From d428bf8c568c617bb3c3bd0ac3b326298e7b34b9 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Thu, 24 Aug 2000 23:24:18 +0000
Subject: [PATCH] New option to CA.pl to sign request using CA extensions. This
 allows intermediate CAs to be created more easily.

PKCS12_create() now checks private key matches certificate.

Fix typo in x509 app.

Update docs.

New function ASN1_STRING_to_UTF8() converts any ASN1_STRING
type to UTF8.
---
 apps/CA.pl.in           |  5 +++++
 apps/x509.c             |  2 +-
 crypto/asn1/a_mbstr.c   |  5 ++++-
 crypto/asn1/a_strex.c   | 21 +++++++++++++++++++++
 crypto/asn1/asn1.h      |  2 ++
 crypto/pkcs12/p12_crt.c |  2 ++
 doc/apps/CA.pl.pod      |  7 +++++++
 doc/apps/ca.pod         |  4 ++++
 doc/apps/x509.pod       |  8 ++++----
 9 files changed, 50 insertions(+), 6 deletions(-)

diff --git a/apps/CA.pl.in b/apps/CA.pl.in
index 4eef57e6e3..7781067d6a 100644
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -116,6 +116,11 @@ foreach (@ARGV) {
 							"-infiles newreq.pem");
 	    $RET=$?;
 	    print "Signed certificate is in newcert.pem\n";
+	} elsif (/^(-signCA)$/) {
+	    system ("$CA -policy policy_anything -out newcert.pem " .
+					"-extensions v3_ca -infiles newreq.pem");
+	    $RET=$?;
+	    print "Signed CA certificate is in newcert.pem\n";
 	} elsif (/^-signcert$/) {
 	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
 								"-out tmp.pem");
diff --git a/apps/x509.c b/apps/x509.c
index a071b20f40..4da4feba70 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -611,7 +611,7 @@ bad:
 				}
 			else if (subject == i) 
 				{
-				print_name(STDout, "issuer= ",
+				print_name(STDout, "subject= ",
 					X509_get_subject_name(x), nmflag);
 				}
 			else if (serial == i)
diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c
index 42f5d3b01e..9842b653e6 100644
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -92,6 +92,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 {
 	int str_type;
 	int ret;
+	char free_out;
 	int outform, outlen;
 	ASN1_STRING *dest;
 	unsigned char *p;
@@ -180,6 +181,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 	}
 	if(!out) return str_type;
 	if(*out) {
+		free_out = 0;
 		dest = *out;
 		if(dest->data) {
 			dest->length = 0;
@@ -188,6 +190,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		}
 		dest->type = str_type;
 	} else {
+		free_out = 1;
 		dest = ASN1_STRING_type_new(str_type);
 		if(!dest) {
 			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
@@ -229,7 +232,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		break;
 	}
 	if(!(p = OPENSSL_malloc(outlen + 1))) {
-		ASN1_STRING_free(dest);
+		if(free_out) ASN1_STRING_free(dest);
 		ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
 		return -1;
 	}
diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
index 02fe2bad1c..af77b09194 100644
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -509,3 +509,24 @@ int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags)
 {
 	return do_print_ex(send_fp_chars, fp, flags, str);
 }
+
+/* Utility function: convert any string type to UTF8, returns number of bytes
+ * in output string or a negative error code
+ */
+
+int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
+{
+	ASN1_STRING stmp, *str = &stmp;
+	int mbflag, type, ret;
+	if(!*out || !in) return -1;
+	type = in->type;
+	if((type < 0) || (type > 30)) return -1;
+	mbflag = tag2nbyte[type];
+	if(mbflag == -1) return -1;
+	mbflag |= MBSTRING_FLAG;
+	stmp.data = NULL;
+	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
+	if(ret < 0) return ret;
+	if(out) *out = stmp.data;
+	return stmp.length;
+}
diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
index 9189537f28..b2167561b5 100644
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -809,6 +809,8 @@ int ASN1_i2d_fp(int (*i2d)(),FILE *out,unsigned char *x);
 int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags);
 #endif
 
+int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in);
+
 #ifndef NO_BIO
 char *ASN1_d2i_bio(char *(*xnew)(),char *(*d2i)(),BIO *bp,unsigned char **x);
 int ASN1_i2d_bio(int (*i2d)(),BIO *out,unsigned char *x);
diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c
index a5f17c51a7..5641a00898 100644
--- a/crypto/pkcs12/p12_crt.c
+++ b/crypto/pkcs12/p12_crt.c
@@ -86,6 +86,8 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
 		return NULL;
 	}
 
+	if(!X509_check_private_key(cert, pkey)) return NULL;
+
 	if(!(bags = sk_PKCS12_SAFEBAG_new (NULL))) {
 		PKCS12err(PKCS12_F_PKCS12_CREATE,ERR_R_MALLOC_FAILURE);
 		return NULL;
diff --git a/doc/apps/CA.pl.pod b/doc/apps/CA.pl.pod
index 75aa2a1d26..63cd1320cc 100644
--- a/doc/apps/CA.pl.pod
+++ b/doc/apps/CA.pl.pod
@@ -72,6 +72,13 @@ to be in the file "newreq.pem". The new certificate is written to the file
 "newcert.pem" except in the case of the B<-xsign> option when it is written
 to standard output.
 
+
+=item B<-signCA>
+
+this option is the same as the B<-signreq> option except it uses the configuration
+file section B<v3_ca> and so makes the signed request a valid CA certificate. This
+is useful when creating intermediate CA from a root CA.
+
 =item B<-signcert>
 
 this option is the same as B<-sign> except it expects a self signed certificate
diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index 03209aa6b1..efe1b3c230 100644
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -342,6 +342,10 @@ Sign a certificate request:
 
  openssl ca -in req.pem -out newcert.pem
 
+Sign a certificate request, using CA extensions:
+
+ openssl ca -in req.pem -extensions v3_ca -out newcert.pem
+
 Generate a CRL
 
  openssl ca -gencrl -out crl.pem
diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod
index f8742f84fc..7f32eef000 100644
--- a/doc/apps/x509.pod
+++ b/doc/apps/x509.pod
@@ -382,7 +382,7 @@ and a space character at the beginning or end of a string.
 
 =item B<esc_ctrl>
 
-escape and control characters. That is those with ASCII values less than
+escape control characters. That is those with ASCII values less than
 0x20 (space) and the delete (0x7f) character. They are escaped using the
 RFC2253 \XX notation (where XX are two hex digits representing the
 character value).
@@ -456,7 +456,7 @@ indents the fields by four characters.
 =item B<dn_rev>
 
 reverse the fields of the DN. This is required by RFC2253. As a side
-effect this also reveress the order of multiple AVAs but this is
+effect this also reverses the order of multiple AVAs but this is
 permissible.
 
 =item B<nofname>, B<sname>, B<lname>, B<oid>
@@ -519,13 +519,13 @@ Convert a certificate to a certificate request:
 Convert a certificate request into a self signed certificate using
 extensions for a CA:
 
- openssl x509 -req -in careq.pem -config openssl.cnf -extensions v3_ca \
+ openssl x509 -req -in careq.pem -extfile openssl.cnf -extensions v3_ca \
 	-signkey key.pem -out cacert.pem
 
 Sign a certificate request using the CA certificate above and add user
 certificate extensions:
 
- openssl x509 -req -in req.pem -config openssl.cnf -extensions v3_usr \
+ openssl x509 -req -in req.pem -extfile openssl.cnf -extensions v3_usr \
 	-CA cacert.pem -CAkey key.pem -CAcreateserial
 
 
-- 
2.34.1