Make sure that a cert with extensions gets version number 2 (v3)

Fixes #4419 Reviewed-by: N Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4420)

Make sure that a cert with extensions gets version number 2 (v3)
Fixes #4419 Reviewed-by: N Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4420)
4881d849 · Richard Levitte · 28c0a61b · 4881d849
隐藏空白更改
内联并排

Showing with 9 addition and 1 deletion

apps/ca.c apps/ca.c +9 -1

未找到文件。
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1735,7 +1735,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
    /* Lets add the extensions, if there are any */
    if (ext_sect) {
        X509V3_CTX ctx;
-        X509_set_version(ret, 2);

        /* Initialize the context structure */
        if (selfsign)
@@ -1790,6 +1789,15 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
        goto end;
    }

+    {
+        const STACK_OF(X509_EXTENSION) *exts = X509_get0_extensions(ret);
+
+        if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)
+            /* Make it an X509 v3 certificate. */
+            if (!X509_set_version(ret, 2))
+                goto end;
+    }
+
    /* Set the right value for the noemailDN option */
    if (email_dn == 0) {
        if (!X509_set_subject_name(ret, dn_subject))