Changes between 0.9.1c and 0.9.2
+ *) Permit extensions to be added to CRLs using crl_section in openssl.cnf.
+ Currently only issuerAltName and AuthorityKeyIdentifier make any sense
+ in CRLs.
+
*) Add a useful kludge to allow package maintainers to specify compiler and
other platforms details on the command line without having to patch the
Configure script everytime: One now can use ``perl Configure
#define ENV_PRESERVE "preserve"
#define ENV_POLICY "policy"
#define ENV_EXTENSIONS "x509_extensions"
+#define ENV_CRLEXT "crl_extensions"
#define ENV_MSIE_HACK "msie_hack"
#define ENV_DATABASE "database"
char *outdir=NULL;
char *serialfile=NULL;
char *extensions=NULL;
+ char *crl_ext=NULL;
BIGNUM *serial=NULL;
char *startdate=NULL;
int days=0;
/*****************************************************************/
if (gencrl)
{
+ crl_ext=CONF_get_string(conf,section,ENV_CRLEXT);
+ if(crl_ext) {
+ /* Check syntax of file */
+ if(!X509V3_EXT_check_conf(conf, crl_ext)) {
+ BIO_printf(bio_err,
+ "Error Loading CRL extension section %s\n",
+ crl_ext);
+ ret = 1;
+ goto err;
+ }
+ }
if ((hex=BIO_new(BIO_s_mem())) == NULL) goto err;
if (!crldays && !crlhours)
dgst=EVP_md5();
}
+ /* Add any extensions asked for */
+
+ if(crl_ext) {
+ X509V3_CTX crlctx;
+ if (ci->version == NULL)
+ if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
+ ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
+ crlctx.crl = crl;
+ crlctx.issuer_cert = x509;
+ crlctx.subject_cert = NULL;
+ crlctx.subject_req = NULL;
+ crlctx.flags = 0;
+
+ if(!X509V3_EXT_CRL_add_conf(conf, &crlctx,
+ crl_ext, crl)) goto err;
+ }
+
if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
PEM_write_bio_X509_CRL(Sout,crl);
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
+crl_extensions = crl_ext # Extensions to add to CRL
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
# 1.2.3.5=RAW:02:03
# You can even override a supported extension:
# basicConstraints= critical, RAW:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
goto end;
}
- /* This will 'disapear'
- * when we free xtmp */
dtmp=X509_get_pubkey(xtmp);
if (dtmp->type == EVP_PKEY_DSA)
dsa_params=DSAparams_dup(dtmp->pkey.dsa);
+ EVP_PKEY_free(dtmp);
X509_free(xtmp);
if (dsa_params == NULL)
{
}
extensions = CONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
+ if(extensions) {
+ /* Check syntax of file */
+ if(!X509V3_EXT_check_conf(req_conf, extensions)) {
+ BIO_printf(bio_err,
+ "Error Loading extension section %s\n", extensions);
+ goto end;
+ }
+ }
in=BIO_new(BIO_s_file());
out=BIO_new(BIO_s_file());
/* Add some extra attributes */
if (!add_signed_time(si)) goto err;
+#if 0
+ /* Since these are made up attributes lets leave them out */
if (!add_signed_string(si,"SIGNED STRING")) goto err;
if (!add_signed_seq2string(si,"STRING1","STRING2")) goto err;
+#endif
/* we may want to add more */
PKCS7_add_certificate(p7,x509);
return 1;
}
+/* Same as above but for a CRL */
+
+int X509V3_EXT_CRL_add_conf(conf, ctx, section, crl)
+LHASH *conf;
+X509V3_CTX *ctx;
+char *section;
+X509_CRL *crl;
+{
+ X509_EXTENSION *ext;
+ STACK *nval;
+ CONF_VALUE *val;
+ int i;
+ if(!(nval = CONF_get_section(conf, section))) return 0;
+ for(i = 0; i < sk_num(nval); i++) {
+ val = (CONF_VALUE *)sk_value(nval, i);
+ if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
+ return 0;
+ if(crl) X509_CRL_add_ext(crl, ext, -1);
+ X509_EXTENSION_free(ext);
+ }
+ return 1;
+}
+
/* Just check syntax of config file as far as possible */
int X509V3_EXT_check_conf(conf, section)
LHASH *conf;
X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, char *value);
X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, char *value);
int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509 *cert);
+int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
int X509V3_EXT_check_conf(LHASH *conf, char *section);
int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
char * i2s_ASN1_ENUMERATED();
char * i2s_ASN1_ENUMERATED_TABLE();
int X509V3_EXT_add();
+int X509V3_EXT_CRL_add_conf();
int X509V3_EXT_add_alias();
void X509V3_EXT_cleanup();
crypto.pod ...... Documentation of OpenSSL crypto.h+libcrypto.a
ssl.pod ......... Documentation of OpenSSL ssl.h+libssl.a
ssleay.txt ...... Assembled documentation files of ancestor SSLeay [obsolete}
-
+ ext-conf.txt .... Text documentation about configuring new extension code.
+ buffer.txt ...... Text documentation about the buffer library.
Extension values are automatically printed out for supported extensions.
-x509 -in cert.pem -text
-crl -in crl.pem -text
+openssl x509 -in cert.pem -text
+openssl crl -in crl.pem -text
will give information in the extension printout, for example:
extension section is used when the -x509 option is present to create a
self signed root certificate.
+You can also add extensions to CRLs: a line
+
+crl_extensions = crl_extension_section
+
+will include extensions when the -gencrl option is used with the 'ca' utility.
+You can add any extension to a CRL but of the supported extensions only
+issuerAltName and authorityKeyIdentifier make any real sense. Note: these are
+CRL extensions NOT CRL *entry* extensions which cannot currently be generated.
+CRL entry extensions can be displayed.
+
EXTENSION SYNTAX.
Extensions have the basic form:
projects / oweals / openssl.git / commitdiff