Clear the extension list when removing the last extension#28398
Closed
davidben wants to merge 2 commits intoopenssl:masterfrom
Closed
Clear the extension list when removing the last extension#28398davidben wants to merge 2 commits intoopenssl:masterfrom
davidben wants to merge 2 commits intoopenssl:masterfrom
Conversation
paulidale
previously approved these changes
Aug 31, 2025
Contributor
paulidale
left a comment
paulidale
left a comment
There was a problem hiding this comment.
Just some formatting nits. Approved once these are addressed.
Is it worthwhile factoring the repeated code into a function?
Or even defining a new delete function that does the additional work?
paulidale
added
branch: master
Contributor
|
Happy for this to be back–ported to any relevant branches too. |
The extensions list in a certificate, CRL, and CRL entry is defined as:
... extensions [3] EXPLICIT Extensions OPTIONAL ...
... crlEntryExtensions Extensions OPTIONAL ...
... crlExtensions [0] EXPLICIT Extensions OPTIONAL ...
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
This means that a present but empty extensions list is actually invalid.
Rather, if you have no extensions to encode, you are meant to omit the
list altogether. Fix the delete_ext functions to handle this correctly.
This would mostly be moot, as an application adding extensions only to
delete them all would be unusual. However, openssl#13658 implemented a slightly
roundabout design where, to omit SKID/AKID, the library first puts them
in and then the command-line tool detects some placeholder values and
deletes the extension again.
Fixes openssl#28397
paulidale
previously approved these changes
Aug 31, 2025
Contributor
Author
|
(Alright, hopefully that version works? Embarrassing type errors. 😳 In my defense, it looks like the default macOS build doesn't check them, which is a little odd.)
Ah sure, done.
You mean whether to export the helper publicly? I figure that can probably be left to when/if someone needs it, but no strong feelings either way. 🤷 |
paulidale
approved these changes
Aug 31, 2025
t-j-h
approved these changes
Aug 31, 2025
Member
t-j-h
left a comment
t-j-h
left a comment
There was a problem hiding this comment.
Nice fix. Thanks.
Ok for backfit.
t-j-h
added
approval: done
mattcaswell
approved these changes
Sep 1, 2025
t8m
added
branch: 3.0
t8m
approved these changes
Sep 1, 2025
openssl-machine
added
approval: ready to merge
openssl-machine
pushed a commit
that referenced
this pull request
Sep 9, 2025
The extensions list in a certificate, CRL, and CRL entry is defined as:
... extensions [3] EXPLICIT Extensions OPTIONAL ...
... crlEntryExtensions Extensions OPTIONAL ...
... crlExtensions [0] EXPLICIT Extensions OPTIONAL ...
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
This means that a present but empty extensions list is actually invalid.
Rather, if you have no extensions to encode, you are meant to omit the
list altogether. Fix the delete_ext functions to handle this correctly.
This would mostly be moot, as an application adding extensions only to
delete them all would be unusual. However, #13658 implemented a slightly
roundabout design where, to omit SKID/AKID, the library first puts them
in and then the command-line tool detects some placeholder values and
deletes the extension again.
Fixes #28397
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #28398)
(cherry picked from commit 9a8d7dc)
openssl-machine
pushed a commit
that referenced
this pull request
Sep 9, 2025
Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #28398) (cherry picked from commit 9e8898b)
Member
|
Merged to all the active branches. Thank you for your contribution. |
openssl-machine
pushed a commit
that referenced
this pull request
Sep 9, 2025
The extensions list in a certificate, CRL, and CRL entry is defined as:
... extensions [3] EXPLICIT Extensions OPTIONAL ...
... crlEntryExtensions Extensions OPTIONAL ...
... crlExtensions [0] EXPLICIT Extensions OPTIONAL ...
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
This means that a present but empty extensions list is actually invalid.
Rather, if you have no extensions to encode, you are meant to omit the
list altogether. Fix the delete_ext functions to handle this correctly.
This would mostly be moot, as an application adding extensions only to
delete them all would be unusual. However, #13658 implemented a slightly
roundabout design where, to omit SKID/AKID, the library first puts them
in and then the command-line tool detects some placeholder values and
deletes the extension again.
Fixes #28397
Reviewed-by: Paul Dale <[email protected]>
Reviewed-by: Tim Hudson <[email protected]>
Reviewed-by: Matt Caswell <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #28398)
(cherry picked from commit 9a8d7dc)
openssl-machine
pushed a commit
that referenced
this pull request
Sep 9, 2025
Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Matt Caswell <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #28398) (cherry picked from commit 9e8898b)
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 11, 2025
CHANGES.md: * openssl#28398 * openssl#28411 * openssl#28447 * openssl#28449 NEWS.md: * openssl#28447 Release: yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 11, 2025
CHANGES.md: * openssl#28398 * openssl#28411 * openssl#28447 * openssl#28449 NEWS.md: * openssl#28447 Release: yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 11, 2025
CHANGES.md: * openssl#28398 * openssl#28411 * openssl#28447 * openssl#28449 NEWS.md: * openssl#28447 Release: yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
openssl-machine
pushed a commit
that referenced
this pull request
Sep 13, 2025
CHANGES.md: * #28398 * #28411 * #28447 * #28449 NEWS.md: * #28447 Release: yes Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #28521)
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 15, 2025
CHANGES.md: * openssl#28398 * openssl#28411 * openssl#28447 * openssl#28449 NEWS.md: * openssl#28447 Release: yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 15, 2025
CHANGES.md: * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28447 * openssl#28449 NEWS.md: * openssl#28447 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 16, 2025
CHANGES.md: * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28447 * openssl#28449 NEWS.md: * openssl#28447 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
openssl-machine
pushed a commit
that referenced
this pull request
Sep 16, 2025
CHANGES.md: * #28198 * #28398 * #28411 * #28447 * #28449 NEWS.md: * #28447 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from #28558)
openssl-machine
pushed a commit
that referenced
this pull request
Sep 16, 2025
CHANGES.md: * #28398 * #28411 * #28447 * #28449 NEWS.md: * #28447 Release: yes Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #28547)
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.0.18 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28624 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.2.6 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.2.6 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.3.5 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.3.5 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.4.3 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28415 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.4.3 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.3.5 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.3.5 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.4.3 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28415 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.4.3 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.2.6 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28603 * openssl#28624 * openssl#28642 3.2.6 NEWS.md do not have any updates. Updated the changes and news in the previous branches. Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
esyr
added a commit
to esyr/openssl
that referenced
this pull request
Sep 30, 2025
3.0.18 CHANGES.md includes the following: * openssl#28098 * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28449 * openssl#28504 * openssl#28535 * openssl#28591 * openssl#28624 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
openssl-machine
pushed a commit
that referenced
this pull request
Sep 30, 2025
3.4.3 CHANGES.md includes the following: * #28198 * #28398 * #28411 * #28415 * #28449 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tomas Mraz <[email protected]>
openssl-machine
pushed a commit
that referenced
this pull request
Sep 30, 2025
3.3.5 CHANGES.md includes the following: * #28198 * #28398 * #28411 * #28449 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tomas Mraz <[email protected]>
openssl-machine
pushed a commit
that referenced
this pull request
Sep 30, 2025
3.2.6 CHANGES.md includes the following: * #28198 * #28398 * #28411 * #28449 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tomas Mraz <[email protected]>
openssl-machine
pushed a commit
that referenced
this pull request
Sep 30, 2025
3.0.18 CHANGES.md includes the following: * #28198 * #28398 * #28411 * #28449 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tomas Mraz <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The extensions list in a certificate, CRL, and CRL entry is defined as:
This means that a present but empty extensions list is actually invalid. Rather, if you have no extensions to encode, you are meant to omit the list altogether. Fix the delete_ext functions to handle this correctly.
This would mostly be moot, as an application adding extensions only to delete them all would be unusual. However, #13658 implemented a slightly roundabout design where, to omit SKID/AKID, the library first puts them in and then the command-line tool detects some placeholder values and deletes the extensino again.
Fixes #28397
Checklist