-rwxr-xr-x | apps/ca.c | 15 | ||||
-rw-r--r-- | apps/req.c | 22 | ||||
-rw-r--r-- | apps/x509.c | 4 |
3 files changed, 17 insertions, 24 deletions
@@ -1650,12 +1650,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
     if ((ret = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
         goto end;
 
-#ifdef X509_V3
-    /* Make it an X509 v3 certificate. */
-    if (!X509_set_version(ret, 2))
-        goto end;
-#endif
-
     if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL)
         goto end;
     if (selfsign) {
@@ -1739,15 +1733,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         goto end;
     }
 
-    {
-        const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(ret);
-
-        if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)
-            /* Make it an X509 v3 certificate. */
-            if (!X509_set_version(ret, 2))
-                goto end;
-    }
-
     if (verbose)
         BIO_printf(bio_err,
                    "The subject name appears to be ok, checking data base for clashes\n");
diff --git a/apps/req.c b/apps/req.c
index 713d8daf54..27cfbd6017 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -744,9 +744,6 @@ int req_main(int argc, char **argv)
             goto end;
 
         /* Set version to V3 */
-        if ((extensions != NULL || addext_conf != NULL)
-            && !X509_set_version(x509ss, 2))
-            goto end;
         if (serial != NULL) {
             if (!X509_set_serialNumber(x509ss, serial))
                 goto end;
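Review bot: After the second hunk's removal nothing in do_body itself marks the certificate as v3 any more, so the version bump for extension-bearing certificates now depends entirely on do_body handing the object to do_X509_sign() later in the function, which lies outside the hunk; a one-line comment at the removal site keeps that dependency visible: `/* the version is raised to v3 by do_X509_sign() when extensions are present */`. The first hunk's `#ifdef X509_V3` block looks like it was compiled out (the macro is not defined anywhere visible here), so that removal should be behaviour-neutral, but confirm no build defines X509_V3. do_body starts and ends outside both hunks.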
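Review bot: In the req.c hunk the context line `/* Set version to V3 */` survives the deletion of the code it described and now sits directly above `if (serial != NULL)`, where it misleads the reader; either drop it in this commit or rewrite it to `/* the version is raised to v3 by do_X509_sign() when extensions are present */`. The deleted guard also keyed the bump on `extensions != NULL || addext_conf != NULL`, i.e. on the configuration, whereas the replacement in do_X509_sign() keys it on extensions actually attached to x509ss; that is the better criterion, but it is a behaviour change worth a sentence in the commit message. req_main continues outside the hunk.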
@@ -1708,14 +1705,25 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
         && do_pkey_ctx_init(pkctx, sigopts);
 }
 
-int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+/* Ensure RFC 5280 compliance and then sign the certificate info */
+int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md,
                  STACK_OF(OPENSSL_STRING) *sigopts)
 {
-    int rv = 0;
+    const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert);
     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
+    int rv = 0;
-    if (do_sign_init(mctx, pkey, md, sigopts) > 0)
-        rv = (X509_sign_ctx(x, mctx) > 0);
+    if (sk_X509_EXTENSION_num(exts /* may be NULL */) > 0) {
+        /* Prevent X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 */
+        if (!X509_set_version(cert, 2)) /* Make sure cert is X509 v3 */
+            goto end;
+
+        /* TODO any further measures for ensuring default RFC 5280 compliance */
+    }
+
+    if (mctx != NULL && do_sign_init(mctx, pkey, md, sigopts) > 0)
+        rv = (X509_sign_ctx(cert, mctx) > 0);
+
 end:
     EVP_MD_CTX_free(mctx);
     return rv;
 }
diff --git a/apps/x509.c b/apps/x509.c
index ad627f4558..303d197569 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1034,7 +1034,7 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
 
     if (conf != NULL) {
         X509V3_CTX ctx2;
-        X509_set_version(x, 2); /* version 3 certificate */
+
         X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
         X509V3_set_nconf(&ctx2, conf);
         if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
@@ -1105,7 +1105,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey,
     }
     if (conf != NULL) {
         X509V3_CTX ctx;
-        X509_set_version(x, 2); /* version 3 certificate */
+
         X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
         X509V3_set_nconf(&ctx, conf);
         if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))
|
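Review bot: The new header comment `/* Ensure RFC 5280 compliance and then sign the certificate info */` promises more than the body delivers: the only rule enforced is the RFC 5280 section 4.1.2.1 requirement that a certificate carrying extensions be version 3, as the TODO inside the block concedes, so a comment matching the code would be `/* Raise the version to v3 when extensions are present (RFC 5280, 4.1.2.1), then sign */`. The `exts /* may be NULL */` argument comment papers over a reliance on sk_X509_EXTENSION_num() returning -1 for a NULL stack; `if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)` states the intent directly and mirrors the guard this commit deletes from ca.c. Since the function now mutates the certificate before signing, callers that only wanted a signature get their version field rewritten as a side effect; that is acceptable here because every caller re-signs, but the contract should say so in the comment. The `mctx != NULL` guard correctly turns an EVP_MD_CTX_new() failure into the 0 return rather than a NULL dereference in do_sign_init().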
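Review bot: In both x509.c hunks the unconditional `X509_set_version(x, 2)` is dropped, so a certificate re-signed with a config section that yields no extensions now keeps whatever version it came in with instead of being forced to v3; that is the RFC 5280-conformant outcome, but it is a visible output change for users of the extension-file options and belongs in the commit message or CHANGES entry. The bump now also depends on x509_certify() and sign() reaching do_X509_sign() on the same object, which happens outside both hunks, so a short comment where the call was removed, `/* version is raised to v3 by do_X509_sign() when extensions are present */`, would keep that dependency visible. The blank line left after `X509V3_CTX ctx2;` and `X509V3_CTX ctx;` is fine stylistically, as it separates the declaration from the statements.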