[gnutls-devel] GnuTLS | honor_crq_extensions breaks certificate generation if trying to use a CSR that includes a Subject_Key_Identifier (#1550)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Thu May 16 15:23:17 CEST 2024
Andreas Pousette created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1550
## Description of problem:
In certtool, if using the option `honor_crq_extensions` when generating/signing a certificate from a CSR containing a `Subject_Key_Identifier`, certtool fails. The error stated is: `set_subject_key_id: The request is invalid`. If not using `honor_crq_extensions` the certificate can be created from the CSR, but then the other crq extensions are not carried over either. Note that a new `Subject_Key_Identifier` is created in this case.
## Version of gnutls used:
3.6.16-8.el8_9.3.x86_64
## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
Rocky (RHEL)
## How reproducible:
Steps to Reproduce:
* one: Create a CSR containing a Subject_Key_Identifier
* two: Try to create a certificate from that CSR using certtool and using the option honor_crq_extensions
## Actual results:
Certtool fails with an error. The error stated is: set_subject_key_id: The request is invalid
## Expected results:
A certificate is created from the CSR containing the CRQ extensions. Regarding the `Subject_Key_Identifier` there are probably two ways to handle this, either overwrite the existing `Subject_Key_Identifier` or respect the one from the CSR. What is the best option I leave up to you.
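A pre-signing check for the condition described in this report, as an added example that is not part of the original message or of GnuTLS: it walks a DER-encoded PKCS#10 request with the Python standard library and lists the extension OIDs it requests, so a CSR carrying `Subject_Key_Identifier` (2.5.29.14) can be spotted before it is signed with `honor_crq_extensions`. The function names and the sample bytes are assumptions made for this example; the sample is constructed and is not a validly signed CSR.

```python
# Added example (not GnuTLS code); all names below are hypothetical helpers.
EXT_REQ_OID = "1.2.840.113549.1.9.14"   # PKCS#9 extensionRequest attribute
SKI_OID = "2.5.29.14"                   # id-ce-subjectKeyIdentifier

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(body):                   # DER OID content bytes -> dotted string
    first = min(body[0] // 40, 2)
    arcs, n = [first, body[0] - 40 * first], 0
    for byte in body[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:             # last byte of this arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def requested_extensions(csr_der):
    """Return the extnID OIDs inside the CSR's extensionRequest attribute."""
    info = children(children(csr_der)[0][1])[0][1]   # CertificationRequestInfo
    oids = []
    for attrs in (v for t, v in children(info) if t == 0xA0):  # [0] attributes
        for _, attr in children(attrs):
            (_, oid), (_, values) = children(attr)[:2]
            if decode_oid(oid) == EXT_REQ_OID:
                for _, exts in children(values):     # SET holding one Extensions
                    oids += [decode_oid(children(e)[0][1]) for _, e in children(exts)]
    return oids

# Constructed bytes shaped like a CSR: empty subject, placeholder key and signature.
SAMPLE_CSR = bytes.fromhex(
    "303d 3036 020100 3000 3000 a02d 302b 06092a864886f70d01090e 311e 301c "
    "300d 0603551d0e 0406 0404 01020304 300b 0603551d0f 0404 030205a0 3000 030100")
print(SKI_OID in requested_extensions(SAMPLE_CSR))
```

A PEM-encoded request has to be base64-decoded to DER before it is passed to `requested_extensions`.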