X509_STORE_CTX_print_verify_cb(): add AKID and SKID output for (non-)trusted certs
authorDr. David von Oheimb <David.von.Oheimb@siemens.com>
Thu, 3 Sep 2020 21:04:48 +0000 (23:04 +0200)
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>
Sat, 5 Sep 2020 18:11:43 +0000 (20:11 +0200)
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12787)

crypto/x509/t_x509.c
crypto/x509/v3_prn.c
include/openssl/x509.h

index 199f88857b8a51a2cc5906d15fcc552684187051..f0240f12c39b808c622160083dd6261b8bd421cd 100644 (file)
@@ -200,9 +200,10 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
         }
     }
 
-    if (!(cflag & X509_FLAG_NO_EXTENSIONS))
-        X509V3_extensions_print(bp, "X509v3 extensions",
-                                X509_get0_extensions(x), cflag, 8);
+    if (!(cflag & X509_FLAG_NO_EXTENSIONS)
+        && !X509V3_extensions_print(bp, "X509v3 extensions",
+                                    X509_get0_extensions(x), cflag, 8))
+        goto err;
 
     if (!(cflag & X509_FLAG_NO_SIGDUMP)) {
         const X509_ALGOR *sig_alg;
@@ -415,7 +416,8 @@ int x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags)
     if (X509_cmp_current_time(X509_get0_notAfter(cert)) < 0)
         if (BIO_printf(bio, "        no more valid\n") <= 0)
             return 0;
-    return X509_print_ex(bio, cert, flags, ~(neg_cflags));
+    return X509_print_ex(bio, cert, flags,
+                         ~neg_cflags & ~X509_FLAG_EXTENSIONS_ONLY_KID);
 }
 
 static int print_certs(BIO *bio, const STACK_OF(X509) *certs)
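Review bot: The extra mask on the new return lines of x509_print_ex_brief is not explained, and it is easy to misread: `~neg_cflags` sets every bit, and since X509_FLAG_EXTENSIONS_ONLY_KID is (unlike the X509_FLAG_NO_* flags it shares the bit range with) a positive-sense flag, it would otherwise be passed to X509_print_ex as "on". A comment on the line before the call would save the next reader from working that out, e.g. `/* ~neg_cflags sets all X509_FLAG_NO_* bits; X509_FLAG_EXTENSIONS_ONLY_KID is not a suppression flag, so clear it */`. Any future positive-sense flag added to that bit range will presumably need the same treatment, which the comment could mention. x509_print_ex_brief begins outside the hunk.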
@@ -427,8 +429,15 @@ static int print_certs(BIO *bio, const STACK_OF(X509) *certs)
 
     for (i = 0; i < sk_X509_num(certs); i++) {
         X509 *cert = sk_X509_value(certs, i);
-        if (cert != NULL && !x509_print_ex_brief(bio, cert, 0))
-            return 0;
+
+        if (cert != NULL) {
+            if (!x509_print_ex_brief(bio, cert, 0))
+                return 0;
+            if (!X509V3_extensions_print(bio, NULL,
+                                         X509_get0_extensions(cert),
+                                         X509_FLAG_EXTENSIONS_ONLY_KID, 8))
+                return 0;
+            }
     }
     return 1;
 }
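Review bot: The closing brace after the second `return 0;` is indented one level deeper than the `if (cert != NULL) {` it closes, so it reads as if the loop body continued; it should sit at the same column as that `if`. The loop also gives no hint why the key identifiers are printed in a separate call right after the brief print; as far as one can tell from the previous hunk, the brief print suppresses all extensions via the all-ones flag mask, so a one-line comment such as `/* brief print suppresses extensions; show just AKID/SKID to aid chain debugging */` above the second call would help. print_certs opens before this hunk.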
index aa902204f0f29feba53c6f5c36f411c8446f64a7..4b2ad2685b74f34ef55bca85da2842c389259d20 100644 (file)
@@ -156,10 +156,15 @@ int X509V3_extensions_print(BIO *bp, const char *title,
     for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
         ASN1_OBJECT *obj;
         X509_EXTENSION *ex;
+
         ex = sk_X509_EXTENSION_value(exts, i);
+        obj = X509_EXTENSION_get_object(ex);
+        if ((flag & X509_FLAG_EXTENSIONS_ONLY_KID) != 0
+                && OBJ_obj2nid(obj) != NID_subject_key_identifier
+                && OBJ_obj2nid(obj) != NID_authority_key_identifier)
+            continue;
         if (indent && BIO_printf(bp, "%*s", indent, "") <= 0)
             return 0;
-        obj = X509_EXTENSION_get_object(ex);
         i2a_ASN1_OBJECT(bp, obj);
         j = X509_EXTENSION_get_critical(ex);
         if (BIO_printf(bp, ": %s\n", j ? "critical" : "") <= 0)
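Review bot: `OBJ_obj2nid(obj)` is evaluated twice in the new filter condition; computing it once is clearer and avoids the repeated lookup: `int nid = OBJ_obj2nid(obj);` followed by `if ((flag & X509_FLAG_EXTENSIONS_ONLY_KID) != 0 && nid != NID_subject_key_identifier && nid != NID_authority_key_identifier) continue;`. One further point worth documenting rather than changing: if a non-NULL `title` is printed before this loop (that part of the function is outside the hunk), the filter can leave a title with nothing listed under it when the certificate carries neither identifier; the caller added in this commit passes NULL, but the function's header comment should state that X509_FLAG_EXTENSIONS_ONLY_KID restricts output to AKID/SKID and may print nothing. X509V3_extensions_print begins outside the hunk.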
index d243fda94c409c3d4840a557e443709f93b6ff87..bbe2d62cf9b1553e9d1f6e4bcda1d71a9c178da0 100644 (file)
@@ -159,6 +159,7 @@ DEFINE_OR_DECLARE_STACK_OF(X509_TRUST)
 # define X509_FLAG_NO_AUX                (1L << 10)
 # define X509_FLAG_NO_ATTRIBUTES         (1L << 11)
 # define X509_FLAG_NO_IDS                (1L << 12)
+# define X509_FLAG_EXTENSIONS_ONLY_KID   (1L << 13)
 
 /* Flags specific to X509_NAME_print_ex() */