From: Dr. Stephen Henson Date: Mon, 25 Jan 1999 01:09:21 +0000 (+0000) Subject: More X509 V3 stuff. Add support for extensions in the 'req' application X-Git-Tag: OpenSSL_0_9_2b~231 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=f317aa4c9cb03dd680247bdcf6a22c1b799890e7;p=oweals%2Fopenssl.git More X509 V3 stuff. Add support for extensions in the 'req' application so that: openssl req -x509 -new -out cert.pem will take extensions from openssl.cnf a sample for a CA is included. Also change the directory order so pem is nearer the end. Otherwise 'make links' wont work because pem.h can't be built. --- diff --git a/CHANGES b/CHANGES index 8f567ffe25..1efdfb17e2 100644 --- a/CHANGES +++ b/CHANGES @@ -5,8 +5,14 @@ Changes between 0.9.1c and 0.9.2 + *) More X509 V3 changes. Fix typo in v3_bitstr.c. Add support to 'req' + and add a sample to openssl.cnf so req -x509 now adds appropriate + CA extensions. + [Steve Henson] + *) Continued X509 V3 changes. Add to other makefiles, integrate with the error code, add initial support to X509_print() and x509 application. + [Steve Henson] *) Takes a deep breath and start addding X509 V3 extension support code. Add files in crypto/x509v3. Move original stuff to crypto/x509v3/old. All this diff --git a/Makefile.org b/Makefile.org index 1783db349b..b5621f2454 100644 --- a/Makefile.org +++ b/Makefile.org @@ -156,8 +156,8 @@ SDIRS= \ md2 md5 sha mdc2 hmac ripemd \ des rc2 rc4 rc5 idea bf cast \ bn rsa dsa dh \ - buffer bio stack lhash rand pem err objects \ - evp asn1 x509 x509v3 conf txt_db pkcs7 comp + buffer bio stack lhash rand err objects \ + evp asn1 x509 x509v3 conf pem txt_db pkcs7 comp # If you change the INSTALLTOP, make sure to also change the values # in crypto/location.h diff --git a/apps/openssl.cnf b/apps/openssl.cnf index c07083566f..fbc328fad4 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -63,6 +63,7 @@ default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes +x509_extensions = v3_ca # The extentions to add to the cert [ req_distinguished_name ] countryName = Country Name (2 letter code) @@ -117,3 +118,11 @@ nsCertType = 0x40 #nsCertExt #nsDataType +[ v3_ca] + +# Extensions for a typical CA + +basicConstraints = CA:true +keyUsage = cRLSign, keyCertSign + + diff --git a/apps/req.c b/apps/req.c index f37616feff..523139ecda 100644 --- a/apps/req.c +++ b/apps/req.c @@ -71,6 +71,7 @@ #include "err.h" #include "asn1.h" #include "x509.h" +#include "x509v3.h" #include "objects.h" #include "pem.h" @@ -80,6 +81,7 @@ #define KEYFILE "default_keyfile" #define DISTINGUISHED_NAME "distinguished_name" #define ATTRIBUTES "attributes" +#define V3_EXTENSIONS "x509_extensions" #define DEFAULT_KEY_LENGTH 512 #define MIN_KEY_LENGTH 384 @@ -147,6 +149,7 @@ char **argv; int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM; int nodes=0,kludge=0; char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL; + char *extensions = NULL; EVP_CIPHER *cipher=NULL; int modulus=0; char *p; @@ -357,6 +360,7 @@ bad: } ERR_load_crypto_strings(); + X509V3_add_standard_extensions(); #ifndef MONOLITH /* Lets load up our environment a little */ @@ -427,6 +431,8 @@ bad: digest=md_alg; } + extensions = CONF_get_string(req_conf, SECTION, V3_EXTENSIONS); + in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); if ((in == NULL) || (out == NULL)) @@ -628,12 +634,11 @@ loop: if (x509) { EVP_PKEY *tmppkey; + X509V3_CTX ext_ctx; if ((x509ss=X509_new()) == NULL) goto end; - /* don't set the version number, for starters - * the field is null and second, null is v0 - * if (!ASN1_INTEGER_set(ci->version,0L)) goto end; - */ + /* Set version to V3 */ + if(!X509_set_version(x509ss, 2)) goto end; ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L); X509_set_issuer_name(x509ss, @@ -647,6 +652,16 @@ loop: X509_set_pubkey(x509ss,tmppkey); EVP_PKEY_free(tmppkey); + /* Set up V3 context struct */ + + ext_ctx.issuer_cert = x509ss; + ext_ctx.subject_cert = x509ss; + ext_ctx.subject_req = NULL; + + /* Add extensions */ + if(extensions && !X509V3_EXT_add_conf(req_conf, + &ext_ctx, extensions, x509ss)) goto end; + if (!(i=X509_sign(x509ss,pkey,digest))) goto end; } diff --git a/crypto/x509v3/v3_bitstr.c b/crypto/x509v3/v3_bitstr.c index 46d8836cd6..10ce8f04ef 100644 --- a/crypto/x509v3/v3_bitstr.c +++ b/crypto/x509v3/v3_bitstr.c @@ -94,7 +94,7 @@ static BIT_STRING_BITNAME key_usage_type_table[] = { {3, "Data Encipherment", "dataEncipherment"}, {4, "Key Agreement", "keyAgreement"}, {5, "Certificate Sign", "keyCertSign"}, -{6, "CRL Sign", "cRLCertSign"}, +{6, "CRL Sign", "cRLSign"}, {7, "Encipher Only", "encipherOnly"}, {8, "Decipher Only", "decipherOnly"}, {-1, NULL, NULL} diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index 79bb903ccf..276e3ac2ef 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -106,7 +106,7 @@ char *usr_data; /* Any extension specific data */ }; /* Context specific info */ -struct v3_ctx_struct { +struct v3_ext_ctx { X509 *issuer_cert; X509 *subject_cert; X509_REQ *subject_req;