authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-12-04 11:01:08 +0100
committerDr. David von Oheimb <David.von.Oheimb@siemens.com>2020-12-10 15:19:55 +0100
commitd858e743a9efa9d6282fdb84f3160b485bafc866 (patch)
tree4059e9d83119ad7b8787e429d4f690b4a3fafae2 /apps
parentx509v3_config.pod: Clarify semantics of subjectKeyIdentifier and authorityKey... (diff)
apps/{req,x509,ca}.c: Clean up code setting X.509 cert version v3
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/13614)
Diffstat (limited to 'apps')
-rwxr-xr-xapps/ca.c15
-rw-r--r--apps/req.c22
-rw-r--r--apps/x509.c4
3 files changed, 17 insertions, 24 deletions
diff --git a/apps/ca.c b/apps/ca.c
index 0f21b4fa1c..f17acdcf73 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1650,12 +1650,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
if ((ret = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
goto end;
-#ifdef X509_V3
- /* Make it an X509 v3 certificate. */
- if (!X509_set_version(ret, 2))
- goto end;
-#endif
-
if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL)
goto end;
if (selfsign) {
@@ -1739,15 +1733,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
goto end;
}
- {
- const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(ret);
-
- if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)
- /* Make it an X509 v3 certificate. */
- if (!X509_set_version(ret, 2))
- goto end;
- }
-
if (verbose)
BIO_printf(bio_err,
"The subject name appears to be ok, checking data base for clashes\n");
diff --git a/apps/req.c b/apps/req.c
index 713d8daf54..27cfbd6017 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -744,9 +744,6 @@ int req_main(int argc, char **argv)
goto end;
/* Set version to V3 */
- if ((extensions != NULL || addext_conf != NULL)
- && !X509_set_version(x509ss, 2))
- goto end;
if (serial != NULL) {
if (!X509_set_serialNumber(x509ss, serial))
goto end;
@@ -1708,14 +1705,25 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
&& do_pkey_ctx_init(pkctx, sigopts);
}
-int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+/* Ensure RFC 5280 compliance and then sign the certificate info */
+int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md,
STACK_OF(OPENSSL_STRING) *sigopts)
{
- int rv = 0;
+ const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert);
EVP_MD_CTX *mctx = EVP_MD_CTX_new();
+ int rv = 0;
- if (do_sign_init(mctx, pkey, md, sigopts) > 0)
- rv = (X509_sign_ctx(x, mctx) > 0);
+ if (sk_X509_EXTENSION_num(exts /* may be NULL */) > 0) {
+ /* Prevent X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 */
+ if (!X509_set_version(cert, 2)) /* Make sure cert is X509 v3 */
+ goto end;
+
+ /* TODO any further measures for ensuring default RFC 5280 compliance */
+ }
+
+ if (mctx != NULL && do_sign_init(mctx, pkey, md, sigopts) > 0)
+ rv = (X509_sign_ctx(cert, mctx) > 0);
+ end:
EVP_MD_CTX_free(mctx);
return rv;
}
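Review bot: The comment `/* Set version to V3 */` left in req_main now stands directly above the `if (serial != NULL)` block with nothing it describes, since the version-setting lines beneath it are removed in the first hunk; drop it or replace it with `/* version is set to v3 in do_X509_sign() when extensions are present */` (req_main continues outside the hunk). In do_X509_sign the `sk_X509_EXTENSION_num(exts)` call is safe on a NULL stack because sk_*_num returns -1 for NULL, so the inline `/* may be NULL */` is enough. For the `TODO` about further RFC 5280 measures, one concrete item is that a certificate carrying issuerUniqueID/subjectUniqueID but no extensions must be at least v2 (RFC 5280 4.1.2.1), which this check does not cover; a short note naming that case would make the TODO actionable. Note also that do_X509_sign is now the only place in apps where the version is set, so callers in ca.c and x509.c silently depend on every signing path going through it.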
diff --git a/apps/x509.c b/apps/x509.c
index ad627f4558..303d197569 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1034,7 +1034,7 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
if (conf != NULL) {
X509V3_CTX ctx2;
- X509_set_version(x, 2); /* version 3 certificate */
+
X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
X509V3_set_nconf(&ctx2, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
@@ -1105,7 +1105,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey,
}
if (conf != NULL) {
X509V3_CTX ctx;
- X509_set_version(x, 2); /* version 3 certificate */
+
X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
X509V3_set_nconf(&ctx, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
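Review bot: Both hunks replace `X509_set_version(x, 2);` with a blank line but leave no hint that the version is now set elsewhere, so a reader of x509_certify or sign cannot tell whether v3 marking was dropped or relocated; a one-line comment such as `/* cert version is set to v3 in do_X509_sign() if extensions are present */` in place of the blank line would document the dependency. This appears to rely on both functions reaching do_X509_sign after X509V3_EXT_add_nconf, which the hunks do not show (both enclosing functions continue outside them). The previous code ignored the return value of X509_set_version, which the relocated version does check, so the change is an improvement provided that call path holds.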