apps/{req,x509,ca}.c: Clean up code setting X.509 cert version v3

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13614)

diff --git a/apps/ca.c b/apps/ca.c
index 0f21b4fa1c4946f435b70c050f24326ce4355134..f17acdcf73af11a985482f18b11b57316a65452f 100755 (executable)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1650,12 +1650,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
     if ((ret = X509_new_ex(app_get0_libctx(), app_get0_propq())) == NULL)
         goto end;
 
-#ifdef X509_V3
-    /* Make it an X509 v3 certificate. */
-    if (!X509_set_version(ret, 2))
-        goto end;
-#endif
-
     if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL)
         goto end;
     if (selfsign) {
@@ -1739,15 +1733,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         goto end;
     }
 
-    {
-        const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(ret);
-
-        if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)
-            /* Make it an X509 v3 certificate. */
-            if (!X509_set_version(ret, 2))
-                goto end;
-    }
-
     if (verbose)
         BIO_printf(bio_err,
                    "The subject name appears to be ok, checking data base for clashes\n");

diff --git a/apps/req.c b/apps/req.c
index 713d8daf540b335a3622587befa73de293dd6d42..27cfbd6017cc95d3406f37ce49ed443a0f9e91a3 100644 (file)
--- a/apps/req.c
+++ b/apps/req.c
@@ -744,9 +744,6 @@ int req_main(int argc, char **argv)
                 goto end;
 
             /* Set version to V3 */
-            if ((extensions != NULL || addext_conf != NULL)
-                && !X509_set_version(x509ss, 2))
-                goto end;
             if (serial != NULL) {
                 if (!X509_set_serialNumber(x509ss, serial))
                     goto end;
@@ -1708,14 +1705,25 @@ static int do_sign_init(EVP_MD_CTX *ctx, EVP_PKEY *pkey,
         && do_pkey_ctx_init(pkctx, sigopts);
 }
 
-int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+/* Ensure RFC 5280 compliance and then sign the certificate info */
+int do_X509_sign(X509 *cert, EVP_PKEY *pkey, const EVP_MD *md,
                  STACK_OF(OPENSSL_STRING) *sigopts)
 {
-    int rv = 0;
+    const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(cert);
     EVP_MD_CTX *mctx = EVP_MD_CTX_new();
+    int rv = 0;
 
-    if (do_sign_init(mctx, pkey, md, sigopts) > 0)
-        rv = (X509_sign_ctx(x, mctx) > 0);
+    if (sk_X509_EXTENSION_num(exts /* may be NULL */) > 0) {
+        /* Prevent X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 */
+        if (!X509_set_version(cert, 2)) /* Make sure cert is X509 v3 */
+            goto end;
+
+        /* TODO any further measures for ensuring default RFC 5280 compliance */
+    }
+
+    if (mctx != NULL && do_sign_init(mctx, pkey, md, sigopts) > 0)
+        rv = (X509_sign_ctx(cert, mctx) > 0);
+ end:
     EVP_MD_CTX_free(mctx);
     return rv;
 }

diff --git a/apps/x509.c b/apps/x509.c
index ad627f4558dd947ad7c617e76be6d11e1eddd45e..303d19756975aa3185e577ca8f8878aa034397c5 100644 (file)
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1034,7 +1034,7 @@ static int x509_certify(X509_STORE *ctx, const char *CAfile, const EVP_MD *diges
 
     if (conf != NULL) {
         X509V3_CTX ctx2;
-        X509_set_version(x, 2); /* version 3 certificate */
+
         X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
         X509V3_set_nconf(&ctx2, conf);
         if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
@@ -1105,7 +1105,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *fkey,
     }
     if (conf != NULL) {
         X509V3_CTX ctx;
-        X509_set_version(x, 2); /* version 3 certificate */
+
         X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
         X509V3_set_nconf(&ctx, conf);
         if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))