diff options
| -rw-r--r-- | CHANGES | 4 | ||||
| -rw-r--r-- | apps/ca.c | 30 | ||||
| -rw-r--r-- | apps/openssl.cnf | 9 | ||||
| -rw-r--r-- | apps/req.c | 11 | ||||
| -rw-r--r-- | crypto/pkcs7/sign.c | 3 | ||||
| -rw-r--r-- | crypto/x509v3/v3_conf.c | 23 | ||||
| -rw-r--r-- | crypto/x509v3/x509v3.h | 2 | ||||
| -rw-r--r-- | doc/README | 3 | ||||
| -rw-r--r-- | doc/ext-conf.txt | 14 |
9 files changed, 94 insertions, 5 deletions
@@ -5,6 +5,10 @@ Changes between 0.9.1c and 0.9.2 + *) Permit extensions to be added to CRLs using crl_section in openssl.cnf. + Currently only issuerAltName and AuthorityKeyIdentifier make any sense + in CRLs. + *) Add a useful kludge to allow package maintainers to specify compiler and other platforms details on the command line without having to patch the Configure script everytime: One now can use ``perl Configure @@ -105,6 +105,7 @@ #define ENV_PRESERVE "preserve" #define ENV_POLICY "policy" #define ENV_EXTENSIONS "x509_extensions" +#define ENV_CRLEXT "crl_extensions" #define ENV_MSIE_HACK "msie_hack" #define ENV_DATABASE "database" @@ -236,6 +237,7 @@ char **argv; char *outdir=NULL; char *serialfile=NULL; char *extensions=NULL; + char *crl_ext=NULL; BIGNUM *serial=NULL; char *startdate=NULL; int days=0; @@ -966,6 +968,17 @@ bad: /*****************************************************************/ if (gencrl) { + crl_ext=CONF_get_string(conf,section,ENV_CRLEXT); + if(crl_ext) { + /* Check syntax of file */ + if(!X509V3_EXT_check_conf(conf, crl_ext)) { + BIO_printf(bio_err, + "Error Loading CRL extension section %s\n", + crl_ext); + ret = 1; + goto err; + } + } if ((hex=BIO_new(BIO_s_mem())) == NULL) goto err; if (!crldays && !crlhours) @@ -1043,6 +1056,23 @@ bad: dgst=EVP_md5(); } + /* Add any extensions asked for */ + + if(crl_ext) { + X509V3_CTX crlctx; + if (ci->version == NULL) + if ((ci->version=ASN1_INTEGER_new()) == NULL) goto err; + ASN1_INTEGER_set(ci->version,1); /* version 2 CRL */ + crlctx.crl = crl; + crlctx.issuer_cert = x509; + crlctx.subject_cert = NULL; + crlctx.subject_req = NULL; + crlctx.flags = 0; + + if(!X509V3_EXT_CRL_add_conf(conf, &crlctx, + crl_ext, crl)) goto err; + } + if (!X509_CRL_sign(crl,pkey,dgst)) goto err; PEM_write_bio_X509_CRL(Sout,crl); diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 49cff56f35..ac442a732b 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -35,6 +35,7 @@ private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert +crl_extensions = crl_ext # Extensions to add to CRL default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL default_md = md5 # which md to use. @@ -188,3 +189,11 @@ issuerAltName=issuer:copy # 1.2.3.5=RAW:02:03 # You can even override a supported extension: # basicConstraints= critical, RAW:30:03:01:01:FF + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +issuerAltName=issuer:copy +authorityKeyIdentifier=keyid:always,issuer:always diff --git a/apps/req.c b/apps/req.c index dad1a50c46..cb9d9d16fa 100644 --- a/apps/req.c +++ b/apps/req.c @@ -264,11 +264,10 @@ char **argv; goto end; } - /* This will 'disapear' - * when we free xtmp */ dtmp=X509_get_pubkey(xtmp); if (dtmp->type == EVP_PKEY_DSA) dsa_params=DSAparams_dup(dtmp->pkey.dsa); + EVP_PKEY_free(dtmp); X509_free(xtmp); if (dsa_params == NULL) { @@ -437,6 +436,14 @@ bad: } extensions = CONF_get_string(req_conf, SECTION, V3_EXTENSIONS); + if(extensions) { + /* Check syntax of file */ + if(!X509V3_EXT_check_conf(req_conf, extensions)) { + BIO_printf(bio_err, + "Error Loading extension section %s\n", extensions); + goto end; + } + } in=BIO_new(BIO_s_file()); out=BIO_new(BIO_s_file()); diff --git a/crypto/pkcs7/sign.c b/crypto/pkcs7/sign.c index 6ad88d4688..772863be0f 100644 --- a/crypto/pkcs7/sign.c +++ b/crypto/pkcs7/sign.c @@ -110,8 +110,11 @@ again: /* Add some extra attributes */ if (!add_signed_time(si)) goto err; +#if 0 + /* Since these are made up attributes lets leave them out */ if (!add_signed_string(si,"SIGNED STRING")) goto err; if (!add_signed_seq2string(si,"STRING1","STRING2")) goto err; +#endif /* we may want to add more */ PKCS7_add_certificate(p7,x509); diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509v3/v3_conf.c index 78dd9954ae..5e0fa0b23f 100644 --- a/crypto/x509v3/v3_conf.c +++ b/crypto/x509v3/v3_conf.c @@ -264,6 +264,29 @@ X509 *cert; return 1; } +/* Same as above but for a CRL */ + +int X509V3_EXT_CRL_add_conf(conf, ctx, section, crl) +LHASH *conf; +X509V3_CTX *ctx; +char *section; +X509_CRL *crl; +{ + X509_EXTENSION *ext; + STACK *nval; + CONF_VALUE *val; + int i; + if(!(nval = CONF_get_section(conf, section))) return 0; + for(i = 0; i < sk_num(nval); i++) { + val = (CONF_VALUE *)sk_value(nval, i); + if(!(ext = X509V3_EXT_conf(conf, ctx, val->name, val->value))) + return 0; + if(crl) X509_CRL_add_ext(crl, ext, -1); + X509_EXTENSION_free(ext); + } + return 1; +} + /* Just check syntax of config file as far as possible */ int X509V3_EXT_check_conf(conf, section) LHASH *conf; diff --git a/crypto/x509v3/x509v3.h b/crypto/x509v3/x509v3.h index 282732e8ef..1f5f797858 100644 --- a/crypto/x509v3/x509v3.h +++ b/crypto/x509v3/x509v3.h @@ -246,6 +246,7 @@ void X509V3_conf_free(CONF_VALUE *val); X509_EXTENSION *X509V3_EXT_conf_nid(LHASH *conf, X509V3_CTX *ctx, int ext_nid, char *value); X509_EXTENSION *X509V3_EXT_conf(LHASH *conf, X509V3_CTX *ctx, char *name, char *value); int X509V3_EXT_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509 *cert); +int X509V3_EXT_CRL_add_conf(LHASH *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl); int X509V3_EXT_check_conf(LHASH *conf, char *section); int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool); int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint); @@ -326,6 +327,7 @@ char *i2s_ASN1_INTEGER(); char * i2s_ASN1_ENUMERATED(); char * i2s_ASN1_ENUMERATED_TABLE(); int X509V3_EXT_add(); +int X509V3_EXT_CRL_add_conf(); int X509V3_EXT_add_alias(); void X509V3_EXT_cleanup(); diff --git a/doc/README b/doc/README index 81c59803fd..669106854b 100644 --- a/doc/README +++ b/doc/README @@ -3,4 +3,5 @@ crypto.pod ...... Documentation of OpenSSL crypto.h+libcrypto.a ssl.pod ......... Documentation of OpenSSL ssl.h+libssl.a ssleay.txt ...... Assembled documentation files of ancestor SSLeay [obsolete} - + ext-conf.txt .... Text documentation about configuring new extension code. + buffer.txt ...... Text documentation about the buffer library. diff --git a/doc/ext-conf.txt b/doc/ext-conf.txt index b9cf5a5ab9..1d0f6fb3c3 100644 --- a/doc/ext-conf.txt +++ b/doc/ext-conf.txt @@ -14,8 +14,8 @@ PRINTING EXTENSIONS. Extension values are automatically printed out for supported extensions. -x509 -in cert.pem -text -crl -in crl.pem -text +openssl x509 -in cert.pem -text +openssl crl -in crl.pem -text will give information in the extension printout, for example: @@ -43,6 +43,16 @@ indicates which section contains the extensions. In the case of 'req' the extension section is used when the -x509 option is present to create a self signed root certificate. +You can also add extensions to CRLs: a line + +crl_extensions = crl_extension_section + +will include extensions when the -gencrl option is used with the 'ca' utility. +You can add any extension to a CRL but of the supported extensions only +issuerAltName and authorityKeyIdentifier make any real sense. Note: these are +CRL extensions NOT CRL *entry* extensions which cannot currently be generated. +CRL entry extensions can be displayed. + EXTENSION SYNTAX. Extensions have the basic form: |