authorNikos Mavrogiannopoulos <nmav@gnutls.org>2019-12-14 10:51:48 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2019-12-23 19:54:48 +0100
commitc35490f0a3d01aeb387c2de127110c8b1ec3c750 (patch)
tree1b084c98e0b3e72a5df8f1c29d39e72ec56a2534
parent2923c812cc054bbbb376433d5ca9021d19ebf804 (diff)
certtool: always set extensions from template
Previously we would only set the extensions specified with add_extension when generating using --generate-certificate. This change makes sure these options are considered even when generating a certificate from a certificate request. Issue reported on the mailing list. Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
-rw-r--r--NEWS11
-rw-r--r--src/certtool.c3
2 files changed, 9 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index 2e16805007..67051289ab 100644
--- a/NEWS
+++ b/NEWS
@@ -24,15 +24,18 @@ See the end for copying conditions.
for all certificate verifications, not only under TLS. The configuration can
be overriden using the GNUTLS_SYSTEM_PRIORITY_FILE environment variable.
-** certtool: Added the --verify-profile option to set a certificate
- verification profile. Use '--verify-profile low' for certificate verification
- to apply the 'NORMAL' verification profile.
-
** libgnutls: If a CA is found in the trusted list, check in addition to
time validity, whether the algorithms comply to the expected level prior
to accepting it. This addresses the problem of accepting CAs which would
have been marked as insecure otherwise (#877).
+** certtool: Added the --verify-profile option to set a certificate
+ verification profile. Use '--verify-profile low' for certificate verification
+ to apply the 'NORMAL' verification profile.
+
+** certtool: The add_extension template option is considered even when generating
+ a certificate from a certificate request.
+
** API and ABI modifications:
gnutls_ocsp_req_const_t: Added
diff --git a/src/certtool.c b/src/certtool.c
index 447f02f765..35438daafa 100644
--- a/src/certtool.c
+++ b/src/certtool.c
@@ -373,7 +373,6 @@ generate_certificate(gnutls_privkey_t * ret_key,
get_oid_crt_set(crt);
get_key_purpose_set(TYPE_CRT, crt);
- get_extensions_crt_set(TYPE_CRT, crt);
if (!batch)
fprintf(stderr,
@@ -467,6 +466,8 @@ generate_certificate(gnutls_privkey_t * ret_key,
}
}
+ get_extensions_crt_set(TYPE_CRT, crt);
+
/* append additional extensions */
if (cinfo->v1_cert == 0) {
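Review bot: The relocated `get_extensions_crt_set(TYPE_CRT, crt);` sits just above the `if (cinfo->v1_cert == 0)` guard that gates the other "additional extensions", so template `add_extension` entries are applied with no visible version check; unless the helper checks the version itself, consider making the call the first statement inside that block. Because the commit message says the call now also runs when signing a certificate request, a comment such as `/* template add_extension entries are applied on top of any extensions taken from the request */` would help, and it should state which value wins when the request already carries the same OID, since a signer normally wants the template to take precedence over requester-supplied data. The diffstat lists only NEWS and src/certtool.c, so a regression test covering the request path with `add_extension` in the template is worth adding. The body of generate_certificate starts and ends outside this hunk, so the request-handling code above is presumed rather than seen.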