authorRichard Levitte <levitte@openssl.org>2017-09-26 10:45:05 +0200
committerRichard Levitte <levitte@openssl.org>2017-09-26 11:04:01 +0200
commited0245e08fdf374cd6351a1ae8117d7382115a21 (patch)
tree9ac0c95225d1f6e7dfc339b890ea4fc796408265 /apps
parent859a42531acf2c3547711f642bcfd7fd52eb2338 (diff)
Make sure that a cert with extensions gets version number 2 (v3)
Fixes #4419 Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4421)
Diffstat (limited to 'apps')
-rw-r--r--apps/ca.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/apps/ca.c b/apps/ca.c
index f90f033bae..9a839969a2 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1985,10 +1985,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
/* Lets add the extensions, if there are any */
if (ext_sect) {
X509V3_CTX ctx;
- if (ci->version == NULL)
- if ((ci->version = ASN1_INTEGER_new()) == NULL)
- goto err;
- ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */
/*
* Free the current entries if any, there should not be any I believe
@@ -2051,6 +2047,15 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
goto err;
}
+ {
+ STACK_OF(X509_EXTENSION) *exts = ci->extensions;
+
+ if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)
+ /* Make it an X509 v3 certificate. */
+ if (!X509_set_version(ret, 2))
+ goto err;
+ }
+
/* Set the right value for the noemailDN option */
if (email_dn == 0) {
if (!X509_set_subject_name(ret, dn_subject))
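Review bot: The added block nests an unbraced `if (!X509_set_version(ret, 2))` under the unbraced `if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)` with a comment in between, which is easy to break if an `else` or a second statement is added later. A single braced condition is safer: `if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0 && !X509_set_version(ret, 2)) { goto err; }`. The comment could also give the reason, for example `/* RFC 5280 4.1.2.1: extensions require a v3 certificate; the encoded version value is 2. */`, since a certificate that carries extensions but is marked v1 is malformed. The check is only correct if it runs after every step that can populate `ci->extensions`. do_body starts and ends outside the hunk, so it is worth confirming that nothing later in the function adds extensions.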