diff options
author | Richard Levitte <levitte@openssl.org> | 2017-09-26 10:46:10 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2017-09-26 10:47:43 +0200 |
commit | 4881d849da23528e19b7312f963d28916d9804b1 (patch) | |
tree | 878b8da40844a5a3052d51d20f51eba73b3a07b9 /apps/ca.c | |
parent | 28c0a61b3084ca05d1c590113332501e96b6175d (diff) |
Make sure that a cert with extensions gets version number 2 (v3)
Fixes #4419
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4420)
Diffstat (limited to 'apps/ca.c')
-rw-r--r-- | apps/ca.c | 10 |
1 files changed, 9 insertions, 1 deletions
@@ -1735,7 +1735,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* Lets add the extensions, if there are any */ if (ext_sect) { X509V3_CTX ctx; - X509_set_version(ret, 2); /* Initialize the context structure */ if (selfsign) @@ -1790,6 +1789,15 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, goto end; } + { + const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(ret); + + if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0) + /* Make it an X509 v3 certificate. */ + if (!X509_set_version(ret, 2)) + goto end; + } + /* Set the right value for the noemailDN option */ if (email_dn == 0) { if (!X509_set_subject_name(ret, dn_subject)) |