Fix openssl req with -addext subjectAltName=dirName
authorBernd Edlinger <bernd.edlinger@hotmail.de>
Fri, 23 Feb 2024 09:32:14 +0000 (10:32 +0100)
committerTomas Mraz <tomas@openssl.org>
Tue, 2 Apr 2024 15:37:08 +0000 (17:37 +0200)
The syntax check of the -addext fails because the
X509V3_CTX is used to look up the referenced section,
but the wrong configuration file is used, where only
a default section with all passed-in -addext lines is available.
Thus it was not possible to use subjectAltName=dirName:section
as an -addext parameter.  Other extensions are probably affected as well.

This change affects only the syntax check, the real extension
was already created with correct parameters.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23669)

(cherry picked from commit 387418893e45e588d1cbd4222549b5113437c9ab)

apps/req.c
test/recipes/25-test_req.t
test/test.cnf

index c7d4c7822cda91f601a11278519b9f1274de63ca..2fc53d4bfcfa232cd897e28e5c6ffeecaced1512 100644 (file)
@@ -569,7 +569,7 @@ int req_main(int argc, char **argv)
         X509V3_CTX ctx;
 
         X509V3_set_ctx_test(&ctx);
-        X509V3_set_nconf(&ctx, addext_conf);
+        X509V3_set_nconf(&ctx, req_conf);
         if (!X509V3_EXT_add_nconf(addext_conf, &ctx, "default", NULL)) {
             BIO_printf(bio_err, "Error checking extensions defined using -addext\n");
             goto end;
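Review bot: After this change the context and the extension source point at different configs on purpose (`X509V3_set_nconf(&ctx, req_conf)` followed by `X509V3_EXT_add_nconf(addext_conf, ...)`), but nothing at the call site says why, so a later cleanup could "realign" them and bring the bug back. I would add a comment above the set_nconf call, for example `/* -addext values may reference sections (e.g. dirName:sect) that exist only in req_conf */`. It is also worth confirming that the real extension creation later in req_main resolves sections from the same config object, so that the syntax check validates exactly what ends up in the request. That code is outside this hunk, as are the start and end of req_main.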
index d7301748160f9119a7670eb782f8c969777d5521..f0a69bad7fdac33d58eec4682f9508be36798fb3 100644 (file)
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_req");
 
-plan tests => 49;
+plan tests => 50;
 
 require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
 
@@ -53,6 +53,7 @@ ok(!run(app([@addext_args, "-addext", $val, "-addext", $val2])));
 ok(!run(app([@addext_args, "-addext", $val, "-addext", $val3])));
 ok(!run(app([@addext_args, "-addext", $val2, "-addext", $val3])));
 ok(run(app([@addext_args, "-addext", "SXNetID=1:one, 2:two, 3:three"])));
+ok(run(app([@addext_args, "-addext", "subjectAltName=dirName:dirname_sec"])));
 
 # If a CSR is provided with neither of -key or -CA/-CAkey, this should fail.
 ok(!run(app(["openssl", "req", "-x509",
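Review bot: The added test covers only the success path, so it would still pass if the syntax check were skipped for values that reference a section. A companion negative case such as `ok(!run(app([@addext_args, "-addext", "subjectAltName=dirName:no_such_sec"])));` would pin that an unresolved section reference is rejected rather than silently accepted. The section name there is constructed for illustration, and `plan tests` would need to go to 51. This assumes @addext_args, which is defined outside the hunk, passes test/test.cnf as the config.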
index 8b2f92ad8e241db8ac475c6fc1e969204e9a8241..8f68982a9fa1fc76642d733c58e68fcb5a779554 100644 (file)
@@ -72,3 +72,9 @@ commonName                    = CN field
 commonName_value               = Eric Young
 emailAddress                   = email field
 emailAddress_value             = eay@mincom.oz.au
+
+[ dirname_sec ]
+C  = UK
+O  = My Organization
+OU = My Unit
+CN = My Name