Commit 7b9f20d94f for openssl.org

commit 7b9f20d94fbd7a870e406509ef4bd93d005dc1c7
Author: Daniel Kubec <kubec@openssl.org>
Date:   Thu Jan 22 14:54:10 2026 +0100

    ASN1: Fix type handling in AKID serial number conversion

    The Authority Key Identifier's serial number field is an ASN1 integer, so use
    the appropriate i2s_ASN1_INTEGER function instead of i2s_ASN1_OCTET_STRING
    for string conversion. This fixes handling of negative serial numbers
    which were previously displayed incorrectly.

    While negative serial numbers are not RFC-compliant, we want to process
    existing CRLs and certificates that may contain them, as this does not cause
    any security issues. Rejecting invalid serial numbers during
    generation is out of scope for this change.

    Fixes #27406

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    MergeDate: Mon Jan 26 15:29:33 2026
    (Merged from https://github.com/openssl/openssl/pull/29717)

diff --git a/crypto/x509/v3_akid.c b/crypto/x509/v3_akid.c
index 08c751b77c..c6696577ee 100644
--- a/crypto/x509/v3_akid.c
+++ b/crypto/x509/v3_akid.c
@@ -66,7 +66,8 @@ static STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
         extlist = tmpextlist;
     }
     if (akeyid->serial) {
-        tmp = i2s_ASN1_OCTET_STRING(NULL, akeyid->serial);
+        tmp = i2s_ASN1_INTEGER(NULL, akeyid->serial);
+
         if (tmp == NULL) {
             ERR_raise(ERR_LIB_X509V3, ERR_R_ASN1_LIB);
             goto err;