New '-extfile' option for 'openssl ca'.

This allows keeping extensions in a separate configuration file. Submitted by: Massimiliano Pala <madwolf@comune.modena.it>

New '-extfile' option for 'openssl ca'.
This allows keeping extensions in a separate configuration file. Submitted by: Massimiliano Pala <madwolf@comune.modena.it>
dfebac32 · Bodo Möller · ab5db007 · dfebac32 · dfebac32 · dfebac32
隐藏空白更改
内联并排

Showing with 114 addition and 22 deletion

CHANGES CHANGES +7 -0

apps/ca.c apps/ca.c +96 -19

doc/apps/ca.pod doc/apps/ca.pod +11 -3

未找到文件。
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,13 @@
 Changes between 0.9.6 and 0.9.7  [xx XXX 2000]
+  *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
+     extensions from a separate configuration file.
+     As when reading extensions from the main configuration file,
+     the '-extensions ...' option may be used for specifying the
+     section to use.
+     [Massimiliano Pala <madwolf@comune.modena.it>]
  *) Change PKCS12_key_gen_asc() so it can cope with non null
     terminated strings whose length is passed in the passlen
     parameter, for example from PEM callbacks. This was done

--- a/apps/ca.c
+++ b/apps/ca.c
@@ -169,6 +169,7 @@ static char *ca_usage[]={
 " -msie_hack      - msie modifications to handle all those universal strings\n",
 " -revoke file    - Revoke a certificate (given in file)\n",
 " -extensions ..  - Extension section (override value in config file)\n",
+" -extfile file   - Configuration file with X509v3 extentions to add\n",
 " -crlexts ..     - CRL extension section (override value in config file)\n",
 " -engine e       - use engine e, possibly a hardware device.\n",
 " -status serial  - Shows certificate status given the serial number\n",
@@ -215,6 +216,7 @@ static int get_certificate_status(const char *ser_status, TXT_DB *db);
 static int do_updatedb(TXT_DB *db);
 static int check_time_format(char *str);
 static LHASH *conf=NULL;
+static LHASH *extconf=NULL;
 static char *section=NULL;
 static int preserve=0;
@@ -260,6 +262,7 @@ int MAIN(int argc, char **argv)
 	char *outdir=NULL;
 	char *serialfile=NULL;
 	char *extensions=NULL;
+	char *extfile=NULL;
 	char *crl_ext=NULL;
 	BIGNUM *serial=NULL;
 	char *startdate=NULL;
@@ -438,6 +441,11 @@ EF_ALIGNMENT=0;
 			if (--argc < 1) goto bad;
 			extensions= *(++argv);
 			}
+		else if (strcmp(*argv,"-extfile") == 0)
+			{
+			if (--argc < 1) goto bad;
+			extfile= *(++argv);
+			}
 		else if (strcmp(*argv,"-status") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -910,12 +918,36 @@ bad:
 			goto err;
 	  	}
+ 	/*****************************************************************/
+	/* Read extentions config file                                   */
+	if (extfile)
+		{
+		long errorline;
+		if (!(extconf=CONF_load(NULL,extfile,&errorline)))
+			{
+			if (errorline <= 0)
+				BIO_printf(bio_err, "ERROR: loading the config file '%s'\n",
+					extfile);
+			else
+				BIO_printf(bio_err, "ERROR: on line %ld of config file '%s'\n",
+					errorline,extfile);
+			ret = 1;
+			goto err;
+			}
+		if (verbose)
+			BIO_printf(bio_err, "Succesfully loaded extensions file %s\n", extfile);
+		/* We can have sections in the ext file */
+		if (!extensions && !(extensions = CONF_get_string(extconf, "default", "extensions")))
+			extensions = "default";
+                }
 	/*****************************************************************/
 	if (req || gencrl)
 		{
 		if (outfile != NULL)
 			{
 			if (BIO_write_filename(Sout,outfile) <= 0)
 				{
 				perror(outfile);
@@ -965,25 +997,33 @@ bad:
 			lookup_fail(section,ENV_SERIAL);
 			goto err;
 			}
-		if (!extensions)
+		if (!extconf)
 			{
-			extensions=CONF_get_string(conf,section,ENV_EXTENSIONS);
+			/* no '-extfile' option, so we look for extensions
+			 * in the main configuration file */
 			if (!extensions)
-				ERR_clear_error();
-			}
-		if (extensions)
-			{
-			/* Check syntax of file */
-			X509V3_CTX ctx;
-			X509V3_set_ctx_test(&ctx);
-			X509V3_set_conf_lhash(&ctx, conf);
-			if (!X509V3_EXT_add_conf(conf, &ctx, extensions, NULL))
 				{
-				BIO_printf(bio_err,
+				extensions=CONF_get_string(conf,section,
-				 "Error Loading extension section %s\n",
+								ENV_EXTENSIONS);
+				if (!extensions)
+					ERR_clear_error();
+				}
+			if (extensions)
+				{
+				/* Check syntax of file */
+				X509V3_CTX ctx;
+				X509V3_set_ctx_test(&ctx);
+				X509V3_set_conf_lhash(&ctx, conf);
+				if (!X509V3_EXT_add_conf(conf, &ctx, extensions,
+								NULL))
+					{
+					BIO_printf(bio_err,
+				 	"Error Loading extension section %s\n",
 								 extensions);
-				ret = 1;
+					ret = 1;
-				goto err;
+					goto err;
+					}
 				}
 			}
@@ -2039,11 +2079,47 @@ again2:
 		ci->extensions = NULL;
+		/* Initialize the context structure */
 		X509V3_set_ctx(&ctx, x509, ret, req, NULL, 0);
-		X509V3_set_conf_lhash(&ctx, lconf);
-		if (!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret)) goto err;
+		if (extconf)
+			{
+			if (verbose)
+				BIO_printf(bio_err, "Extra configuration file found\n");
+			/* Use the extconf configuration db LHASH */
+			X509V3_set_conf_lhash(&ctx, extconf);
+			/* Test the structure (needed?) */
+			/* X509V3_set_ctx_test(&ctx); */
+			/* Adds exts contained in the configuration file */
+			if (!X509V3_EXT_add_conf(extconf, &ctx, ext_sect,ret))
+				{
+				BIO_printf(bio_err,
+				    "ERROR: adding extensions in section %s\n",
+								ext_sect);
+				ERR_print_errors(bio_err);
+				goto err;
+				}
+			if (verbose)
+				BIO_printf(bio_err, "Successfully added extensions from file.\n");
+			}
+		else if (ext_sect)
+			{
+			/* We found extensions to be set from config file */
+			X509V3_set_conf_lhash(&ctx, lconf);
+			if(!X509V3_EXT_add_conf(lconf, &ctx, ext_sect, ret))
+				{
+				BIO_printf(bio_err, "ERROR: adding extensions in section %s\n", ext_sect);
+				ERR_print_errors(bio_err);
+				goto err;
+				}
+			if (verbose) 
+				BIO_printf(bio_err, "Successfully added extensions from config\n");
+			}
 		}
@@ -2481,7 +2557,8 @@ static int get_certificate_status(const char *serial, TXT_DB *db)
 	/* Make it Upper Case */
 	for (i=0; row[DB_serial][i] != '\0'; i++)
-		row[DB_serial][i] = toupper((unsigned char)row[DB_serial][i]);
+		row[DB_serial][i] = toupper(row[DB_serial][i]);
 	ok=1;

--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -36,6 +36,7 @@ B<openssl> B<ca>
 [B<-batch>]
 [B<-msie_hack>]
 [B<-extensions section>]
+[B<-extfile section>]
 =head1 DESCRIPTION
@@ -162,9 +163,16 @@ and all certificates will be certified automatically.
 =item B<-extensions section>
 the section of the configuration file containing certificate extensions
-to be added when a certificate is issued. If no extension section is
+to be added when a certificate is issued (defaults to B<x509_extensions>
-present then a V1 certificate is created. If the extension section
+unless the B<-extfile> option is used). If no extension section is
-is present (even if it is empty) then a V3 certificate is created.
+present then, a V1 certificate is created. If the extension section
+is present (even if it is empty), then a V3 certificate is created.
+=item B<-extfile file>
+an additional configuration file to read certificate extensions from
+(using the default section unless the B<-extensions> option is also
+used).
 =back