certtool: always set extensions from template

Previously we would only set these extensions specific with add_extension
when generating using --generate-certificate. The change makes sure these
options are considered even when generating an extension from a certificate
request. Issue reported on the mailing list.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>

diff --git a/NEWS b/NEWS
index 2e168050078aa8ceeaf7a899b51560718b5b4679..67051289ab9b6988816092db1bd4e3f83df8fcb7 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -24,15 +24,18 @@ See the end for copying conditions.
    for all certificate verifications, not only under TLS. The configuration can
    be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.
 
-** certtool: Added the --verify-profile option to set a certificate
-   verification profile. Use '--verify-profile low' for certificate verification
-   to apply the 'NORMAL' verification profile.
-
 ** libgnutls: If a CA is found in the trusted list, check in addition to
    time validity, whether the algorithms comply to the expected level prior
    to accepting it. This addresses the problem of accepting CAs which would
    have been marked as insecure otherwise (#877).
 
+** certtool: Added the --verify-profile option to set a certificate
+   verification profile. Use '--verify-profile low' for certificate verification
+   to apply the 'NORMAL' verification profile.
+
+** certtool: The add_extension template option is considered even when generating
+   a certificate from a certificate request.
+
 ** API and ABI modifications:
 gnutls_ocsp_req_const_t: Added
 

diff --git a/src/certtool.c b/src/certtool.c
index 447f02f765c11aebc469da6d0dfed6455ab131b4..35438daafa853c5a540c25614e7590e86942814d 100644 (file)
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -373,7 +373,6 @@ generate_certificate(gnutls_privkey_t * ret_key,
 
                        get_oid_crt_set(crt);
                        get_key_purpose_set(TYPE_CRT, crt);
-                       get_extensions_crt_set(TYPE_CRT, crt);
 
                        if (!batch)
                                fprintf(stderr,
@@ -467,6 +466,8 @@ generate_certificate(gnutls_privkey_t * ret_key,
                }
        }
 
+       get_extensions_crt_set(TYPE_CRT, crt);
+
        /* append additional extensions */
        if (cinfo->v1_cert == 0) {