1518073 – ExternalCA : Failure with empty skid

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1518073 - ExternalCA : Failure with empty skid

Summary: ExternalCA : Failure with empty skid

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	8.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	RHCS Maintainers
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-11-28 07:23 UTC by Geetika Kapoor
Modified:	2021-01-06 20:26 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-01-06 20:26:25 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	dogtagpki pki issues 2985	0	None	open	ExternalCA : Failure with empty skid	2021-01-15 18:24:04 UTC

Description Geetika Kapoor 2017-11-28 07:23:38 UTC

Description of problem:

External CA when installed with skid which has empty value failed during installation with no appropriate reason or failure.

Version-Release number of selected component (if applicable):

pki-ca-10.5.1-1.el7.noarch
How reproducible:

always

Steps to Reproduce:
Setup:
1. Install nssdb as rootCA. Sice rootca has SKID == AKI so we used same value at both places.

rootca_skid = "0xf738a050e0ff8e1078c8fd7ac75ff0a2ba397072" ):
        ocsp = "http://localhost:8080/ca/ocsp"
        cmd = 'echo -e "y\n\ny\ny\n%s\n\n\n\n%s\n\n2\n7\n%s\n\n\n\n" | \
 certutil -S \
 -x \
 -d /opt/pkitest/certdb \
 -f password.txt \
 -z noise.bin \
 -n "RootCA" \
 -s "CN=Root CA Signing Certificate,O=ROOT" \
 -t "CT,C,C" \
 -m $RANDOM\
 -k rsa \
 -g 2048 \
 -Z SHA256 \
 -2 \
 -3 \
 --extAIA \
 --extSKID \
 --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation' %(rootca_skid, rootca_skid, ocsp)

2. Install ExternalCA into it.Make sure skid for ExternalCA is empty.


ca_skid = '', rootca_skid = "0xf738a050e0ff8e1078c8fd7ac75ff0a2ba397072"
        ocsp = "http://localhost:8080/ca/ocsp"
        cmd = 'echo -e "y\n\ny\ny\n%s\n\n\n\n%s\n\n2\n7\n%s\n\n\n\n" | \
 certutil -C \
 -d /opt/pkitest/certdb \
 -f password.txt \
 -m $RANDOM \
 -a \
 -i /tmp/test_dir/ca_signing.csr \
 -o /tmp/test_dir/ca_signing.crt \
 -c "RootCA" \
 -2 \
 -3 \
 --extAIA \
 --extSKID \
 --keyUsage critical,certSigning,crlSigning,digitalSignature,nonRepudiation' %(rootca_skid, ca_skid, ocsp)


Actual results:

Failed installation.

Expected results:

Getting right reason for failure from user perspective.

Additional info:

1. Installation failed with exception:

[28/Nov/2017:12:38:46][http-bio-8443-exec-3]: CertInfoProfile: Unable to populate certificate: Unable to get ca certificate: java.io.IOException: short read on DerValue buffer
Unable to get ca certificate: java.io.IOException: short read on DerValue buffer
	at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
	at com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
	at com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:539)
	at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2766)
	at com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2590)
	at org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:476)
	at org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
	at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:166)
	at org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
	at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
	at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
	at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
	at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
	at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: short read on DerValue buffer
	at com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1618)
	at com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:315)
	... 70 more
Caused by: java.security.cert.CertificateParsingException: java.io.IOException: short read on DerValue buffer
	at netscape.security.x509.X509CertInfo.<init>(X509CertInfo.java:175)
	at netscape.security.x509.X509CertImpl.parse(X509CertImpl.java:1153)
	at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:183)
	at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:160)
	at com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1610)
	... 71 more
Caused by: java.io.IOException: short read on DerValue buffer
	at netscape.security.util.DerValue.getOctetString(DerValue.java:386)
	at netscape.security.x509.KeyIdentifier.<init>(KeyIdentifier.java:54)
	at netscape.security.x509.SubjectKeyIdentifierExtension.<init>(SubjectKeyIdentifierExtension.java:123)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
	at netscape.security.x509.CertificateExtensions.parseExtension(CertificateExtensions.java:86)
	at netscape.security.x509.CertificateExtensions.<init>(CertificateExtensions.java:128)
	at netscape.security.x509.X509CertInfo.parse(X509CertInfo.java:751)
	at netscape.security.x509.X509CertInfo.<init>(X509CertInfo.java:173)
	... 75 more
[28/Nov/2017:12:38:46][http-bio-8443-exec-3]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED


Test case 2: When path for certificate(pki_ca_signing_cert_path) is incorrectly mentioned , Installation failed with :

[24/Nov/2017:15:39:09][http-bio-8443-exec-3]: CertInfoProfile: Unable
to populate certificate: Unable to get ca certificate: Unable to
initialize, java.io.IOException: DerInput.getLength(): lengthTag=9,
too big.
Unable to get ca certificate: Unable to initialize,
java.io.IOException: DerInput.getLength(): lengthTag=9, too big.
    at
com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:323)
    at
com.netscape.certsrv.profile.CertInfoProfile.populate(CertInfoProfile.java:100)
    at
com.netscape.cms.servlet.csadmin.CertUtil.createLocalCert(CertUtil.java:539)
    at
com.netscape.cms.servlet.csadmin.ConfigurationUtils.configLocalCert(ConfigurationUtils.java:2766)
    at
com.netscape.cms.servlet.csadmin.ConfigurationUtils.configCert(ConfigurationUtils.java:2590)
    at
org.dogtagpki.server.rest.SystemConfigService.processCert(SystemConfigService.java:476)
    at
org.dogtagpki.server.rest.SystemConfigService.processCerts(SystemConfigService.java:303)
    at
org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:166)
    at
org.dogtagpki.server.rest.SystemConfigService.configure(SystemConfigService.java:101)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
    at
org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
    at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
    at
org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
    at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
    at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
    at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
    at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
    at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
    at
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
    at
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
    at
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
    at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
    at
org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
    at
org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
    at java.security.AccessController.doPrivileged(Native Method)
    at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
    at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
    at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
    at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
    at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
    at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
    at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1087)
    at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
    at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
    at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Caused by: Unable to initialize, java.io.IOException:
DerInput.getLength(): lengthTag=9, too big.
    at
com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1618)
    at
com.netscape.cms.profile.def.ValidityDefault.populate(ValidityDefault.java:315)
    ... 70 more
Caused by: java.security.cert.CertificateException: Unable to
initialize, java.io.IOException: DerInput.getLength(): lengthTag=9,
too big.
    at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:186)
    at netscape.security.x509.X509CertImpl.<init>(X509CertImpl.java:160)
    at
com.netscape.ca.CertificateAuthority.getCACert(CertificateAuthority.java:1610)
    ... 71 more
[24/Nov/2017:15:39:09][http-bio-8443-exec-3]: SignedAuditLogger: event
ACCESS_SESSION_TERMINATED

Comment 2 Matthew Harmsen 2017-11-30 21:59:31 UTC

During the PKI Team Meeting of 20171130, it was determined that this issue would be move to RHEL 7.6.

Comment 3 Matthew Harmsen 2018-07-04 00:31:42 UTC

Moved to RHEL 7.7.

Comment 4 Christina Fu 2020-02-09 18:49:44 UTC

Hi Geetika,
Could you please explain what's the purpose of adding an empty SKI to a CA cert request?  Thanks.

Comment 5 Geetika Kapoor 2020-02-10 04:19:19 UTC

Hi Christina,

While testing this bugzilla , I have gone through this rfc : https://tools.ietf.org/html/rfc5280 
This rfc talks about 2 cases: empty and non-empty for most of the extensions so while testing this , one of my test case was empty value and non-empty value. All i wanted to make sure is if we have empty skid, either it generates random by itself or throws a user friendly error.

Here for SKI rfc says :

this extension MUST
   appear in all conforming CA certificates, that is, all certificates
   including the basic constraints extension (Section 4.2.1.9) where the
   value of cA is TRUE

So , SKID is a MUST extension if CA=true. i was expecting a user friendly error if this kind of situation arises. Probability of this to happen is very less and almost negligible but as a tester i wanted to cover every test case.

Thanks
Geetika

Comment 6 Christina Fu 2020-03-13 21:29:13 UTC

I am not aware of any allowance for empty SKI.  My understanding is that you either have an SKI (for CA certs), or you don't (non-CA certs).
I"m only aware of empty or non-empty references for the "Subject Name" of a certificate.

I'm going to suggest closing this bug as not a bug.  If there is any objection or issues arise at later time, it could be reopen.

Comment 10 Alex Scheel 2021-01-06 20:26:25 UTC

I agree with Christina's earlier assessment. Reading the RFC, it doesn't mention empty SKID values; the extensions should be elided if it is empty IMO. Notably, it appears OpenSSL does not handle empty SKID values either: https://github.com/openssl/openssl/issues/13603#issuecomment-738678435

Note You need to log in before you can comment on or make changes to this bug.