Hi all,
I added a new feature in the ca tool which (just like in the x509 one) adds
the possibility to indicate another configuration file to be used to load
extensions from.
The tag usage is:
$ openssl ca -cert ... -extfile exts.cnf
inside exts.cnf you can put several sections and select one of them with the
-extensions tag as usual.
I attach the ca.diff file, to apply the patch just copy it into the
openssl-0.9.6/apps directory, cd to that dir and type:
$ patch -p0 <ca.diff
Let me know if you find any problems and/or bugs when using it. I would also
suggest integrating it into the distribution (let me know if you do, so that
I need not distribute the patch with the OpenCA package).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
--- ca.c Mon Nov 6 01:08:04 2000
+++ ca.patched Mon Nov 6 01:07:27 2000
@@ -166,6 +166,7 @@
" -msie_hack - msie modifications to handle all those universal strings\n",
" -revoke file - Revoke a certificate (given in file)\n",
" -extensions .. - Extension section (override value in config file)\n",
+" -extfile file - Configuration file with X509v3 extentions to add\n",
" -crlexts .. - CRL extension section (override value in config file)\n",
NULL
};
@@ -207,6 +208,7 @@
static int do_revoke(X509 *x509, TXT_DB *db);
static int check_time_format(char *str);
static LHASH *conf=NULL;
+static LHASH *extconf=NULL;
static char *section=NULL;
static int preserve=0;
@@ -242,6 +244,7 @@
char *outdir=NULL;
char *serialfile=NULL;
char *extensions=NULL;
+ char *extfile=NULL;
char *crl_ext=NULL;
BIGNUM *serial=NULL;
char *startdate=NULL;
@@ -338,6 +341,11 @@
if (--argc < 1) goto bad;
passargin= *(++argv);
}
+ else if (strcmp(*argv,"-extfile") == 0)
+ {
+ if (--argc < 1) goto bad;
+ extfile= *(++argv);
+ }
else if (strcmp(*argv,"-key") == 0)
{
if (--argc < 1) goto bad;
@@ -718,6 +726,34 @@
}
/*****************************************************************/
+ /* We neeed to lookup for extra extentions config file */
+ if (extfile)
+ {
+ long errorline;
+ if (!(extconf=CONF_load(NULL,extfile,&errorline)))
+ {
+ if (errorline <= 0)
+ BIO_printf(bio_err,
+ "ERROR: loading the config file '%s'\n",
+ extfile);
+ else
+ BIO_printf(bio_err,
+ "ERROR: on line %ld of config file '%s'\n",
+ errorline,extfile);
+ ret = 1;
+ goto err;
+ }
+
+ if( verbose )
+ BIO_printf( bio_err,
+ "Succesfully loaded extensions file %s\n", extfile );
+
+ if (!extensions && !(extensions = CONF_get_string(extconf,
+ "default", "extensions")))
+ extensions = "default";
+ }
+
+ /*****************************************************************/
if (req || gencrl)
{
if (outfile != NULL)
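Review bot: `extconf` is loaded here but, as far as the posted hunks show, never released with `CONF_free()`; the `err` label is outside this hunk, so presumably `if (extconf != NULL) CONF_free(extconf);` belongs next to the existing cleanup of `conf` there. `errorline` is read in the failure branch but only written by `CONF_load()` once the file has been opened, so declare it as `long errorline = 0;` to avoid reporting an uninitialized line number when the file does not exist (the existing load of the main config file has the same pattern). The verbose message spells "Succesfully"; `"Successfully loaded extensions file %s\n"`. The enclosing function starts and ends outside this hunk.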
@@ -772,20 +808,27 @@
lookup_fail(section,ENV_SERIAL);
goto err;
}
- if(!extensions)
- extensions=CONF_get_string(conf,section,ENV_EXTENSIONS);
- if(extensions) {
- /* Check syntax of file */
- X509V3_CTX ctx;
- X509V3_set_ctx_test(&ctx);
- X509V3_set_conf_lhash(&ctx, conf);
- if(!X509V3_EXT_add_conf(conf, &ctx, extensions, NULL)) {
- BIO_printf(bio_err,
- "Error Loading extension section %s\n",
+ if(!extconf)
+ {
+ if(!extensions)
+ extensions=CONF_get_string(conf,section,
+ ENV_EXTENSIONS);
+ if(extensions)
+ {
+ /* Check syntax of file */
+ X509V3_CTX ctx;
+ X509V3_set_ctx_test(&ctx);
+ X509V3_set_conf_lhash(&ctx, conf);
+ if(!X509V3_EXT_add_conf(conf, &ctx, extensions,
+ NULL))
+ {
+ BIO_printf(bio_err,
+ "Error Loading extension section %s\n",
extensions);
- ret = 1;
- goto err;
- }
+ ret = 1;
+ goto err;
+ }
+ }
}
if (startdate == NULL)
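Review bot: Wrapping the syntax check in `if(!extconf)` skips it entirely when `-extfile` is given, so a bad section in the extra file is only detected later in do_body, after the certificate body has been built; the same check works against the new database if the source is chosen once: `LHASH *ext_db = extconf ? extconf : conf;` declared beside `X509V3_CTX ctx;`, then `X509V3_set_conf_lhash(&ctx, ext_db);` and `if(!X509V3_EXT_add_conf(ext_db, &ctx, extensions, NULL))`. The `if(!extensions)` lookup from `conf` would stay guarded by `!extconf`, since the earlier hunk already defaults `extensions` when an extfile is in use. The enclosing function continues outside this hunk.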
@@ -1812,13 +1855,18 @@
if (!i) goto err;
/* Lets add the extensions, if there are any */
- if (ext_sect)
+ /*Added by madwolf - enables the use of an external extensions file*/
+ if( extconf || ext_sect )
{
+ /* New Context Structure */
X509V3_CTX ctx;
+
if (ci->version == NULL)
if ((ci->version=ASN1_INTEGER_new()) == NULL)
goto err;
- ASN1_INTEGER_set(ci->version,2); /* version 3 certificate */
+
+ /* version 3 certificate */
+ ASN1_INTEGER_set(ci->version,2);
/* Free the current entries if any, there should not
* be any I believe */
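Review bot: `if( extconf || ext_sect )` lets the block run with `ext_sect == NULL` whenever an extfile is loaded, and the next hunk then passes that NULL section to `X509V3_EXT_add_conf()`; from main this is presumably unreachable because the load hunk defaults `extensions` to "default", but do_body can be kept self-contained with `if (extconf && ext_sect == NULL) ext_sect = "default";` before the test, or by leaving the condition as `if (ext_sect)`. The enclosing function starts and ends outside this hunk.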
@@ -1828,13 +1876,53 @@
ci->extensions = NULL;
+ /* Initialize the context structure */
X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
- X509V3_set_conf_lhash(&ctx, lconf);
- if(!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret)) goto err;
+ if( extconf )
+ {
+ if( verbose )
+ BIO_printf( bio_err, "Extra Configuration file
+found\n" );
- }
+ /* Use the extconf configuratio db LHASH */
+ X509V3_set_conf_lhash(&ctx, extconf);
+ /* Test the structure (needed?) */
+ /* X509V3_set_ctx_test(&ctx); */
+
+ /* Adds extentions contained in the configuratio file */
+ if (!X509V3_EXT_add_conf(extconf, &ctx, ext_sect,ret))
+ {
+ BIO_printf(bio_err,
+ "ERROR: adding extensions in section %s\n",
+ ext_sect);
+ ERR_print_errors(bio_err);
+ goto err;
+ }
+ if( verbose )
+ BIO_printf(bio_err,
+ "Successfully added extentions from file.\n");
+ }
+ else if (ext_sect)
+ {
+ /* We found extensions to be set from config file */
+ X509V3_set_conf_lhash(&ctx, lconf);
+
+ if(!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret))
+ {
+ BIO_printf(bio_err,
+ "ERROR: adding extensions in section %s\n",
+ ext_sect);
+ ERR_print_errors(bio_err);
+ goto err;
+ }
+
+ if( verbose )
+ BIO_printf( bio_err,
+ "Successfully added extentions from config\n" );
+
+ }
+ }
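Review bot: The literal at `BIO_printf( bio_err, "Extra Configuration file` is split across two patch lines, so the added source contains a raw newline inside a string constant and will not compile as posted; join it to `"Extra Configuration file found\n"`. The two branches are otherwise the same error handling with a different LHASH, so selecting the database once removes the duplicated block and the commented-out `/* X509V3_set_ctx_test(&ctx); */` line, which should be dropped rather than left in. The user-visible messages also spell "extentions" (here, in the usage string of the first hunk and in the comment of the load hunk). The enclosing function continues past this hunk.
```c
	/* Initialize the context structure */
	X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
		{
		/* -extfile, when given, replaces the main config as the source of extensions */
		LHASH *ext_db = extconf ? extconf : lconf;

		X509V3_set_conf_lhash(&ctx, ext_db);
		if (!X509V3_EXT_add_conf(ext_db, &ctx, ext_sect, ret))
			{
			BIO_printf(bio_err, "ERROR: adding extensions in section %s\n",
				ext_sect);
			ERR_print_errors(bio_err);
			goto err;
			}
		if (verbose)
			BIO_printf(bio_err, "Successfully added extensions from %s\n",
				extconf ? "file" : "config");
		}
```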
if (!batch)
{