#define MIN_KEY_LENGTH 512
#define DEFAULT_DAYS 30 /* default cert validity period in days */
#define UNSET_DAYS -2 /* -1 may be used for testing expiration checks */
+#define EXT_COPY_UNSET -1
static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, X509_NAME *fsubj,
int mutlirdn, int attribs, unsigned long chtype);
OPT_VERIFY, OPT_NOENC, OPT_NODES, OPT_NOOUT, OPT_VERBOSE, OPT_UTF8,
OPT_NAMEOPT, OPT_REQOPT, OPT_SUBJ, OPT_SUBJECT, OPT_TEXT, OPT_X509,
OPT_CA, OPT_CAKEY,
- OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL, OPT_ADDEXT, OPT_EXTENSIONS,
+ OPT_MULTIVALUE_RDN, OPT_DAYS, OPT_SET_SERIAL,
+ OPT_COPY_EXTENSIONS, OPT_ADDEXT, OPT_EXTENSIONS,
OPT_REQEXTS, OPT_PRECERT, OPT_MD,
OPT_SECTION,
OPT_R_ENUM, OPT_PROV_ENUM
"Deprecated; multi-valued RDNs support is always on."},
{"days", OPT_DAYS, 'p', "Number of days cert is valid for"},
{"set_serial", OPT_SET_SERIAL, 's', "Serial number to use"},
+ {"copy_extensions", OPT_COPY_EXTENSIONS, 's',
+ "copy extensions from request when using -x509"},
{"addext", OPT_ADDEXT, 's',
"Additional cert extension key=value pair (may be given more than once)"},
{"extensions", OPT_EXTENSIONS, 's',
X509_REQ *req = NULL;
const EVP_CIPHER *cipher = NULL;
const EVP_MD *md_alg = NULL, *digest = NULL;
+ int ext_copy = EXT_COPY_UNSET;
BIO *addext_bio = NULL;
char *extensions = NULL;
const char *infile = NULL, *CAfile = NULL, *CAkeyfile = NULL;
case OPT_MULTIVALUE_RDN:
/* obsolete */
break;
+ case OPT_COPY_EXTENSIONS:
+ if (!set_ext_copy(&ext_copy, opt_arg())) {
+ BIO_printf(bio_err, "Invalid extension copy option: \"%s\"\n", opt_arg());
+ goto end;
+ }
+ break;
case OPT_ADDEXT:
p = opt_arg();
if (addexts == NULL) {
if (argc != 0)
goto opthelp;
- if (days != UNSET_DAYS && !gen_x509)
- BIO_printf(bio_err, "Ignoring -days; not generating a certificate\n");
+ if (!gen_x509) {
+ if (days != UNSET_DAYS)
+ BIO_printf(bio_err, "Ignoring -days without -x509; not generating a certificate\n");
+ if (ext_copy == EXT_COPY_NONE)
+ BIO_printf(bio_err, "Ignoring -copy_extensions 'none' when -x509 is not given\n");
+ }
if (gen_x509 && infile == NULL)
newreq = 1;
goto end;
if (!pub_key || !X509_set_pubkey(new_x509, pub_key))
goto end;
+ if (ext_copy == EXT_COPY_UNSET)
+ BIO_printf(bio_err, "Warning: No -copy_extensions given; ignoring any extensions in the request\n");
+ else if (!copy_extensions(new_x509, req, ext_copy)) {
+ BIO_printf(bio_err, "Error copying extensions from request\n");
+ goto end;
+ }
/* TODO: (optionally) copy X.509 extensions from req */
/* Set up V3 context struct */
[B<-days> I<n>]
[B<-set_serial> I<n>]
[B<-newhdr>]
+[B<-copy_extensions> I<arg>]
[B<-addext> I<ext>]
[B<-extensions> I<section>]
[B<-reqexts> I<section>]
Unless specified using the B<-set_serial> option,
a large random number will be used for the serial number.
+Unless the B<-copy_extensions> option is used,
X.509 extensions are not copied from any provided request input file.
X.509 extensions to be added can be specified in the configuration file
or using the B<-addext> option.
Serial number to use when outputting a self-signed certificate. This
may be specified as a decimal value or a hex value if preceded by C<0x>.
+=item B<-copy_extensions> I<arg>
+
+Determines how extensions in certificate requests should be handled when B<-x509> is given.
+If I<arg> is B<none> or this option is not present
+then extensions present in the request are ignored.
+If I<arg> is B<copy> or B<copyall> then
+any extensions present in the request are copied to the certificate.
+
+The main use of this option is to allow a certificate request to supply
+values for certain extensions such as subjectAltName.
+
=item B<-addext> I<ext>
Add a specific extension to the certificate (if the B<-x509> option is
--- /dev/null
+-----BEGIN CERTIFICATE REQUEST-----
+MIICzTCCAbcCAQAwVDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDENMAsGA1UEAwwEdGVz
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvdj9Ix
+sogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOzn1k5
+0DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/Wl9rF
+QtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0lYW5I
+NvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAcZGh7
+r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9CLNN
+sUcCAwEAAaA2MBYGCSqGSIb3DQEJAjEJDAdDb21wYW55MBwGCSqGSIb3DQEJDjEP
+MA0wCwYDVR0PBAQDAgeAMAsGCSqGSIb3DQEBCwOCAQEAYd4B+FkWRuVVDPYfrN8P
+UdZbLTggUGrpdhRibnoAsLNQ3cCS90OsCq5FLD6TVUCNb1gnp15Jp1WChQSyD3zC
+jb8VgivDeDOuk08Zy2Fl2+QvuwyQ9hKTAOTdAmP/bapAi7zniElSTP6BZ8vyEtuP
+FCEWJ5UjhvUYbZOG5WIHxhT+24CtYH3iHNir4OlDbsYrUBKEmQZIDj6WC01UT+4U
+/up2xKq1Y+rOUv2Xy3K9O/U1W/3AF7IvcDyd7+qQTGD8U2X3efzZYOffhTN+9Rvn
+5t82CnHLjFn4Co43RBiOcbjSDbvtaghtDiYB2tSUuqafHiuAJKx6zAm0Y2FR8X+z
+gg==
+-----END CERTIFICATE REQUEST-----
setup("test_req");
-plan tests => 38;
+plan tests => 42;
require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
my $expect = shift @_;
cert_contains($cert, "Authority Key Identifier", $expect);
}
+sub has_keyUsage {
+ my $cert = shift @_;
+ my $expect = shift @_;
+ cert_contains($cert, "Key Usage", $expect);
+}
sub strict_verify {
my $cert = shift @_;
my $expect = shift @_;
"-in", srctop_file(@certs, "x509-check.csr"));
cert_ext_has_n_different_lines($cert, 4, $SKID_AKID); # SKID != AKID
strict_verify($cert, 1);
+
+my $cert = "self-signed_CA_no_keyUsage.pem";
+generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"));
+has_keyUsage($cert, 0);
+my $cert = "self-signed_CA_with_keyUsages.pem";
+generate_cert($cert, "-in", srctop_file(@certs, "ext-check.csr"),
+ "-copy_extensions", "copy");
+has_keyUsage($cert, 1);