Added support for adding extensions to CRLs, also fix a memory leak and
authorDr. Stephen Henson <steve@openssl.org>
Sat, 6 Mar 1999 19:33:29 +0000 (19:33 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sat, 6 Mar 1999 19:33:29 +0000 (19:33 +0000)
make 'req' check the config file syntax before it adds extensions. Added
info in the documentation as well.

CHANGES
apps/ca.c
apps/openssl.cnf
apps/req.c
crypto/pkcs7/sign.c
crypto/x509v3/v3_conf.c
crypto/x509v3/x509v3.h
doc/README
doc/ext-conf.txt

diff --git a/CHANGES b/CHANGES
index a1b85c6..74c224f 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,10 @@
 
  Changes between 0.9.1c and 0.9.2
 
+  *) Permit extensions to be added to CRLs using crl_section in openssl.cnf.
+     Currently only issuerAltName and AuthorityKeyIdentifier make any sense
+     in CRLs.
+
   *) Add a useful kludge to allow package maintainers to specify compiler and
      other platforms details on the command line without having to patch the
      Configure script everytime: One now can use ``perl Configure
index ce4181e..1ac9ae4 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
 #define ENV_PRESERVE           "preserve"
 #define ENV_POLICY             "policy"
 #define ENV_EXTENSIONS         "x509_extensions"
+#define ENV_CRLEXT             "crl_extensions"
 #define ENV_MSIE_HACK          "msie_hack"
 
 #define ENV_DATABASE           "database"
@@ -236,6 +237,7 @@ char **argv;
        char *outdir=NULL;
        char *serialfile=NULL;
        char *extensions=NULL;
+       char *crl_ext=NULL;
        BIGNUM *serial=NULL;
        char *startdate=NULL;
        int days=0;
@@ -966,6 +968,17 @@ bad:
        /*****************************************************************/
        if (gencrl)
                {
+               crl_ext=CONF_get_string(conf,section,ENV_CRLEXT);
+               if(crl_ext) {
+                       /* Check syntax of file */
+                       if(!X509V3_EXT_check_conf(conf, crl_ext)) {
+                               BIO_printf(bio_err,
+                                "Error Loading CRL extension section %s\n",
+                                                                crl_ext);
+                               ret = 1;
+                               goto err;
+                       }
+               }
                if ((hex=BIO_new(BIO_s_mem())) == NULL) goto err;
 
                if (!crldays && !crlhours)
@@ -1043,6 +1056,23 @@ bad:
                        dgst=EVP_md5();
                    }
 
+               /* Add any extensions asked for */
+
+               if(crl_ext) {
+                   X509V3_CTX crlctx;
+                   if (ci->version == NULL)
+                   if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
+                   ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
+                   crlctx.crl = crl;
+                   crlctx.issuer_cert = x509;
+                   crlctx.subject_cert = NULL;
+                   crlctx.subject_req = NULL;
+                   crlctx.flags = 0;
+
+                   if(!X509V3_EXT_CRL_add_conf(conf, &crlctx,
+                                                crl_ext, crl)) goto err;
+               }
+
                if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
 
                PEM_write_bio_X509_CRL(Sout,crl);
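Review bot: The result of `ASN1_INTEGER_set(ci->version,1)` is ignored, so if it fails the code still adds the extensions and signs a CRL whose version field was never set to v2. Check it the same way as the allocation above it: `if (!ASN1_INTEGER_set(ci->version,1)) goto err;`. The two stacked `if` statements before it would be harder to misread with braces. `crlctx` is filled in member by member, so any X509V3_CTX member not listed here stays uninitialised. The struct definition is not visible in this hunk, so zeroing it first with `memset(&crlctx, 0, sizeof crlctx);` would remove the dependency on its layout. The enclosing function starts and ends outside the hunk.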
index 49cff56..ac442a7 100644 (file)
@@ -35,6 +35,7 @@ private_key   = $dir/private/cakey.pem# The private key
 RANDFILE       = $dir/private/.rand    # private random number file
 
 x509_extensions        = usr_cert              # The extentions to add to the cert
+crl_extensions = crl_ext               # Extensions to add to CRL
 default_days   = 365                   # how long to certify for
 default_crl_days= 30                   # how long before next CRL
 default_md     = md5                   # which md to use.
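Review bot: Enabling `crl_extensions = crl_ext` in the shipped default means every `ca -gencrl` run with this file now emits a version 2 CRL and depends on the `[ crl_ext ]` section added in the last hunk of this file. That section asks for `authorityKeyIdentifier=keyid:always,issuer:always`, and `always` presumably makes a CA certificate without a subject key identifier a hard failure, so an existing CA could lose the ability to publish revocation data after picking up this config. Consider shipping the line commented out, `# crl_extensions = crl_ext`, with a comment that enabling it switches CRLs to version 2. Alternatively, relax the value to `keyid,issuer`.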
@@ -188,3 +189,11 @@ issuerAltName=issuer:copy
 # 1.2.3.5=RAW:02:03
 # You can even override a supported extension:
 # basicConstraints= critical, RAW:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
index dad1a50..cb9d9d1 100644 (file)
@@ -264,11 +264,10 @@ char **argv;
                                                goto end;
                                                }
 
-                                       /* This will 'disapear'
-                                        * when we free xtmp */
                                        dtmp=X509_get_pubkey(xtmp);
                                        if (dtmp->type == EVP_PKEY_DSA)
                                                dsa_params=DSAparams_dup(dtmp->pkey.dsa);
+                                       EVP_PKEY_free(dtmp);
                                        X509_free(xtmp);
                                        if (dsa_params == NULL)
                                                {
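Review bot: `dtmp` is dereferenced on the line after `X509_get_pubkey(xtmp)` without a NULL check, and the new `EVP_PKEY_free(dtmp)` comes only after that dereference. A certificate whose public key cannot be decoded would therefore crash here instead of being reported. Guard it before the type test, for example `if (dtmp == NULL) { X509_free(xtmp); goto end; }`; the `end` label is already used at the top of this hunk. The deleted comment described the key as going away with `xtmp`, so a short replacement such as `/* X509_get_pubkey() returns a reference the caller must free */` would record why the free is now needed. The function continues outside the hunk.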
@@ -437,6 +436,14 @@ bad:
                }
 
        extensions = CONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
+       if(extensions) {
+               /* Check syntax of file */
+               if(!X509V3_EXT_check_conf(req_conf, extensions)) {
+                       BIO_printf(bio_err,
+                        "Error Loading extension section %s\n", extensions);
+                       goto end;
+               }
+       }
 
        in=BIO_new(BIO_s_file());
        out=BIO_new(BIO_s_file());
index 6ad88d4..772863b 100644 (file)
@@ -110,8 +110,11 @@ again:
 
        /* Add some extra attributes */
        if (!add_signed_time(si)) goto err;
+#if 0
+       /* Since these are made up attributes lets leave them out */
        if (!add_signed_string(si,"SIGNED STRING")) goto err;
        if (!add_signed_seq2string(si,"STRING1","STRING2")) goto err;
+#endif
 
        /* we may want to add more */
        PKCS7_add_certificate(p7,x509);
index 78dd995..5e0fa0b 100644 (file)
@@ -264,6 +264,29 @@ X509 *cert;
        return 1;
 }
 
+/* Same as above but for a CRL */
+
+int X509V3_EXT_CRL_add_conf(conf, ctx, section, crl)
+LHASH *conf;
+X509V3_CTX *ctx;
+char *section;
+X509_CRL *crl;
+{
+       X509_EXTENSION *ext;
+       STACK *nval;
+       CONF_VALUE *val;        
+       int i;
+       if(!(nval = CONF_get_section(conf, section))) return 0;
+       for(i = 0; i < sk_num(nval); i++) {
+               val = (CONF_VALUE *)sk_value(nval, i);
+               if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
+                                                               return 0;
+               if(crl) X509_CRL_add_ext(crl, ext, -1);
+               X509_EXTENSION_free(ext);
+       }
+       return 1;
+}
+
 /* Just check syntax of config file as far as possible */
 int X509V3_EXT_check_conf(conf, section)
 LHASH *conf;
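Review bot: The return value of `X509_CRL_add_ext(crl, ext, -1)` is discarded, so a failed add still lets X509V3_EXT_CRL_add_conf return 1, and the caller in apps/ca.c then signs a CRL that silently lacks a configured extension. Propagate the failure: `if(crl && !X509_CRL_add_ext(crl, ext, -1)) { X509_EXTENSION_free(ext); return 0; }`. The header comment "Same as above but for a CRL" should also say that `crl` may be NULL, in which case each extension is built and freed without being attached. It should state too that a return of 0 means either a missing section or an extension that could not be built.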
index 282732e..1f5f797 100644 (file)
@@ -246,6 +246,7 @@ void X509V3_conf_free(CONF_VALUE *val);
 X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, char *value);
 X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, char *value);
 int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509 *cert);
+int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
 int X509V3_EXT_check_conf(LHASH *conf, char *section);
 int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
 int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
@@ -326,6 +327,7 @@ char *i2s_ASN1_INTEGER();
 char * i2s_ASN1_ENUMERATED();
 char * i2s_ASN1_ENUMERATED_TABLE();
 int X509V3_EXT_add();
+int X509V3_EXT_CRL_add_conf();
 int X509V3_EXT_add_alias();
 void X509V3_EXT_cleanup();
 
index 81c5980..6691068 100644 (file)
@@ -3,4 +3,5 @@
  crypto.pod ...... Documentation of OpenSSL crypto.h+libcrypto.a
  ssl.pod ......... Documentation of OpenSSL ssl.h+libssl.a
  ssleay.txt ...... Assembled documentation files of ancestor SSLeay [obsolete}
-
+ ext-conf.txt .... Text documentation about configuring new extension code.
+ buffer.txt ...... Text documentation about the buffer library.
index b9cf5a5..1d0f6fb 100644 (file)
@@ -14,8 +14,8 @@ PRINTING EXTENSIONS.
 
 Extension values are automatically printed out for supported extensions.
 
-x509 -in cert.pem -text
-crl -in crl.pem -text
+openssl x509 -in cert.pem -text
+openssl crl -in crl.pem -text
 
 will give information in the extension printout, for example:
 
@@ -43,6 +43,16 @@ indicates which section contains the extensions. In the case of 'req' the
 extension section is used when the -x509 option is present to create a
 self signed root certificate.
 
+You can also add extensions to CRLs: a line
+
+crl_extensions = crl_extension_section
+
+will include extensions when the -gencrl option is used with the 'ca' utility.
+You can add any extension to a CRL but of the supported extensions only
+issuerAltName and authorityKeyIdentifier make any real sense. Note: these are
+CRL extensions NOT CRL *entry* extensions which cannot currently be generated.
+CRL entry extensions can be displayed.
+
 EXTENSION SYNTAX.
 
 Extensions have the basic form: