authorDr. Stephen Henson <steve@openssl.org>1999-02-10 01:12:59 +0000
committerDr. Stephen Henson <steve@openssl.org>1999-02-10 01:12:59 +0000
commit175b0942ec7e82f86831916d325922817872e657 (patch)
tree44262b09075d8ca2b46b4819069f4a5df304ae89 /apps
parentc45beb91b3ddf18b29c65b64b9e0ee74497a7f27 (diff)
More extension code. Incomplete support for subject and issuer alt
name, issuer and authority key id. Change the i2v function parameters and add an extra 'crl' parameter in the X509V3_CTX structure: guess what that's for :-) Fix to ASN1 macro which messed up IMPLICIT tag and add f_enum.c which adds a2i, i2a for ENUMERATED.
Diffstat (limited to 'apps')
-rw-r--r--apps/ca.c12
-rw-r--r--apps/openssl.cnf5
-rw-r--r--apps/req.c2
3 files changed, 16 insertions, 3 deletions
diff --git a/apps/ca.c b/apps/ca.c
index 07ef9ebb9d..25e025d180 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -690,9 +690,8 @@ bad:
extensions=CONF_get_string(conf,section,ENV_EXTENSIONS);
if(extensions) {
-
/* Check syntax of file */
- if(!X509V3_EXT_add_conf(conf, NULL, extensions, NULL)) {
+ if(!X509V3_EXT_check_conf(conf, extensions)) {
BIO_printf(bio_err,
"Error Loading extension section %s\n",
extensions);
@@ -1669,6 +1668,7 @@ again2:
/* Lets add the extensions, if there are any */
if (ext_sect)
{
+ X509V3_CTX ctx;
if (ci->version == NULL)
if ((ci->version=ASN1_INTEGER_new()) == NULL)
goto err;
@@ -1681,7 +1681,13 @@ again2:
ci->extensions = NULL;
- if(!X509V3_EXT_add_conf(conf, NULL, ext_sect, ret)) goto err;
+ ctx.subject_cert = ret;
+ ctx.issuer_cert = x509;
+ ctx.subject_req = req;
+ ctx.crl = NULL;
+ ctx.flags = 0;
+
+ if(!X509V3_EXT_add_conf(conf, &ctx, ext_sect, ret)) goto err;
}
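Review bot: `ctx` is declared in the previous hunk as `X509V3_CTX ctx;` with no initializer and is filled here one member at a time, so if X509V3_CTX has or later gains a member not listed, the extension handlers reached through `X509V3_EXT_add_conf` would read an indeterminate value. The commit itself shows the maintenance cost: adding `crl` means every caller must be edited, and the apps/req.c hunk has to add `ext_ctx.crl = NULL;` and `ext_ctx.flags = 0;` by hand. Because this context feeds certificate issuance, clear the structure before the assignments with `memset(&ctx, 0, sizeof(ctx));` (and likewise `ext_ctx` in apps/req.c), so an unset member defaults to NULL/0 instead of stack contents. The enclosing function starts and ends outside the hunk.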
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 27abc08bad..81dee57055 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -127,6 +127,7 @@ basicConstraints=CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
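Review bot: The added `subjectKeyIdentifier=hash` line in this section has no comment, while the same line in the CA-section hunk below is introduced with `# PKIX recommendation.`. This sample file is what people copy into their own CA configuration, so the meaning of the value should be stated where it first appears. Suggested comment above the line, to be checked against the extension code: `# PKIX recommendation: key identifier derived from a hash of the public key.`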
@@ -142,6 +143,10 @@ nsComment = "OpenSSL Generated Certificate"
# It's a CA certificate
basicConstraints = CA:true
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
diff --git a/apps/req.c b/apps/req.c
index 3407cd0ee3..b2c1bb2578 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -657,6 +657,8 @@ loop:
ext_ctx.issuer_cert = x509ss;
ext_ctx.subject_cert = x509ss;
ext_ctx.subject_req = NULL;
+ ext_ctx.crl = NULL;
+ ext_ctx.flags = 0;
/* Add extensions */
if(extensions && !X509V3_EXT_add_conf(req_conf,