[openssl-commits] [openssl] master update

Richard Levitte levitte at openssl.org
Tue Sep 26 09:05:58 UTC 2017


The branch master has been updated
       via  4881d849da23528e19b7312f963d28916d9804b1 (commit)
      from  28c0a61b3084ca05d1c590113332501e96b6175d (commit)


- Log -----------------------------------------------------------------
commit 4881d849da23528e19b7312f963d28916d9804b1
Author: Richard Levitte <levitte at openssl.org>
Date:   Tue Sep 26 10:46:10 2017 +0200

    Make sure that a cert with extensions gets version number 2 (v3)
    
    Fixes #4419
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/4420)

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/apps/ca.c b/apps/ca.c
index 976f6bb..3bcbcbb 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1735,7 +1735,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
     /* Lets add the extensions, if there are any */
     if (ext_sect) {
         X509V3_CTX ctx;
-        X509_set_version(ret, 2);
 
         /* Initialize the context structure */
         if (selfsign)
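Review bot: Dropping X509_set_version(ret, 2) from the if (ext_sect) branch changes behaviour for a configured extension section that ends up adding no extensions. The old code marked such a certificate v3 whenever ext_sect was set, while the later check on sk_X509_EXTENSION_num(exts) > 0 leaves the version untouched in that case. If that is intended, the commit message should say so, since it only covers the case where extensions are present.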
@@ -1790,6 +1789,15 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         goto end;
     }
 
+    {
+        const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(ret);
+
+        if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)
+            /* Make it an X509 v3 certificate. */
+            if (!X509_set_version(ret, 2))
+                goto end;
+    }
+
     /* Set the right value for the noemailDN option */
     if (email_dn == 0) {
         if (!X509_set_subject_name(ret, dn_subject))
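Review bot: In the added block, the outer if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0) has a three-line body (comment, inner if, goto end) with no braces, which is easy to misread and fragile if a statement is added later. Either brace the outer if or fold the test into a single condition such as if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0 && !X509_set_version(ret, 2)) followed by goto end, with the comment moved above it. The comment could also state why the value is 2 (the version field is zero-based, so 2 encodes v3), which the commit subject mentions but the code does not.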

