From f317aa4c9cb03dd680247bdcf6a22c1b799890e7 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 25 Jan 1999 01:09:21 +0000 Subject: [PATCH] More X509 V3 stuff. Add support for extensions in the 'req' application so that: openssl req -x509 -new -out cert.pem will take extensions from openssl.cnf a sample for a CA is included. Also change the directory order so pem is nearer the end. Otherwise 'make links' wont work because pem.h can't be built. --- CHANGES | 6 ++++++ Makefile.org | 4 ++-- apps/openssl.cnf | 9 +++++++++ apps/req.c | 23 +++++++++++++++++++---- crypto/x509v3/v3_bitstr.c | 2 +- crypto/x509v3/x509v3.h | 2 +- 6 files changed, 38 insertions(+), 8 deletions(-) diff --git a/CHANGES b/CHANGES index 8f567ffe25..1efdfb17e2 100644 --- a/CHANGES +++ b/CHANGES @@ -5,8 +5,14 @@ Changes between 0.9.1c and 0.9.2 + *) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req' + and add a sample to openssl.cnf so req -x509 now adds appropriate + CA extensions. + [Steve Henson] + *) Continued X509 V3 changes. Add to other makefiles, integrate with the error code, add initial support to X509_print() and x509 application. + [Steve Henson] *) Takes a deep breath and start addding X509 V3 extension support code. Add files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this diff --git a/Makefile.org b/Makefile.org index 1783db349b..b5621f2454 100644 --- a/Makefile.org +++ b/Makefile.org @@ -156,8 +156,8 @@ SDIRS= \ md2 md5 sha mdc2 hmac ripemd \ des rc2 rc4 rc5 idea bf cast \ bn rsa dsa dh \ - buffer bio stack lhash rand pem err objects \ - evp asn1 x509 x509v3 conf txt_db pkcs7 comp + buffer bio stack lhash rand err objects \ + evp asn1 x509 x509v3 conf pem txt_db pkcs7 comp # If you change the INSTALLTOP, make sure to also change the values # in crypto/location.h diff --git a/apps/openssl.cnf b/apps/openssl.cnf index c07083566f..fbc328fad4 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf 
@@ -63,6 +63,7 @@ default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the cert [ req_distinguished_name ] countryName = Country Name (2 letter code) @@ -117,3 +118,11 @@ nsCertType = 0x40 #nsCertExt #nsDataType +[ v3_ca] + +# Extensions for a typical CA + +basicConstraints = CA:true +keyUsage = cRLSign, keyCertSign + + diff --git a/apps/req.c b/apps/req.c index f37616feff..523139ecda 100644 --- a/apps/req.c +++ b/apps/req.c @@ -71,6 +71,7 @@ #include "err.h" #include "asn1.h" #include "x509.h" +#include "x509v3.h" #include "objects.h" #include "pem.h" @@ -80,6 +81,7 @@ #define KEYFILE "default_keyfile" #define DISTINGUISHED_NAME "distinguished_name" #define ATTRIBUTES "attributes" +#define V3_EXTENSIONS "x509_extensions" #define DEFAULT_KEY_LENGTH 512 #define MIN_KEY_LENGTH 384 @@ -147,6 +149,7 @@ char **argv; int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM; int nodes=0,kludge=0; char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL; + char *extensions = NULL; EVP_CIPHER *cipher=NULL; int modulus=0; char *p; @@ -357,6 +360,7 @@ bad: } ERR_load_crypto_strings(); + X509V3_add_standard_extensions(); #ifndef MONOLITH /* Lets load up our environment a little */ @@ -427,6 +431,8 @@ bad: digest=md_alg; } + extensions = CONF_get_string(req_conf, SECTION, V3_EXTENSIONS); + in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); if ((in == NULL) || (out == NULL)) @@ -628,12 +634,11 @@ loop: if (x509) { EVP_PKEY *tmppkey; + X509V3_CTX ext_ctx; if ((x509ss=X509_new()) == NULL) goto end; - /* don't set the version number, for starters - * the field is null and second, null is v0 - * if (!ASN1_INTEGER_set(ci->version,0L)) goto end; - */ + /* Set version to V3 */ + if(!X509_set_version(x509ss, 2)) goto end; ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L); X509_set_issuer_name(x509ss, 
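Review bot: The trailing comment on the new `x509_extensions` line misspells "extensions" and does not say when the named section is applied; the req.c changes in this patch use the value only while building the self-signed `x509ss` certificate, i.e. only with `-x509`, and the comment should say so. Suggested line: `x509_extensions = v3_ca # extensions added to a self-signed -x509 certificate`. Worth stating, because with this default every certificate produced by `req -x509` will carry the CA extensions from `v3_ca` unless the user edits or removes the setting.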
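Review bot: The sample `v3_ca` section marks neither extension critical; the PKIX profile (RFC 2459, 4.2.1.10) requires basicConstraints to be a critical extension in CA certificates and recommends the same for keyUsage, so certificates generated from this default do not meet the CA profile the section claims to be a sample of. If the extension parser accepts a `critical,` prefix (not visible in this patch), the two lines should read `basicConstraints = critical,CA:true` and `keyUsage = critical, cRLSign, keyCertSign`; if it does not yet, a comment noting that the sample is not a conformant CA profile is the minimum. The header `[ v3_ca]` also lacks the space before the closing bracket that every other section header in this file uses (`[ req_distinguished_name ]`).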
@@ -647,6 +652,16 @@ loop: X509_set_pubkey(x509ss,tmppkey); EVP_PKEY_free(tmppkey); + /* Set up V3 context struct */ + + ext_ctx.issuer_cert = x509ss; + ext_ctx.subject_cert = x509ss; + ext_ctx.subject_req = NULL; + + /* Add extensions */ + if(extensions && !X509V3_EXT_add_conf(req_conf, + &ext_ctx, extensions, x509ss)) goto end; + if (!(i=X509_sign(x509ss,pkey,digest))) goto end; } diff --git a/crypto/x509v3/v3_bitstr.c b/crypto/x509v3/v3_bitstr.c index 46d8836cd6..10ce8f04ef 100644 --- a/crypto/x509v3/v3_bitstr.c +++ b/crypto/x509v3/v3_bitstr.c @@ -94,7 +94,7 @@ static BIT_STRING_BITNAME key_usage_type_table[] = { {3, "Data Encipherment", "dataEncipherment"}, {4, "Key Agreement", "keyAgreement"}, {5, "Certificate Sign", "keyCertSign"}, -{6, "CRL Sign", "cRLCertSign"}, +{6, "CRL Sign", "cRLSign"}, {7, "Encipher Only", "encipherOnly"}, {8, "Decipher Only", "decipherOnly"}, {-1, NULL, NULL} diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index 79bb903ccf..276e3ac2ef 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -106,7 +106,7 @@ char *usr_data; /* Any extension specific data */ }; /* Context specific info */ -struct v3_ctx_struct { +struct v3_ext_ctx { X509 *issuer_cert; X509 *subject_cert; X509_REQ *subject_req; -- 2.34.1
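Review bot: `ext_ctx` is an automatic `X509V3_CTX` and only `issuer_cert`, `subject_cert` and `subject_req` are assigned before it is passed to `X509V3_EXT_add_conf`; the x509v3.h hunk in this patch shows only those three members of `struct v3_ext_ctx`, but the struct may already have more beyond the hunk and is likely to grow, and any such member would be handed over as uninitialized stack data. Zero the whole struct first, `memset(&ext_ctx, 0, sizeof(ext_ctx));` right after the `/* Set up V3 context struct */` comment (assuming `<string.h>` is already included in req.c), so that members not set here default to NULL. The failure path is also silent: when `X509V3_EXT_add_conf` fails the code jumps to `end` without naming the section that failed; if `end` does not already print the error queue (not visible here), `BIO_printf(bio_err, "Error adding extensions from section %s\n", extensions);` before the `goto` would make misconfigured sections diagnosable. The enclosing `if (x509)` block and the function it belongs to both start outside this hunk.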