More X509 V3 stuff. Add support for extensions in the 'req' application
authorDr. Stephen Henson <steve@openssl.org>
Mon, 25 Jan 1999 01:09:21 +0000 (01:09 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 25 Jan 1999 01:09:21 +0000 (01:09 +0000)
so that: openssl req -x509 -new -out cert.pem
will take extensions from openssl.cnf a sample for a CA is included.
Also change the directory order so pem is nearer the end. Otherwise 'make links'
wont work because pem.h can't be built.

CHANGES
Makefile.org
apps/openssl.cnf
apps/req.c
crypto/x509v3/v3_bitstr.c
crypto/x509v3/x509v3.h

diff --git a/CHANGES b/CHANGES
index 8f567ff..1efdfb1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,8 +5,14 @@
 
  Changes between 0.9.1c and 0.9.2
 
+  *) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req'
+     and add a sample to openssl.cnf so req -x509 now adds appropriate
+     CA extensions.
+     [Steve Henson]
+
   *) Continued X509 V3 changes. Add to other makefiles, integrate with the
      error code, add initial support to X509_print() and x509 application.
+     [Steve Henson]
 
   *) Takes a deep breath and start addding X509 V3 extension support code. Add
      files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this
index 1783db3..b5621f2 100644 (file)
@@ -156,8 +156,8 @@ SDIRS=  \
        md2 md5 sha mdc2 hmac ripemd \
        des rc2 rc4 rc5 idea bf cast \
        bn rsa dsa dh \
-       buffer bio stack lhash rand pem err objects \
-       evp asn1 x509 x509v3 conf txt_db pkcs7 comp
+       buffer bio stack lhash rand err objects \
+       evp asn1 x509 x509v3 conf pem txt_db pkcs7 comp
 
 # If you change the INSTALLTOP, make sure to also change the values
 # in crypto/location.h
index c070835..fbc328f 100644 (file)
@@ -63,6 +63,7 @@ default_bits          = 1024
 default_keyfile        = privkey.pem
 distinguished_name     = req_distinguished_name
 attributes             = req_attributes
+x509_extensions        = v3_ca # The extentions to add to the cert
 
 [ req_distinguished_name ]
 countryName                    = Country Name (2 letter code)
@@ -117,3 +118,11 @@ nsCertType                 = 0x40
 #nsCertExt
 #nsDataType
 
+[ v3_ca]
+
+# Extensions for a typical CA
+
+basicConstraints = CA:true
+keyUsage = cRLSign, keyCertSign
+
+
index f37616f..523139e 100644 (file)
@@ -71,6 +71,7 @@
 #include "err.h"
 #include "asn1.h"
 #include "x509.h"
+#include "x509v3.h"
 #include "objects.h"
 #include "pem.h"
 
@@ -80,6 +81,7 @@
 #define KEYFILE                "default_keyfile"
 #define DISTINGUISHED_NAME     "distinguished_name"
 #define ATTRIBUTES     "attributes"
+#define V3_EXTENSIONS  "x509_extensions"
 
 #define DEFAULT_KEY_LENGTH     512
 #define MIN_KEY_LENGTH         384
@@ -147,6 +149,7 @@ char **argv;
        int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
        int nodes=0,kludge=0;
        char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
+       char *extensions = NULL;
        EVP_CIPHER *cipher=NULL;
        int modulus=0;
        char *p;
@@ -357,6 +360,7 @@ bad:
                }
 
        ERR_load_crypto_strings();
+       X509V3_add_standard_extensions();
 
 #ifndef MONOLITH
        /* Lets load up our environment a little */
@@ -427,6 +431,8 @@ bad:
                        digest=md_alg;
                }
 
+       extensions = CONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
+
        in=BIO_new(BIO_s_file());
        out=BIO_new(BIO_s_file());
        if ((in == NULL) || (out == NULL))
@@ -628,12 +634,11 @@ loop:
                if (x509)
                        {
                        EVP_PKEY *tmppkey;
+                       X509V3_CTX ext_ctx;
                        if ((x509ss=X509_new()) == NULL) goto end;
 
-                       /* don't set the version number, for starters
-                        * the field is null and second, null is v0 
-                        * if (!ASN1_INTEGER_set(ci->version,0L)) goto end;
-                        */
+                       /* Set version to V3 */
+                       if(!X509_set_version(x509ss, 2)) goto end;
                        ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L);
 
                        X509_set_issuer_name(x509ss,
@@ -647,6 +652,16 @@ loop:
                        X509_set_pubkey(x509ss,tmppkey);
                        EVP_PKEY_free(tmppkey);
 
+                       /* Set up V3 context struct */
+
+                       ext_ctx.issuer_cert = x509ss;
+                       ext_ctx.subject_cert = x509ss;
+                       ext_ctx.subject_req = NULL;
+
+                       /* Add extensions */
+                       if(extensions && !X509V3_EXT_add_conf(req_conf, 
+                                       &ext_ctx, extensions, x509ss)) goto end;
+
                        if (!(i=X509_sign(x509ss,pkey,digest)))
                                goto end;
                        }
index 46d8836..10ce8f0 100644 (file)
@@ -94,7 +94,7 @@ static BIT_STRING_BITNAME key_usage_type_table[] = {
 {3, "Data Encipherment", "dataEncipherment"},
 {4, "Key Agreement", "keyAgreement"},
 {5, "Certificate Sign", "keyCertSign"},
-{6, "CRL Sign", "cRLCertSign"},
+{6, "CRL Sign", "cRLSign"},
 {7, "Encipher Only", "encipherOnly"},
 {8, "Decipher Only", "decipherOnly"},
 {-1, NULL, NULL}
index 79bb903..276e3ac 100644 (file)
@@ -106,7 +106,7 @@ char *usr_data;     /* Any extension specific data */
 };
 
 /* Context specific info */
-struct v3_ctx_struct {
+struct v3_ext_ctx {
 X509 *issuer_cert;
 X509 *subject_cert;
 X509_REQ *subject_req;