Commit c7f2651a64 for openssl.org
commit c7f2651a648c9c0babd625cffdb684895db4b193
Author: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Date: Thu Aug 19 20:58:55 2021 +0200
X509V3_set_ctx(): Improve error handling using this function, mostly in apps/
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16998)
diff --git a/apps/req.c b/apps/req.c
index 258e489fb0..144838e295 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -862,6 +862,7 @@ int req_main(int argc, char **argv)
/* Set up V3 context struct */
X509V3_set_ctx(&ext_ctx, CAcert != NULL ? CAcert : new_x509,
new_x509, NULL, NULL, X509V3_CTX_REPLACE);
+
/* prepare fallback for AKID, but only if issuer cert == new_x509 */
if (CAcert == NULL) {
if (!X509V3_set_issuer_pkey(&ext_ctx, issuer_key))
diff --git a/crypto/x509/v3_conf.c b/crypto/x509/v3_conf.c
index 343bdf8931..3fb4f092f3 100644
--- a/crypto/x509/v3_conf.c
+++ b/crypto/x509/v3_conf.c
@@ -454,16 +454,14 @@ void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf)
ctx->db = conf;
}
-void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req,
+void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject, X509_REQ *req,
X509_CRL *crl, int flags)
{
- if (ctx == NULL) {
- ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER);
+ if (ctx == NULL)
return;
- }
ctx->flags = flags;
ctx->issuer_cert = issuer;
- ctx->subject_cert = subj;
+ ctx->subject_cert = subject;
ctx->subject_req = req;
ctx->crl = crl;
ctx->db_meth = NULL;
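Review bot: With the `ERR_raise()` dropped from the `ctx == NULL` branch, a NULL context now returns with nothing on the error queue, and because X509V3_set_ctx() is void the caller gets no signal that the context was never filled in. If the silent no-op is intended, say so next to the check, e.g. `/* NULL ctx is ignored; nothing is initialized and no error is raised */`, and state the same in the man page, whose new RETURN VALUES text only says that no value is returned. Otherwise keep `ERR_raise(ERR_LIB_X509V3, ERR_R_PASSED_NULL_PARAMETER);` before the `return` so a later failure in extension generation can be traced back to this call. The function body continues past the end of this hunk, so any field assignments after `ctx->db_meth` are not visible here.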
diff --git a/doc/man3/X509V3_set_ctx.pod b/doc/man3/X509V3_set_ctx.pod
index 6f9af309f4..629d699a7a 100644
--- a/doc/man3/X509V3_set_ctx.pod
+++ b/doc/man3/X509V3_set_ctx.pod
@@ -19,7 +19,6 @@ X509V3_set_ctx() fills in the basic fields of I<ctx> of type B<X509V3_CTX>,
providing details potentially needed by functions producing X509 v3 extensions.
These may make use of fields of the certificate I<subject>, the certification
request I<req>, or the certificate revocation list I<crl>.
-At most one of these three parameters can be non-NULL.
When constructing the subject key identifier of a certificate by computing a
hash value of its public key, the public key is taken from I<subject> or I<req>.
Similarly, when constructing subject alternative names from any email addresses
@@ -45,6 +44,8 @@ to provide fallback data for the authority key identifier extension.
=head1 RETURN VALUES
+X509V3_set_ctx() does not return a value.
+
X509V3_set_issuer_pkey() returns 1 on success and 0 on error.
=head1 SEE ALSO