Added support for adding extensions to CRLs, also fixed a memory leak and
made 'req' check the config file syntax before it adds extensions. Added info in the documentation as well.
This commit is contained in:
parent
116e315303
commit
1756d405cc
4
CHANGES
4
CHANGES
|
@ -5,6 +5,10 @@
|
|||
|
||||
Changes between 0.9.1c and 0.9.2
|
||||
|
||||
*) Permit extensions to be added to CRLs using crl_section in openssl.cnf.
|
||||
Currently only issuerAltName and AuthorityKeyIdentifier make any sense
|
||||
in CRLs.
|
||||
|
||||
*) Add a useful kludge to allow package maintainers to specify compiler and
|
||||
other platforms details on the command line without having to patch the
|
||||
Configure script everytime: One now can use ``perl Configure
|
||||
|
|
30
apps/ca.c
30
apps/ca.c
|
@ -105,6 +105,7 @@
|
|||
#define ENV_PRESERVE "preserve"
|
||||
#define ENV_POLICY "policy"
|
||||
#define ENV_EXTENSIONS "x509_extensions"
|
||||
#define ENV_CRLEXT "crl_extensions"
|
||||
#define ENV_MSIE_HACK "msie_hack"
|
||||
|
||||
#define ENV_DATABASE "database"
|
||||
|
@ -236,6 +237,7 @@ char **argv;
|
|||
char *outdir=NULL;
|
||||
char *serialfile=NULL;
|
||||
char *extensions=NULL;
|
||||
char *crl_ext=NULL;
|
||||
BIGNUM *serial=NULL;
|
||||
char *startdate=NULL;
|
||||
int days=0;
|
||||
|
@ -966,6 +968,17 @@ bad:
|
|||
/*****************************************************************/
|
||||
if (gencrl)
|
||||
{
|
||||
crl_ext=CONF_get_string(conf,section,ENV_CRLEXT);
|
||||
if(crl_ext) {
|
||||
/* Check syntax of file */
|
||||
if(!X509V3_EXT_check_conf(conf, crl_ext)) {
|
||||
BIO_printf(bio_err,
|
||||
"Error Loading CRL extension section %s\n",
|
||||
crl_ext);
|
||||
ret = 1;
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
if ((hex=BIO_new(BIO_s_mem())) == NULL) goto err;
|
||||
|
||||
if (!crldays && !crlhours)
|
||||
|
@ -1043,6 +1056,23 @@ bad:
|
|||
dgst=EVP_md5();
|
||||
}
|
||||
|
||||
/* Add any extensions asked for */
|
||||
|
||||
if(crl_ext) {
|
||||
X509V3_CTX crlctx;
|
||||
if (ci->version == NULL)
|
||||
if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
|
||||
ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
|
||||
crlctx.crl = crl;
|
||||
crlctx.issuer_cert = x509;
|
||||
crlctx.subject_cert = NULL;
|
||||
crlctx.subject_req = NULL;
|
||||
crlctx.flags = 0;
|
||||
|
||||
if(!X509V3_EXT_CRL_add_conf(conf, &crlctx,
|
||||
crl_ext, crl)) goto err;
|
||||
}
|
||||
|
||||
if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
|
||||
|
||||
PEM_write_bio_X509_CRL(Sout,crl);
|
||||
|
|
|
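Review bot: In the second ca.c hunk the result of `ASN1_INTEGER_set(ci->version,1)` is not checked, while every neighbouring allocation and signing call in the same block jumps to `err` on failure; a failed set would leave a CRL carrying extensions but without the version field that makes them legal, so prefer `if (!ASN1_INTEGER_set(ci->version,1)) goto err; /* version 2 CRL */`. The X509V3_CTX is also filled in field by field; if the struct has members beyond the five assigned here they stay uninitialised, so a `memset(&crlctx, 0, sizeof crlctx);` before the assignments would be safer — confirm against the struct definition, which is not on this page. The first ca.c hunk sets `ret = 1` before `goto err` whereas this one relies on `ret` already holding the failure value; that is consistent with the surrounding `X509_CRL_sign` line but worth a comment. The enclosing main() starts and ends outside these hunks.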
@ -35,6 +35,7 @@ private_key = $dir/private/cakey.pem# The private key
|
|||
RANDFILE = $dir/private/.rand # private random number file
|
||||
|
||||
x509_extensions = usr_cert # The extentions to add to the cert
|
||||
crl_extensions = crl_ext # Extensions to add to CRL
|
||||
default_days = 365 # how long to certify for
|
||||
default_crl_days= 30 # how long before next CRL
|
||||
default_md = md5 # which md to use.
|
||||
|
@ -188,3 +189,11 @@ issuerAltName=issuer:copy
|
|||
# 1.2.3.5=RAW:02:03
|
||||
# You can even override a supported extension:
|
||||
# basicConstraints= critical, RAW:30:03:01:01:FF
|
||||
|
||||
[ crl_ext ]
|
||||
|
||||
# CRL extensions.
|
||||
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
|
||||
|
||||
issuerAltName=issuer:copy
|
||||
authorityKeyIdentifier=keyid:always,issuer:always
|
||||
|
|
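Review bot: `crl_extensions = crl_ext` is enabled unconditionally in the sample config, and with the ca.c change every CRL produced by `ca -gencrl` under this file becomes a version 2 CRL carrying issuerAltName and authorityKeyIdentifier; that is a visible change in output for anyone copying the default config, so the comment on that line should say so, e.g. `crl_extensions = crl_ext # Extensions to add to CRL (makes -gencrl emit v2 CRLs)`. Note also that `authorityKeyIdentifier=keyid:always` presumably makes CRL generation fail when the CA certificate itself has no subjectKeyIdentifier — confirm against the AKID code, and if so mention it in the `[ crl_ext ]` comment or use `keyid,issuer:always`.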
11
apps/req.c
11
apps/req.c
|
@ -264,11 +264,10 @@ char **argv;
|
|||
goto end;
|
||||
}
|
||||
|
||||
/* This will 'disapear'
|
||||
* when we free xtmp */
|
||||
dtmp=X509_get_pubkey(xtmp);
|
||||
if (dtmp->type == EVP_PKEY_DSA)
|
||||
dsa_params=DSAparams_dup(dtmp->pkey.dsa);
|
||||
EVP_PKEY_free(dtmp);
|
||||
X509_free(xtmp);
|
||||
if (dsa_params == NULL)
|
||||
{
|
||||
|
@ -437,6 +436,14 @@ bad:
|
|||
}
|
||||
|
||||
extensions = CONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
|
||||
if(extensions) {
|
||||
/* Check syntax of file */
|
||||
if(!X509V3_EXT_check_conf(req_conf, extensions)) {
|
||||
BIO_printf(bio_err,
|
||||
"Error Loading extension section %s\n", extensions);
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
|
||||
in=BIO_new(BIO_s_file());
|
||||
out=BIO_new(BIO_s_file());
|
||||
|
|
|
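Review bot: The pointer returned by `X509_get_pubkey(xtmp)` in the first req.c hunk is dereferenced on the next line (`dtmp->type`) without a NULL check; a certificate whose key algorithm is unsupported would crash here rather than report an error. Since the leak fix now frees the key explicitly anyway, the guard is cheap: `if (dtmp == NULL) { X509_free(xtmp); goto end; }` between the `X509_get_pubkey` and the `dtmp->type` test, keeping `xtmp` from leaking on that path. The second hunk's `goto end;` after the "Error Loading extension section" message relies on `ret` already holding the failure value, which is not visible in the hunk — confirm. The enclosing main() continues outside both hunks.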
@ -110,8 +110,11 @@ again:
|
|||
|
||||
/* Add some extra attributes */
|
||||
if (!add_signed_time(si)) goto err;
|
||||
#if 0
|
||||
/* Since these are made up attributes lets leave them out */
|
||||
if (!add_signed_string(si,"SIGNED STRING")) goto err;
|
||||
if (!add_signed_seq2string(si,"STRING1","STRING2")) goto err;
|
||||
#endif
|
||||
|
||||
/* we may want to add more */
|
||||
PKCS7_add_certificate(p7,x509);
|
||||
|
|
|
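Review bot: The `#if 0` block keeps the two made-up attribute calls as dead code; the comment already explains they are being left out, so deleting the lines (history keeps them) reads cleaner than an `#if 0` that will silently bit-rot as `add_signed_string`/`add_signed_seq2string` change. If they are intended as a worked example, say so in the comment, e.g. `/* Example only: these attributes are not meaningful and are not added */`. The enclosing function starts and ends outside this hunk.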
@ -264,6 +264,29 @@ X509 *cert;
|
|||
return 1;
|
||||
}
|
||||
|
||||
/* Same as above but for a CRL */
|
||||
|
||||
int X509V3_EXT_CRL_add_conf(conf, ctx, section, crl)
|
||||
LHASH *conf;
|
||||
X509V3_CTX *ctx;
|
||||
char *section;
|
||||
X509_CRL *crl;
|
||||
{
|
||||
X509_EXTENSION *ext;
|
||||
STACK *nval;
|
||||
CONF_VALUE *val;
|
||||
int i;
|
||||
if(!(nval = CONF_get_section(conf, section))) return 0;
|
||||
for(i = 0; i < sk_num(nval); i++) {
|
||||
val = (CONF_VALUE *)sk_value(nval, i);
|
||||
if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value)))
|
||||
return 0;
|
||||
if(crl) X509_CRL_add_ext(crl, ext, -1);
|
||||
X509_EXTENSION_free(ext);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* Just check syntax of config file as far as possible */
|
||||
int X509V3_EXT_check_conf(conf, section)
|
||||
LHASH *conf;
|
||||
|
|
|
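Review bot: In `X509V3_EXT_CRL_add_conf` the return value of `X509_CRL_add_ext(crl, ext, -1)` is ignored, so an extension that fails to attach (allocation failure inside the add) is freed and the function still returns 1, and the caller in ca.c then signs a CRL missing an extension the config asked for. Replace the add with `if(crl && !X509_CRL_add_ext(crl, ext, -1)) { X509_EXTENSION_free(ext); return 0; }` so the failure propagates like the `X509V3_EXT_conf` failure just above it. The `if(crl)` guard suggests a NULL crl is accepted as a syntax-only pass, which overlaps with the new `X509V3_EXT_check_conf`; a one-line comment stating which one callers should use would help. `X509V3_EXT_check_conf` itself is cut off at the end of the hunk.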
@ -246,6 +246,7 @@ void X509V3_conf_free(CONF_VALUE *val);
|
|||
X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, char *value);
|
||||
X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, char *value);
|
||||
int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509 *cert);
|
||||
int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl);
|
||||
int X509V3_EXT_check_conf(LHASH *conf, char *section);
|
||||
int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool);
|
||||
int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint);
|
||||
|
@ -326,6 +327,7 @@ char *i2s_ASN1_INTEGER();
|
|||
char * i2s_ASN1_ENUMERATED();
|
||||
char * i2s_ASN1_ENUMERATED_TABLE();
|
||||
int X509V3_EXT_add();
|
||||
int X509V3_EXT_CRL_add_conf();
|
||||
int X509V3_EXT_add_alias();
|
||||
void X509V3_EXT_cleanup();
|
||||
|
||||
|
|
|
@ -3,4 +3,5 @@
|
|||
crypto.pod ...... Documentation of OpenSSL crypto.h+libcrypto.a
|
||||
ssl.pod ......... Documentation of OpenSSL ssl.h+libssl.a
|
||||
ssleay.txt ...... Assembled documentation files of ancestor SSLeay [obsolete}
|
||||
|
||||
ext-conf.txt .... Text documentation about configuring new extension code.
|
||||
buffer.txt ...... Text documentation about the buffer library.
|
||||
|
|
|
@ -14,8 +14,8 @@ PRINTING EXTENSIONS.
|
|||
|
||||
Extension values are automatically printed out for supported extensions.
|
||||
|
||||
x509 -in cert.pem -text
|
||||
crl -in crl.pem -text
|
||||
openssl x509 -in cert.pem -text
|
||||
openssl crl -in crl.pem -text
|
||||
|
||||
will give information in the extension printout, for example:
|
||||
|
||||
|
@ -43,6 +43,16 @@ indicates which section contains the extensions. In the case of 'req' the
|
|||
extension section is used when the -x509 option is present to create a
|
||||
self signed root certificate.
|
||||
|
||||
You can also add extensions to CRLs: a line
|
||||
|
||||
crl_extensions = crl_extension_section
|
||||
|
||||
will include extensions when the -gencrl option is used with the 'ca' utility.
|
||||
You can add any extension to a CRL but of the supported extensions only
|
||||
issuerAltName and authorityKeyIdentifier make any real sense. Note: these are
|
||||
CRL extensions NOT CRL *entry* extensions which cannot currently be generated.
|
||||
CRL entry extensions can be displayed.
|
||||
|
||||
EXTENSION SYNTAX.
|
||||
|
||||
Extensions have the basic form:
|
||||
|
|