Branch: refs/heads/OpenSSL_1_1_1-stable Home: https://github.openssl.org/openssl/openssl Commit: 952fab01bebb15a8408c6ac27b59c28c979f7d49 https://github.openssl.org/openssl/openssl/commit/952fab01bebb15a8408c6ac27b59c28c979f7d49 Author: Todd Short <tsh...@akamai.com> Date: 2022-07-22 (Fri, 22 Jul 2022)
Changed paths: M apps/x509.c M test/recipes/25-test_x509.t Log Message: ----------- Fix re-signing certificates with different key sizes PR #18129 broke the scenario of signing a certificate (not CSR) with different-sized key. This works in 3.0, so port the fix from 3.0 (which is to only update the issuer for a request). Partially undo #18129, but keep setting the issuer only for a CSR Create two certs (a and ca) then sign a with c (into b): ``` openssl req -x509 -newkey rsa:2048 -keyout a-key.pem -out a-cert.pem -days 365 -nodes -subj /CN=a.example.com openssl req -x509 -newkey rsa:4096 -keyout ${HERE}/ca-key.pem -out ${HERE}/ca-cert.pem -days 3650 -nodes -subj /CN=ca.example.com openssl x509 -in a-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial '1234567890' -preserve_dates -sha256 -out b-cert.pem ``` The above succeeds in 1.1.1n and 3.0, fails in 1.1.1o (which includes #18129) The issue in #16080 is also fixed. Reviewed-by: Matt Caswell <m...@openssl.org> Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Ben Kaduk <ka...@mit.edu> (Merged from https://github.com/openssl/openssl/pull/18836)