Commit ed0245e0 authored by Richard Levitte's avatar Richard Levitte
Browse files

Make sure that a cert with extensions gets version number 2 (v3) 



Fixes #4419

Reviewed-by: default avatarTim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4421)
parent 859a4253

apps/ca.c

+9 −4
Original line number Diff line number Diff line
@@ -1985,10 +1985,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, 
    /* Lets add the extensions, if there are any */

    if (ext_sect) {

        X509V3_CTX ctx;

        if (ci->version == NULL)

            if ((ci->version = ASN1_INTEGER_new()) == NULL)

                goto err;

        ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */



        /*

         * Free the current entries if any, there should not be any I believe
@@ -2051,6 +2047,15 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, 
        goto err;

    }



    {

        STACK_OF(X509_EXTENSION) *exts = ci->extensions;



        if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)

            /* Make it an X509 v3 certificate. */

            if (!X509_set_version(ret, 2))

                goto err;

    }



    /* Set the right value for the noemailDN option */

    if (email_dn == 0) {

        if (!X509_set_subject_name(ret, dn_subject))