authorDr. Stephen Henson <steve@openssl.org>1999-03-06 19:33:29 +0000
committerDr. Stephen Henson <steve@openssl.org>1999-03-06 19:33:29 +0000
commit1756d405cc0d5bf8fd0a40b8d103ee9314522171 (patch)
treefb862f3f0c53144b518ebf0eec245a10a355fa90 /apps
parent116e315303d87c1974500a89dc3ff2fe7f88e59d (diff)
downloadopenssl-1756d405cc0d5bf8fd0a40b8d103ee9314522171.tar.gz
Added support for adding extensions to CRLs; also fixed a memory leak and
made 'req' check the config file syntax before it adds extensions. Added info in the documentation as well.
Diffstat (limited to 'apps')
-rw-r--r--apps/ca.c30
-rw-r--r--apps/openssl.cnf9
-rw-r--r--apps/req.c11
3 files changed, 48 insertions, 2 deletions
diff --git a/apps/ca.c b/apps/ca.c
index ce4181e889..1ac9ae4dbe 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -105,6 +105,7 @@
#define ENV_PRESERVE "preserve"
#define ENV_POLICY "policy"
#define ENV_EXTENSIONS "x509_extensions"
+#define ENV_CRLEXT "crl_extensions"
#define ENV_MSIE_HACK "msie_hack"
#define ENV_DATABASE "database"
@@ -236,6 +237,7 @@ char **argv;
char *outdir=NULL;
char *serialfile=NULL;
char *extensions=NULL;
+ char *crl_ext=NULL;
BIGNUM *serial=NULL;
char *startdate=NULL;
int days=0;
@@ -966,6 +968,17 @@ bad:
/*****************************************************************/
if (gencrl)
{
+ crl_ext=CONF_get_string(conf,section,ENV_CRLEXT);
+ if(crl_ext) {
+ /* Check syntax of file */
+ if(!X509V3_EXT_check_conf(conf, crl_ext)) {
+ BIO_printf(bio_err,
+ "Error Loading CRL extension section %s\n",
+ crl_ext);
+ ret = 1;
+ goto err;
+ }
+ }
if ((hex=BIO_new(BIO_s_mem())) == NULL) goto err;
if (!crldays && !crlhours)
@@ -1043,6 +1056,23 @@ bad:
dgst=EVP_md5();
}
+ /* Add any extensions asked for */
+
+ if(crl_ext) {
+ X509V3_CTX crlctx;
+ if (ci->version == NULL)
+ if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err;
+ ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */
+ crlctx.crl = crl;
+ crlctx.issuer_cert = x509;
+ crlctx.subject_cert = NULL;
+ crlctx.subject_req = NULL;
+ crlctx.flags = 0;
+
+ if(!X509V3_EXT_CRL_add_conf(conf, &crlctx,
+ crl_ext, crl)) goto err;
+ }
+
if (!X509_CRL_sign(crl,pkey,dgst)) goto err;
PEM_write_bio_X509_CRL(Sout,crl);
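Review bot: `crlctx` is an automatic X509V3_CTX that is filled in member by member (crl, issuer_cert, subject_cert, subject_req, flags) before being passed to X509V3_EXT_CRL_add_conf, so any member of that struct not named here is handed over uninitialised; declaring it as `X509V3_CTX crlctx = {0};` (or using the library's context initialiser, if this tree has one) removes the dependence on the struct's exact member list. The return value of `ASN1_INTEGER_set(ci->version,1)` is also dropped, unlike the checked ASN1_INTEGER_new() just above it. The enclosing `if (gencrl)` block starts and ends outside the hunk.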
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 49cff56f35..ac442a732b 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -35,6 +35,7 @@ private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
+crl_extensions = crl_ext # Extensions to add to CRL
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
@@ -188,3 +189,11 @@ issuerAltName=issuer:copy
# 1.2.3.5=RAW:02:03
# You can even override a supported extension:
# basicConstraints= critical, RAW:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always,issuer:always
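Review bot: The new `[ crl_ext ]` section uses `authorityKeyIdentifier=keyid:always,issuer:always`, and the `always` qualifier makes the extension a hard requirement, so CRL generation with this sample config will fail for a CA certificate that carries no subjectKeyIdentifier (assuming this tree already treats `always` as an error rather than a preference). A comment on the line, `# keyid:always requires the CA certificate to carry a subjectKeyIdentifier`, would tell users why their `ca -gencrl` run stops.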
diff --git a/apps/req.c b/apps/req.c
index dad1a50c46..cb9d9d16fa 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -264,11 +264,10 @@ char **argv;
goto end;
}
- /* This will 'disapear'
- * when we free xtmp */
dtmp=X509_get_pubkey(xtmp);
if (dtmp->type == EVP_PKEY_DSA)
dsa_params=DSAparams_dup(dtmp->pkey.dsa);
+ EVP_PKEY_free(dtmp);
X509_free(xtmp);
if (dsa_params == NULL)
{
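Review bot: X509_get_pubkey() can return NULL, and `dtmp->type` on the following line dereferences it without a check; the added `EVP_PKEY_free(dtmp)` closes the leak but leaves that null dereference in place. A guard between the two calls, `if (dtmp == NULL) { X509_free(xtmp); goto end; }`, mirrors the `goto end` already used for the earlier failure at the top of the hunk and frees the certificate on that path. The enclosing function runs beyond both ends of the hunk.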
@@ -437,6 +436,14 @@ bad:
}
extensions = CONF_get_string(req_conf, SECTION, V3_EXTENSIONS);
+ if(extensions) {
+ /* Check syntax of file */
+ if(!X509V3_EXT_check_conf(req_conf, extensions)) {
+ BIO_printf(bio_err,
+ "Error Loading extension section %s\n", extensions);
+ goto end;
+ }
+ }
in=BIO_new(BIO_s_file());
out=BIO_new(BIO_s_file());