLEVEL, or calling
-   SSL_CTX_set_security_level(). If the leaf certificate is signed with SHA-1,
-   a call to SSL_CTX_use_certificate() will fail if the security level is not
+   using the cipher string with `@SECLEVEL`, or calling
+   `SSL_CTX_set_security_level()`. If the leaf certificate is signed with SHA-1,
+   a call to `SSL_CTX_use_certificate()` will fail if the security level is not
    lowered first.
    Outside TLS/SSL, the default security level is -1 (effectively 0). It can
-   be set using X509_VERIFY_PARAM_set_auth_level() or using the -auth_level
-   options of the apps.
+   be set using `X509_VERIFY_PARAM_set_auth_level()` or using the `-auth_level`
+   options of the commands.

    *Kurt Roeckx*

@@ -514,10 +513,11 @@ OpenSSL 3.0
    OSSL_DECODER and OSSL_ENCODER APIs to read and write DH files.

    Finaly functions that assign or obtain DH objects from an EVP_PKEY such as
-   EVP_PKEY_assign_DH(), EVP_PKEY_get0_DH, EVP_PKEY_get1_DH, EVP_PKEY_set1_DH
-   are also deprecated. Applications should instead either read or write an
-   EVP_PKEY directly using the OSSL_DECODER and OSSL_ENCODER APIs. Or load an
-   EVP_PKEY directly from DH data using EVP_PKEY_fromdata().
+   `EVP_PKEY_assign_DH()`, `EVP_PKEY_get0_DH()`, `EVP_PKEY_get1_DH()`, and
+   `EVP_PKEY_set1_DH()` are also deprecated.
+   Applications should instead either read or write an
+   EVP_PKEY directly using the OSSL_DECODER and OSSL_ENCODER APIs.
+   Or load an    EVP_PKEY directly from DH data using `EVP_PKEY_fromdata()`.

    *Paul Dale and Matt Caswell*

@@ -551,7 +551,7 @@ OpenSSL 3.0
    automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC.
    This means that applications don't have to look at the curve NID and
    `EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)` to get SM2 computations.
-   However, they still can, that EVP_PKEY_set_alias_type() call acts as
+   However, they still can, that `EVP_PKEY_set_alias_type()` call acts as
    a no-op when the EVP_PKEY is already of the given type.

    Parameter and key generation is also reworked to make it possible
@@ -882,8 +882,8 @@ OpenSSL 3.0

    *Jon Spillett*

- * Deprecated the public definition of ERR_STATE as well as the function
-   ERR_get_state().  This is done in preparation of making ERR_STATE an
+ * Deprecated the public definition of `ERR_STATE` as well as the function
+   `ERR_get_state()`.  This is done in preparation of making `ERR_STATE` an
    opaque type.

    *Richard Levitte*
@@ -914,7 +914,17 @@ OpenSSL 3.0

    *Richard Levitte*

- * Added several checks to X509_verify_cert() according to requirements in
+ * The `x509`, `req`, and `ca` commands now make sure that certificates they
+   generate are RFC 5280 compliant by default: For X.509 version 3 certs they ensure that
+   a subjectKeyIdentifier extension is included containing a hash value of the public key
+   and an authorityKeyIdentifier extension is included for not self-signed certs
+   containing a keyIdentifier field with the hash value identifying the signing key.
+   This is done unless some configuration overrides the new default behavior,
+   e.g. `authorityKeyIdentifier = none`.
+
+   *David von Oheimb*
+
+ * Added several checks to `X509_verify_cert()` according to requirements in
    RFC 5280 in case `X509_V_FLAG_X509_STRICT` is set
    (which may be done by using the CLI option `-x509_strict`):
    * The basicConstraints of CA certificates must be marked critical.
@@ -933,7 +943,7 @@ OpenSSL 3.0

    *David von Oheimb*

- * Certificate verification using X509_verify_cert() meanwhile rejects EC keys
+ * Certificate verification using `X509_verify_cert()` meanwhile rejects EC keys
    with explicit curve parameters (specifiedCurve) as required by RFC 5480.

    *Tomas Mraz*
@@ -1004,20 +1014,20 @@ OpenSSL 3.0
  * Changed the library initialisation so that the config file is now loaded
    by default. This was already the case for libssl. It now occurs for both
    libcrypto and libssl. Use the OPENSSL_INIT_NO_LOAD_CONFIG option to
-   OPENSSL_init_crypto() to suppress automatic loading of a config file.
+   `OPENSSL_init_crypto()` to suppress automatic loading of a config file.

    *Matt Caswell*

- * Introduced new error raising macros, ERR_raise() and ERR_raise_data(),
-   where the former acts as a replacement for ERR_put_error(), and the
-   latter replaces the combination ERR_put_error()+ERR_add_error_data().
-   ERR_raise_data() adds more flexibility by taking a format string and
+ * Introduced new error raising macros, `ERR_raise()` and `ERR_raise_data()`,
+   where the former acts as a replacement for `ERR_put_error()`, and the
+   latter replaces the combination `ERR_put_error()` + `ERR_add_error_data()`.
+   `ERR_raise_data()` adds more flexibility by taking a format string and
    an arbitrary number of arguments following it, to be processed with
-   BIO_snprintf().
+   `BIO_snprintf()`.

    *Richard Levitte*

- * Introduced a new function, OSSL_PROVIDER_available(), which can be used
+ * Introduced a new function, `OSSL_PROVIDER_available()`, which can be used
    to check if a named provider is loaded and available.  When called, it
    will also activate all fallback providers if such are still present.

@@ -1081,7 +1091,7 @@ OpenSSL 3.0

    *Paul Yang*

- * Use SHA256 as the default digest for TS query in the ts app.
+ * Use SHA256 as the default digest for TS query in the `ts` app.

    *Tomas Mraz*

@@ -1110,13 +1120,6 @@ OpenSSL 3.0

    *Richard Levitte*

- * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
-   This changes the size when using the genpkey app when no size is given. It
-   fixes an omission in earlier changes that changed all RSA, DSA and DH
-   generation apps to use 2048 bits by default.
-
-   *Kurt Roeckx*
-
  * Added command 'openssl kdf' that uses the EVP_KDF API.

    *Shane Lontis*
@@ -1178,7 +1181,7 @@ OpenSSL 3.0
    by registering BIOs as trace channels for a number of tracing and debugging
    categories.

-   The 'openssl' application has been expanded to enable any of the types
+   The `openssl` program has been expanded to enable any of the types
    available via environment variables defined by the user, and serves as
    one possible example on how to use this functionality.

@@ -1629,9 +1632,9 @@ OpenSSL 1.1.1
    *Patrick Steuer*

  * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
-   This changes the size when using the genpkey app when no size is given. It
-   fixes an omission in earlier changes that changed all RSA, DSA and DH
-   generation apps to use 2048 bits by default.
+   This changes the size when using the `genpkey` command when no size is given.
+   It fixes an omission in earlier changes that changed all RSA, DSA and DH
+   generation commands to use 2048 bits by default.

    *Kurt Roeckx*

@@ -1645,7 +1648,7 @@ OpenSSL 1.1.1

    *Matt Caswell*

- * Have apps like 's_client' and 's_server' output the signature scheme
+ * Have commands like `s_client` and `s_server` output the signature scheme
    along with other cipher suite parameters when debugging.

    *Lorinczy Zsigmond*
@@ -1870,7 +1873,7 @@ OpenSSL 1.1.1

    *Matt Caswell*

- * Enforce checking in the pkeyutl command line app to ensure that the input
+ * Enforce checking in the `pkeyutl` command to ensure that the input
    length does not exceed the maximum supported digest length when performing
    a sign, verify or verifyrecover operation.

@@ -2343,9 +2346,9 @@ OpenSSL 1.1.0
 ### Changes between 1.1.0j and 1.1.0k [28 May 2019]

  * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
-   This changes the size when using the genpkey app when no size is given. It
-   fixes an omission in earlier changes that changed all RSA, DSA and DH
-   generation apps to use 2048 bits by default.
+   This changes the size when using the `genpkey` command when no size is given.
+   It fixes an omission in earlier changes that changed all RSA, DSA and DH
+   generation commands to use 2048 bits by default.

    *Kurt Roeckx*

@@ -3136,7 +3139,7 @@ OpenSSL 1.1.0

  * Configuration change; it's now possible to build dynamic engines
    without having to build shared libraries and vice versa.  This
-   only applies to the engines in engines/, those in crypto/engine/
+   only applies to the engines in `engines/`, those in `crypto/engine/`
    will always be built into libcrypto (i.e. "static").

    Building dynamic engines is enabled by default; to disable, use
@@ -4140,9 +4143,9 @@ OpenSSL 1.0.2
 ### Changes between 1.0.2r and 1.0.2s [28 May 2019]

  * Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
-   This changes the size when using the genpkey app when no size is given. It
-   fixes an omission in earlier changes that changed all RSA, DSA and DH
-   generation apps to use 2048 bits by default.
+   This changes the size when using the `genpkey` command when no size is given.
+   It fixes an omission in earlier changes that changed all RSA, DSA and DH
+   generation commands to use 2048 bits by default.

    *Kurt Roeckx*

@@ -4877,10 +4880,10 @@ OpenSSL 1.0.2

    *Andy Polyakov*

- * Change the req app to generate a 2048-bit RSA/DSA key by default,
+ * Change the `req` command to generate a 2048-bit RSA/DSA key by default,
    if no keysize is specified with default_bits. This fixes an
    omission in an earlier change that changed all RSA/DSA key generation
-   apps to use 2048 bits by default.
+   commands to use 2048 bits by default.

    *Emilia Käsper*

@@ -6079,10 +6082,10 @@ OpenSSL 1.0.1

    *Andy Polyakov*

- * Change the req app to generate a 2048-bit RSA/DSA key by default,
+ * Change the req command to generate a 2048-bit RSA/DSA key by default,
    if no keysize is specified with default_bits. This fixes an
    omission in an earlier change that changed all RSA/DSA key generation
-   apps to use 2048 bits by default.
+   commands to use 2048 bits by default.

    *Emilia Käsper*

@@ -7975,7 +7978,7 @@ OpenSSL 1.0.1.]

    *Steve Henson*

- * Add load_crls() function to apps tidying load_certs() too. Add option
+ * Add load_crls() function to commands tidying load_certs() too. Add option
    to verify utility to allow additional CRLs to be included.

    *Steve Henson*
@@ -7990,7 +7993,7 @@ OpenSSL 1.0.1.]

    *Julia Lawall <julia@diku.dk>*

- * Update verify callback code in apps/s_cb.c and apps/verify.c, it
+ * Update verify callback code in `apps/s_cb.c` and `apps/verify.c`, it
    needlessly dereferenced structures, used obsolete functions and
    didn't handle all updated verify codes correctly.

@@ -8420,7 +8423,7 @@ OpenSSL 1.0.1.]
    arranges the ciphersuites in reasonable order before starting
    to process the rule string.  Thus, the definition for "DEFAULT"
    (SSL_DEFAULT_CIPHER_LIST) now is just "ALL:!aNULL:!eNULL", but
-   remains equivalent to "AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH".
+   remains equivalent to `"AES:ALL:!aNULL:!eNULL:+aECDH:+kRSA:+RC4:@STRENGTH"`.
    This makes it much easier to arrive at a reasonable default order
    in applications for which anonymous ciphers are OK (meaning
    that you can't actually use DEFAULT).
@@ -9442,7 +9445,7 @@ OpenSSL 0.9.x
    - fixed x86nasm.pl to create correct asm files for NASM COFF output
    - added AES, WHIRLPOOL and CPUID assembler code to build files
    - added missing AES assembler make rules to mk1mf.pl
-   - fixed order of includes in apps/ocsp.c so that e_os.h settings apply
+   - fixed order of includes in `apps/ocsp.c` so that `e_os.h` settings apply

    *Guenter Knauf <eflash@gmx.net>*

@@ -9951,7 +9954,7 @@ OpenSSL 0.9.8.]
    *Nils Larsch*

  * Use SHA-1 instead of MD5 as the default digest algorithm for
-   the apps/openssl applications.
+   the `apps/openssl` commands.

    *Nils Larsch*

@@ -11734,7 +11737,7 @@ OpenSSL 0.9.7.]

  * Add the configuration target debug-linux-ppro.
    Make 'openssl rsa' use the general key loading routines
-   implemented in apps.c, and make those routines able to
+   implemented in `apps.c`, and make those routines able to
    handle the key format FORMAT_NETSCAPE and the variant
    FORMAT_IISSGC.

@@ -12229,12 +12232,13 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

    *"Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte*

- * Rewrite apps to use NCONF routines instead of the old CONF. New functions
-   to support NCONF routines in extension code. New function CONF_set_nconf()
-   to allow functions which take an NCONF to also handle the old LHASH
-   structure: this means that the old CONF compatible routines can be
-   retained (in particular wrt extensions) without having to duplicate the
-   code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
+ * Rewrite commands to use `NCONF` routines instead of the old `CONF`.
+   New functions to support `NCONF `routines in extension code.
+   New function `CONF_set_nconf()`
+   to allow functions which take an `NCONF` to also handle the old `LHASH`
+   structure: this means that the old `CONF` compatible routines can be
+   retained (in particular w.rt. extensions) without having to duplicate the
+   code. New function `X509V3_add_ext_nconf_sk()` to add extensions to a stack.

    *Steve Henson*

@@ -12739,7 +12743,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

    *Steve Henson*

- * Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
+ * Disable stdin buffering in `load_cert()` (`apps/apps.c`) so that no certs are
    skipped when using openssl x509 multiple times on a single input file,
    e.g. `(openssl x509 -out cert1; openssl x509 -out cert2) <certs`.

@@ -13099,7 +13103,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

    *Steve Henson*

- * Add functionality to apps/openssl.c for detecting locking
+ * Add functionality to `apps/openssl.c` for detecting locking
    problems: As the program is single-threaded, all we have
    to do is register a locking callback using an array for
    storing which locks are currently held by the program.
@@ -13707,7 +13711,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

    *Nils Larsch <nla@trustcenter.de>; problem pointed out by Bodo Moeller*

- * Check various `X509_...()` return values in apps/req.c.
+ * Check various `X509_...()` return values in `apps/req.c`.

    *Nils Larsch <nla@trustcenter.de>*

@@ -15268,7 +15272,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

    *Steve Henson*

- * Bugfixes in apps/x509.c: Avoid a memory leak; and don't use
+ * Bugfixes in `apps/x509.c`: Avoid a memory leak; and don't use
    perror when PEM_read_bio_X509_REQ fails, the error message must
    be obtained from the error queue.

@@ -15833,7 +15837,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

    The syntax for the cipher sorting has been extended to support sorting by
    cipher-strength (using the strength_bits hard coded in the tables).
-   The new command is "@STRENGTH" (see also doc/apps/ciphers.pod).
+   The new command is `@STRENGTH` (see also `doc/apps/ciphers.pod`).

    Fix a bug in the cipher-command parser: when supplying a cipher command
    string with an "undefined" symbol (neither command nor alphanumeric
@@ -16286,7 +16290,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
    because it isn't possible to mix certificates and CRLs in DER format
    without choking one or the other routine. Changed this to just read
    a certificate: this is the best we can do. Also modified the code
-   in apps/verify.c to take notice of return codes: it was previously
+   in `apps/verify.c` to take notice of return codes: it was previously
    attempting to read in certificates from NULL pointers and ignoring
    any errors: this is one reason why the cert and CRL reader seemed
    to work. It doesn't check return codes from the default certificate
@@ -16459,7 +16463,7 @@ s-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

    *Bodo Moeller*

- * New file apps/app_rand.c with commonly needed functionality
+ * New file `apps/app_rand.c` with commonly needed functionality
    for handling the random seed file.

    Use the random seed file in some applications that previously did not:
@@ -17190,7 +17194,7 @@ ndif

    *Steve Henson*

- * Set #! path to perl in apps/der_chop to where we found it
+ * Set #! path to perl in `apps/der_chop` to where we found it
    instead of using a fixed path.

    *Bodo Moeller*
@@ -18065,14 +18069,14 @@ ndif

    *Eric A. Young, (from changes to C2Net SSLeay, integrated by Mark Cox)*

- * Run extensive memory leak checks on SSL apps. Fixed *lots* of memory
-   leaks in ssl/ relating to new X509_get_pubkey() behaviour. Also fixes
-   in apps/ and an unrelated leak in crypto/dsa/dsa_vrf.c
+ * Run extensive memory leak checks on SSL commands. Fixed *lots* of memory
+   leaks in `ssl/` relating to new `X509_get_pubkey()` behaviour. Also fixes
+   in `apps/` and an unrelated leak in `crypto/dsa/dsa_vrf.c`.

    *Steve Henson*

  * Support for RAW extensions where an arbitrary extension can be
-   created by including its DER encoding. See apps/openssl.cnf for
+   created by including its DER encoding. See `apps/openssl.cnf` for
    an example.

    *Steve Henson*
@@ -18331,7 +18335,7 @@ ndif

    *Ben Laurie*

- * Get the gendsa program working (hopefully) and add it to app list. Remove
+ * Get the `gendsa` command working and add it to the `list` command. Remove
    encryption from sample DSA keys (in case anyone is interested the password
    was "1234").

@@ -18350,7 +18354,7 @@ ndif

    *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*

- * Don't blow it for numeric -newkey arguments to apps/req.
+ * Don't blow it for numeric `-newkey` arguments to `apps/req`.

    *Bodo Moeller <3moeller@informatik.uni-hamburg.de>*

@@ -18390,7 +18394,7 @@ ndif

    *Ralf S. Engelschall*

- * Fix the various library and apps files to free up pkeys obtained from
+ * Fix the various library and `apps/` files to free up pkeys obtained from
    X509_PUBKEY_get() et al. Also allow x509.c to handle netscape extensions.

    *Steve Henson*
@@ -18400,7 +18404,7 @@ ndif

    *Steve Henson and Ben Laurie*

- * First cut of a cleanup for apps/. First the `ssleay` program is now named
+ * First cut of a cleanup for `apps/`. First the `ssleay` program is now named
    `openssl` and second, the shortcut symlinks for the `openssl <command>`
    are no longer created. This way we have a single and consistent command
    line interface `openssl <command>`, similar to `cvs <command>`.
@@ -18550,11 +18554,13 @@ ndif
    *Ralf S. Engelschall*

  * Removed dummy files from the 0.9.1b source tree:
+   ```
    crypto/asn1/x crypto/bio/cd crypto/bio/fg crypto/bio/grep crypto/bio/vi
    crypto/bn/asm/......add.c crypto/bn/asm/a.out crypto/dsa/f crypto/md5/f
    crypto/pem/gmon.out crypto/perlasm/f crypto/pkcs7/build crypto/rsa/f
    crypto/sha/asm/f crypto/threads/f ms/zzz ssl/f ssl/f.mak test/f
    util/f.mak util/pl/f util/pl/f.mak crypto/bf/bf_locl.old apps/f
+   ```

    *Ralf S. Engelschall*

diff --git a/apps/ca.c b/apps/ca.c
index 2772072b79..f580d97e2d 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1482,6 +1482,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
     OPENSSL_STRING *irow = NULL;
     OPENSSL_STRING *rrow = NULL;
     char buf[25];
+    X509V3_CTX ext_ctx;

     for (i = 0; i < DB_NUMBER; i++)
         row[i] = NULL;
@@ -1699,8 +1700,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,

     /* Lets add the extensions, if there are any */
     if (ext_sect) {
-        X509V3_CTX ext_ctx;
-
         /* Initialize the context structure */
         X509V3_set_ctx(&ext_ctx, selfsign ? ret : x509,
                        ret, req, NULL, X509V3_CTX_REPLACE);
@@ -1903,7 +1902,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         !EVP_PKEY_missing_parameters(pkey))
         EVP_PKEY_copy_parameters(pktmp, pkey);

-    if (!do_X509_sign(ret, pkey, dgst, sigopts))
+    if (!do_X509_sign(ret, pkey, dgst, sigopts, &ext_ctx))
         goto end;

     /* We now just add it to the database as DB_TYPE_VAL('V') */
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 0a8d6f4060..30dc5d85f7 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -231,7 +231,7 @@ int init_gen_str(EVP_PKEY_CTX **pctx,
                  const char *algname, ENGINE *e, int do_param,
                  OSSL_LIB_CTX *libctx, const char *propq);
 int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
-                 STACK_OF(OPENSSL_STRING) *sigopts);
+                 STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx);
 int do_X509_verify(X509 *x, EVP_PKEY *pkey, STACK_OF(OPENSSL_STRING) *vfyopts);
 int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
                      STACK_OF(OPENSSL_STRING) *sigopts);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 457dac87bc..6ae35bac73 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -1982,12 +1982,41 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
         && do_pkey_ctx_init(pkctx, sigopts);
 }

-/* Ensure RFC 5280 compliance and then sign the certificate info */
+static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx,
+                           const char *name, const char *value, int add_default)
+{
+    const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert);
+    X509_EXTENSION *new_ext = X509V3_EXT_nconf(NULL, ext_ctx, name, value);
+    int idx, rv = 0;
+
+    if (new_ext == NULL)
+        return rv;
+
+    idx = X509v3_get_ext_by_OBJ(exts, X509_EXTENSION_get_object(new_ext), -1);
+    if (idx >= 0) {
+        X509_EXTENSION *found_ext = X509v3_get_ext(exts, idx);
+        ASN1_OCTET_STRING *data = X509_EXTENSION_get_data(found_ext);
+        int disabled = ASN1_STRING_length(data) <= 2; /* config said "none" */
+
+        if (disabled) {
+            X509_delete_ext(cert, idx);
+            X509_EXTENSION_free(found_ext);
+        } /* else keep existing key identifier, which might be outdated */
+        rv = 1;
+    } else  {
+        rv = !add_default || X509_add_ext(cert, new_ext, -1);
+    }
+    X509_EXTENSION_free(new_ext);
+    return rv;
+}
+
+/* Ensure RFC 5280 compliance, adapt keyIDs as needed, and sign the cert info */
 int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md,
-                 STACK_OF(OPENSSL_STRING) *sigopts)
+                 STACK_OF(OPENSSL_STRING) *sigopts, X509V3_CTX *ext_ctx)
 {
     const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert);
     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
+    int self_sign;
     int rv = 0;

     if (sk_X509_EXTENSION_num(exts /* may be NULL */) > 0) {
@@ -1995,6 +2024,21 @@ int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md,
         if (!X509_set_version(cert, 2)) /* Make sure cert is X509 v3 */
             goto end;

+        /*
+         * Add default SKID before such that default AKID can make use of it
+         * in case the certificate is self-signed
+         */
+        /* Prevent X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER */
+        if (!adapt_keyid_ext(cert, ext_ctx, "subjectKeyIdentifier", "hash", 1))
+            goto end;
+        /* Prevent X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER */
+        ERR_set_mark();
+        self_sign = X509_check_private_key(cert, pkey);
+        ERR_pop_to_mark();
+        if (!adapt_keyid_ext(cert, ext_ctx, "authorityKeyIdentifier",
+                             "keyid, issuer", !self_sign))
+            goto end;
+
         /* TODO any further measures for ensuring default RFC 5280 compliance */
     }

diff --git a/apps/req.c b/apps/req.c
index acd0cd09cb..5a065ad843 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -796,7 +796,7 @@ int req_main(int argc, char **argv)
                 }
             }

-            i = do_X509_sign(x509ss, pkey, digest, sigopts);
+            i = do_X509_sign(x509ss, pkey, digest, sigopts, &ext_ctx);
             if (!i) {
                 ERR_print_errors(bio_err);
                 goto end;
diff --git a/apps/x509.c b/apps/x509.c
index c8fcb7a7ae..34d654c8f2 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1067,6 +1067,8 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer,
                 const EVP_MD *digest, CONF *conf, const char *section,
                 int preserve_dates)
 {
+    X509V3_CTX ext_ctx;
+
     if (!X509_set_issuer_name(x, X509_get_subject_name(issuer)))
         return 0;

@@ -1077,10 +1079,8 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer,
         while (X509_get_ext_count(x) > 0)
             X509_delete_ext(x, 0);
     }
+    X509V3_set_ctx(&ext_ctx, issuer, x, NULL, NULL, X509V3_CTX_REPLACE);
     if (conf != NULL) {
-        X509V3_CTX ext_ctx;
-
-        X509V3_set_ctx(&ext_ctx, issuer, x, NULL, NULL, X509V3_CTX_REPLACE);
         X509V3_set_nconf(&ext_ctx, conf);
         if (!X509V3_EXT_add_nconf(conf, &ext_ctx, section, x)) {
             BIO_printf(bio_err,
@@ -1088,7 +1088,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, X509 *issuer,
             return 0;
         }
     }
-    return do_X509_sign(x, pkey, digest, sigopts);
+    return do_X509_sign(x, pkey, digest, sigopts, &ext_ctx);
 }

 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
diff --git a/crypto/x509/v3_akey.c b/crypto/x509/v3_akey.c
index 96e415aeb1..2e90d495c5 100644
--- a/crypto/x509/v3_akey.c
+++ b/crypto/x509/v3_akey.c
@@ -78,7 +78,7 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
                                             STACK_OF(CONF_VALUE) *values)
 {
     char keyid = 0, issuer = 0;
-    int i;
+    int i, n = sk_CONF_VALUE_num(values);
     CONF_VALUE *cnf;
     ASN1_OCTET_STRING *ikeyid = NULL;
     X509_NAME *isname = NULL;
@@ -92,7 +92,11 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
     if (akeyid == NULL)
         goto err;

-    for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
+    if (n == 1 && strcmp(sk_CONF_VALUE_value(values, 0)->name, "none") == 0) {
+        return akeyid;
+    }
+
+    for (i = 0; i < n; i++) {
         cnf = sk_CONF_VALUE_value(values, i);
         if (strcmp(cnf->name, "keyid") == 0) {
             keyid = 1;
@@ -115,14 +119,15 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
         ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_ISSUER_CERTIFICATE);
         goto err;
     }
-
     cert = ctx->issuer_cert;

     if (keyid) {
         i = X509_get_ext_by_NID(cert, NID_subject_key_identifier, -1);
         if ((i >= 0) && (ext = X509_get_ext(cert, i)))
             ikeyid = X509V3_EXT_d2i(ext);
-        if ((keyid == 2 || issuer == 0) && ikeyid == NULL) {
+        if ((keyid == 2 || issuer == 0)
+            && (ikeyid == NULL
+                || ASN1_STRING_length(ikeyid) <= 2)  /* indicating "none" */ ) {
             ERR_raise(ERR_LIB_X509V3, X509V3_R_UNABLE_TO_GET_ISSUER_KEYID);
             goto err;
         }
diff --git a/crypto/x509/v3_skey.c b/crypto/x509/v3_skey.c
index b4b1616688..6122596081 100644
--- a/crypto/x509/v3_skey.c
+++ b/crypto/x509/v3_skey.c
@@ -62,7 +62,10 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
     unsigned char pkey_dig[EVP_MAX_MD_SIZE];
     unsigned int diglen;

-    if (strcmp(str, "hash"))
+    if (strcmp(str, "none") == 0)
+        return ASN1_OCTET_STRING_new(); /* dummy */
+
+    if (strcmp(str, "hash") != 0)
         return s2i_ASN1_OCTET_STRING(method, ctx, str);

     if ((oct = ASN1_OCTET_STRING_new()) == NULL) {
@@ -78,11 +81,9 @@ static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method,
         goto err;
     }

-    if (ctx->subject_req)
-        pubkey = ctx->subject_req->req_info.pubkey;
-    else
-        pubkey = ctx->subject_cert->cert_info.key;
-
+    pubkey = ctx->subject_req != NULL ?
+        ctx->subject_req->req_info.pubkey :
+        ctx->subject_cert->cert_info.key;
     if (pubkey == NULL) {
         ERR_raise(ERR_LIB_X509V3, X509V3_R_NO_PUBLIC_KEY);
         goto err;
diff --git a/doc/man5/x509v3_config.pod b/doc/man5/x509v3_config.pod
index cf08f78695..b2ee41b853 100644
--- a/doc/man5/x509v3_config.pod
+++ b/doc/man5/x509v3_config.pod
@@ -168,9 +168,10 @@ Examples:

 =head2 Subject Key Identifier

-This SKID extension is a string with one of two legal values.
-If it is the word B<hash>, then OpenSSL will follow
-the process specified in RFC 5280 section 4.2.1.2. (1):
+The SKID extension specification has a value with three choices.
+If the value is the word B<none>, then no SKID extension will be included.
+If the value is the word B<hash>, or by default for the B<x509>, B<req>, and
+B<ca> apps, the process specified in RFC 5280 section 4.2.1.2. (1) is followed:
 The keyIdentifier is composed of the 160-bit SHA-1 hash of the value of the BIT
 STRING subjectPublicKey (excluding the tag, length, and number of unused bits).

@@ -183,10 +184,14 @@ Example:

 =head2 Authority Key Identifier

-The AKID extension specification may have the value B<keyid> or B<issuer>
+The AKID extension specification may have the value B<none>
+indicating that no AKID shall be included.
+Otherwise it may have the value B<keyid> or B<issuer>
 or both of them, separated by C<,>.
 Either or both can have the option B<always>,
-indicated by putting a colon C<:> between the value and this opton.
+indicated by putting a colon C<:> between the value and this option.
+By default the B<x509>, B<req>, and B<ca> apps behave as if
+"none" was given for self-signed certificates and "keyid, issuer" otherwise.

 If B<keyid> is present, an attempt is made to copy the subject key identifier
 (SKID) from the issuer certificate, which is the default behavior.