diff options
author | Richard Levitte <levitte@openssl.org> | 2017-09-26 10:45:05 +0200 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2017-09-26 11:04:01 +0200 |
commit | ed0245e08fdf374cd6351a1ae8117d7382115a21 (patch) | |
tree | 9ac0c95225d1f6e7dfc339b890ea4fc796408265 /apps | |
parent | 859a42531acf2c3547711f642bcfd7fd52eb2338 (diff) |
Make sure that a cert with extensions gets version number 2 (v3)
Fixes #4419
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4421)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/ca.c | 13 |
1 files changed, 9 insertions, 4 deletions
@@ -1985,10 +1985,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, /* Lets add the extensions, if there are any */ if (ext_sect) { X509V3_CTX ctx; - if (ci->version == NULL) - if ((ci->version = ASN1_INTEGER_new()) == NULL) - goto err; - ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */ /* * Free the current entries if any, there should not be any I believe @@ -2051,6 +2047,15 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, goto err; } + { + STACK_OF(X509_EXTENSION) *exts = ci->extensions; + + if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0) + /* Make it an X509 v3 certificate. */ + if (!X509_set_version(ret, 2)) + goto err; + } + /* Set the right value for the noemailDN option */ if (email_dn == 0) { if (!X509_set_subject_name(ret, dn_subject)) |