More X509 V3 stuff. Add support for extensions in the 'req' application
so that: openssl req -x509 -new -out cert.pem
will take extensions from openssl.cnf a sample for a CA is included.
Also change the directory order so pem is nearer the end. Otherwise 'make links'
wont work because pem.h can't be built.
diff --git a/CHANGES b/CHANGES
index 8f567ff..1efdfb1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,8 +5,14 @@
Changes between 0.9.1c and 0.9.2
+ *) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req'
+ and add a sample to openssl.cnf so req -x509 now adds appropriate
+ CA extensions.
+ [Steve Henson]
+
*) Continued X509 V3 changes. Add to other makefiles, integrate with the
error code, add initial support to X509_print() and x509 application.
+ [Steve Henson]
*) Takes a deep breath and start addding X509 V3 extension support code. Add
files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
diff --git a/Makefile.org b/Makefile.org
index 1783db3..b5621f2 100644
--- a/Makefile.org
+++ b/Makefile.org
@@ -156,8 +156,8 @@
md2 md5 sha mdc2 hmac ripemd \
des rc2 rc4 rc5 idea bf cast \
bn rsa dsa dh \
- buffer bio stack lhash rand pem err objects \
- evp asn1 x509 x509v3 conf txt_db pkcs7 comp
+ buffer bio stack lhash rand err objects \
+ evp asn1 x509 x509v3 conf pem txt_db pkcs7 comp
# If you change the INSTALLTOP, make sure to also change the values
# in crypto/location.h
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index c070835..fbc328f 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -63,6 +63,7 @@
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
+x509_extensions = v3_ca # The extentions to add to the cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
@@ -117,3 +118,11 @@
#nsCertExt
#nsDataType
+[ v3_ca]
+
+# Extensions for a typical CA
+
+basicConstraints = CA:true
+keyUsage = cRLSign, keyCertSign
+
+
diff --git a/apps/req.c b/apps/req.c
index f37616f..523139e 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -71,6 +71,7 @@
#include "err.h"
#include "asn1.h"
#include "x509.h"
+#include "x509v3.h"
#include "objects.h"
#include "pem.h"
@@ -80,6 +81,7 @@
#define KEYFILE "default_keyfile"
#define DISTINGUISHED_NAME "distinguished_name"
#define ATTRIBUTES "attributes"
+#define V3_EXTENSIONS "x509_extensions"
#define DEFAULT_KEY_LENGTH 512
#define MIN_KEY_LENGTH 384
@@ -147,6 +149,7 @@
int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
int nodes=0,kludge=0;
char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
+ char *extensions = NULL;
EVP_CIPHER *cipher=NULL;
int modulus=0;
char *p;
@@ -357,6 +360,7 @@
}
ERR_load_crypto_strings();
+ X509V3_add_standard_extensions();
#ifndef MONOLITH
/* Lets load up our environment a little */
@@ -427,6 +431,8 @@
digest=md_alg;
}
+ extensions = CONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
+
in=BIO_new(BIO_s_file());
out=BIO_new(BIO_s_file());
if ((in == NULL) || (out == NULL))
@@ -628,12 +634,11 @@
if (x509)
{
EVP_PKEY *tmppkey;
+ X509V3_CTX ext_ctx;
if ((x509ss=X509_new()) == NULL) goto end;
- /* don't set the version number, for starters
- * the field is null and second, null is v0
- * if (!ASN1_INTEGER_set(ci->version,0L)) goto end;
- */
+ /* Set version to V3 */
+ if(!X509_set_version(x509ss, 2)) goto end;
ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L);
X509_set_issuer_name(x509ss,
@@ -647,6 +652,16 @@
X509_set_pubkey(x509ss,tmppkey);
EVP_PKEY_free(tmppkey);
+ /* Set up V3 context struct */
+
+ ext_ctx.issuer_cert = x509ss;
+ ext_ctx.subject_cert = x509ss;
+ ext_ctx.subject_req = NULL;
+
+ /* Add extensions */
+ if(extensions && !X509V3_EXT_add_conf(req_conf,
+ &ext_ctx, extensions, x509ss)) goto end;
+
if (!(i=X509_sign(x509ss,pkey,digest)))
goto end;
}
diff --git a/crypto/x509v3/v3_bitstr.c b/crypto/x509v3/v3_bitstr.c
index 46d8836..10ce8f0 100644
--- a/crypto/x509v3/v3_bitstr.c
+++ b/crypto/x509v3/v3_bitstr.c
@@ -94,7 +94,7 @@
{3, "Data Encipherment", "dataEncipherment"},
{4, "Key Agreement", "keyAgreement"},
{5, "Certificate Sign", "keyCertSign"},
-{6, "CRL Sign", "cRLCertSign"},
+{6, "CRL Sign", "cRLSign"},
{7, "Encipher Only", "encipherOnly"},
{8, "Decipher Only", "decipherOnly"},
{-1, NULL, NULL}
diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h
index 79bb903..276e3ac 100644
--- a/crypto/x509v3/x509v3.h
+++ b/crypto/x509v3/x509v3.h
@@ -106,7 +106,7 @@
};
/* Context specific info */
-struct v3_ctx_struct {
+struct v3_ext_ctx {
X509 *issuer_cert;
X509 *subject_cert;
X509_REQ *subject_req;
