Fix re-signing certificates with different key sizes

PR openssl#18129 broke the scenario of signing a certificate (not CSR) with different-sized key. This works in 3.0, so port the fix from 3.0 (which is to only update the issuer for a request). Create two certs (a and ca) then sign a with c (into b): ``` openssl req -x509 -newkey rsa:2048 -keyout a-key.pem -out a-cert.pem -days 365 -nodes -subj /CN=a.example.com openssl req -x509 -newkey rsa:4096 -keyout ${HERE}/ca-key.pem -out ${HERE}/ca-cert.pem -days 3650 -nodes -subj /CN=ca.example.com openssl x509 -in a-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial '1234567890' -preserve_dates -sha256 -out b-cert.pem ``` The above succeeds in 1.1.1n and 3.0, fails in 1.1.1o (which includes openssl#18129)
tmshort · Jul 20, 2022 · 73c66fb · 73c66fb
1 parent 86945b1
commit 73c66fb
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/apps/x509.c b/apps/x509.c
@@ -590,7 +590,7 @@ int x509_main(int argc, char **argv)
         xca = load_cert(CAfile, CAformat, "CA Certificate");
         if (xca == NULL)
             goto end;
-        if (!X509_set_issuer_name(x, X509_get_subject_name(xca)))
+        if (reqfile && !X509_set_issuer_name(x, X509_get_subject_name(xca)))
             goto end;
     }