author | Dr. Stephen Henson <steve@openssl.org> | 1999-03-06 19:33:29 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 1999-03-06 19:33:29 +0000 |
commit | 1756d405cc0d5bf8fd0a40b8d103ee9314522171 (patch) | |
tree | fb862f3f0c53144b518ebf0eec245a10a355fa90 /apps | |
parent | 116e315303d87c1974500a89dc3ff2fe7f88e59d (diff) | |
download | openssl-1756d405cc0d5bf8fd0a40b8d103ee9314522171.tar.gz |
Added support for adding extensions to CRLs, also fix a memory leak and
make 'req' check the config file syntax before it adds extensions. Added
info in the documentation as well.
Diffstat (limited to 'apps')
-rw-r--r-- | apps/ca.c | 30 | ||||
-rw-r--r-- | apps/openssl.cnf | 9 | ||||
-rw-r--r-- | apps/req.c | 11 |
3 files changed, 48 insertions, 2 deletions
@@ -105,6 +105,7 @@
 #define ENV_PRESERVE "preserve"
 #define ENV_POLICY "policy"
 #define ENV_EXTENSIONS "x509_extensions"
+#define ENV_CRLEXT "crl_extensions"
 #define ENV_MSIE_HACK "msie_hack"
 #define ENV_DATABASE "database"
@@ -236,6 +237,7 @@ char **argv;
 char *outdir=NULL;
 char *serialfile=NULL;
 char *extensions=NULL;
+ char *crl_ext=NULL;
 BIGNUM *serial=NULL;
 char *startdate=NULL;
 int days=0;
@@ -966,6 +968,17 @@ bad:
 /*****************************************************************/
 if (gencrl)
 {
+ crl_ext=CONF_get_string(conf,section,ENV_CRLEXT);
+ if(crl_ext) {
+ /* Check syntax of file */
+ if(!X509V3_EXT_check_conf(conf, crl_ext)) {
+ BIO_printf(bio_err,
+ "Error Loading CRL extension section %s\n",
+ crl_ext);
+ ret = 1;
+ goto err;
+ }
+ }
 if ((hex=BIO_new(BIO_s_mem())) == NULL) goto err;
 if (!crldays && !crlhours)
@@ -1043,6 +1056,23 @@ bad:
 dgst=EVP_md5();
 }
+ /* Add any extensions asked for */
+
+ if(crl_ext) {
+ X509V3_CTX crlctx;
+ if (ci->version == NULL)
+ if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
+ ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
+ crlctx.crl = crl;
+ crlctx.issuer_cert = x509;
+ crlctx.subject_cert = NULL;
+ crlctx.subject_req = NULL;
+ crlctx.flags = 0;
+
+ if(!X509V3_EXT_CRL_add_conf(conf, &crlctx,
+ crl_ext, crl)) goto err;
+ }
+
 if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
 PEM_write_bio_X509_CRL(Sout,crl);
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 49cff56f35..ac442a732b 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -35,6 +35,7 @@ private_key = $dir/private/cakey.pem# The private key
 RANDFILE = $dir/private/.rand # private random number file
 x509_extensions = usr_cert # The extentions to add to the cert
+crl_extensions = crl_ext # Extensions to add to CRL
 default_days = 365 # how long to certify for
 default_crl_days= 30 # how long before next CRL
 default_md = md5 # which md to use. 
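Review bot: The X509V3_EXT_check_conf failure path in the gencrl block sets `ret = 1;` before `goto err`, but none of the other `goto err` paths this change adds or passes through (the hex BIO allocation, `X509V3_EXT_CRL_add_conf`, `X509_CRL_sign`) do; unless `ret` is already non-zero at this point — which the hunk does not show — a failed CRL build would still exit with the success status. Either the assignment here is redundant and can go, or the later failure paths need it too; the two should be made consistent. Also, the message names only the section, so the actual parse reason pushed onto the error queue by the check is lost unless the `err:` label prints the error stack — if it does not, add `ERR_print_errors(bio_err);` after the `BIO_printf`. The enclosing gencrl block continues past this hunk.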
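Review bot: `crlctx` is a stack `X509V3_CTX` of which only five members (`crl`, `issuer_cert`, `subject_cert`, `subject_req`, `flags`) are assigned before it is handed to `X509V3_EXT_CRL_add_conf`; if the struct carries any other members (the config-database hooks, for instance) they are read uninitialized. Zero the struct first, `memset(&crlctx, 0, sizeof(crlctx));`, and keep the explicit assignments after it, so the context stays well-defined when fields are added. The nested `if (ci->version == NULL) if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;` would also be clearer braced as a single block, matching the style of the `if(crl_ext) {` around it. The enclosing gencrl block starts before this hunk and continues after it.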
@@ -188,3 +189,11 @@ issuerAltName=issuer:copy
 # 1.2.3.5=RAW:02:03
 # You can even override a supported extension:
 # basicConstraints= critical, RAW:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
diff --git a/apps/req.c b/apps/req.c
index dad1a50c46..cb9d9d16fa 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -264,11 +264,10 @@ char **argv;
 goto end;
 }
- /* This will 'disapear'
- * when we free xtmp */
 dtmp=X509_get_pubkey(xtmp);
 if (dtmp->type == EVP_PKEY_DSA)
 dsa_params=DSAparams_dup(dtmp->pkey.dsa);
+ EVP_PKEY_free(dtmp);
 X509_free(xtmp);
 if (dsa_params == NULL)
 {
@@ -437,6 +436,14 @@ bad:
 }
 extensions = CONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
+ if(extensions) {
+ /* Check syntax of file */
+ if(!X509V3_EXT_check_conf(req_conf, extensions)) {
+ BIO_printf(bio_err,
+ "Error Loading extension section %s\n", extensions);
+ goto end;
+ }
+ }
 in=BIO_new(BIO_s_file());
 out=BIO_new(BIO_s_file()); |
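Review bot: The new `[ crl_ext ]` comment "Only issuerAltName and authorityKeyIdentifier make any sense in a CRL" overstates the case: RFC 2459 defines further CRL-level extensions, notably crlNumber (which it says SHOULD be present so relying parties can detect a superseded CRL) and deltaCRLIndicator, plus per-entry extensions such as reasonCode. Whether the X509V3 config code can emit those is not visible from this hunk, so the comment should describe what this sample configures rather than what is meaningful, e.g. `# CRL extensions: this sample adds only issuerAltName and authorityKeyIdentifier (see RFC 2459 5.2 for the others, e.g. crlNumber).`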
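Review bot: `dtmp=X509_get_pubkey(xtmp)` is dereferenced on the next line (`dtmp->type`) with no NULL check; `X509_get_pubkey` returns NULL when the certificate's SubjectPublicKeyInfo cannot be decoded (malformed or unsupported algorithm), so a bad input certificate crashes req here instead of failing cleanly, and the newly added `EVP_PKEY_free(dtmp)` is never reached in that case. Add `if (dtmp == NULL) { BIO_printf(bio_err, "unable to load public key from certificate\n"); X509_free(xtmp); goto end; }` immediately after the call. The leak fix itself is correct since `X509_get_pubkey` returns an owned reference. The enclosing function begins before this hunk and continues past it.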