From 260f977861b8c8960010f074ba44ebe33c7ec44c Mon Sep 17 00:00:00 2001
From: Anthony Hu
Date: Thu, 31 Oct 2024 17:08:54 -0400
Subject: [PATCH 1/2] Fix for setting wrong version in CSRs.
---
 src/x509/clu_request_setup.c | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/src/x509/clu_request_setup.c b/src/x509/clu_request_setup.c
index 922a49f6..da5a8577 100644
--- a/src/x509/clu_request_setup.c
+++ b/src/x509/clu_request_setup.c
@@ -424,38 +424,45 @@ static int _X509_name_print(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name,
 }
-/* human readable print out of x509 version
+/* human readable print out of x509 or CSR version
 * return WOLFSSL_SUCCESS on success */
 static int _wolfSSL_X509_version_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509,
- int indent)
+ int indent, byte isCSR)
 {
 int version;
+ byte version_value;
 char scratch[MAX_WIDTH];
 if ((version = wolfSSL_X509_version(x509)) < 0) {
 return WOLFSSL_FAILURE;
 }
+ if (isCSR) {
+ version_value = (byte)wolfSSL_X509_REQ_get_version(x509);
+ } else {
+ version_value = (byte)wolfSSL_X509_get_version(x509);
+ }
+
 XSNPRINTF(scratch, MAX_WIDTH, "%*s%s", indent, "", "Version:");
 if (wolfSSL_BIO_write(bio, scratch, (int)XSTRLEN(scratch)) <= 0) {
 return WOLFSSL_FAILURE;
 }
- XSNPRINTF(scratch, MAX_WIDTH, " %d (0x%x)\n", version, (byte)version-1);
+ XSNPRINTF(scratch, MAX_WIDTH, " %d (0x%x)\n", version, version_value);
 if (wolfSSL_BIO_write(bio, scratch, (int)XSTRLEN(scratch)) <= 0) {
 return WOLFSSL_FAILURE;
 }
 return WOLFSSL_SUCCESS;
 }
-
 /* This should work its way into wolfSSL master @TODO
 * For now placing the implementation here so that wolfCLU can be used with
 * the current wolfSSL release.
 * return WOLFSSL_SUCCESS on success */
-static int wolfSSL_X509_REQ_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509)
+static int wolfSSL_X509_REQ_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509,
+ byte isCSR)
 {
 char subjType[] = "Subject: ";
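Review bot: In `_wolfSSL_X509_version_print` the result of the new getter is cast straight to `byte`, while the `wolfSSL_X509_version()` result a few lines above is still validated for `< 0`; if `wolfSSL_X509_REQ_get_version()` / `wolfSSL_X509_get_version()` can report failure with a negative `long`, that value is silently truncated and printed as a hex byte. Fetch the value into a `long` and check it first: `long v = isCSR ? wolfSSL_X509_REQ_get_version(x509) : wolfSSL_X509_get_version(x509);` `if (v < 0) { return WOLFSSL_FAILURE; }` `version_value = (byte)v;`. Note also that the decimal `version` and the hex `version_value` now come from two different accessors, whereas the old line derived both from one value (`(byte)version-1`); if the two APIs use different bases for a request, the output can read something like `Version: 0 (0x0)`, so either derive the decimal from the same value (`version_value + 1`) or add a comment stating which base each accessor returns. The `wolfSSL_X509_REQ_print` definition that starts at the end of this hunk continues outside it.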
@@ -474,7 +481,7 @@ static int wolfSSL_X509_REQ_print(WOLFSSL_BIO* bio, WOLFSSL_X509* x509)
 }
 /* print version of cert */
- if (_wolfSSL_X509_version_print(bio, x509, 8) != WOLFSSL_SUCCESS) {
+ if (_wolfSSL_X509_version_print(bio, x509, 8, isCSR) != WOLFSSL_SUCCESS) {
 return WOLFSSL_FAILURE;
 }
@@ -569,7 +576,9 @@ int wolfCLU_requestSetup(int argc, char** argv)
 byte reSign = 0; /* flag for if resigning req is needed */
 byte noOut = 0;
 byte useDes = 1;
-
+#ifdef NO_WOLFSSL_REQ_PRINT
+ byte isCSR = 1;
+#endif
 opterr = 0; /* do not display unrecognized options */
 optind = 0; /* start at indent 0 */
 while ((option = wolfCLU_GetOpt(argc, argv, "", req_options,
@@ -897,7 +906,7 @@ int wolfCLU_requestSetup(int argc, char** argv)
 /* default to version 1 when generating CSR */
 if (ret == WOLFCLU_SUCCESS) {
- if (wolfSSL_X509_set_version(x509, WOLFSSL_X509_V1) !=
+ if (wolfSSL_X509_REQ_set_version(x509, WOLFSSL_X509_V1) !=
 WOLFSSL_SUCCESS) {
 wolfCLU_LogError("Error setting CSR version");
 ret = WOLFCLU_FATAL_ERROR;
@@ -933,6 +942,9 @@ int wolfCLU_requestSetup(int argc, char** argv)
 /* sign the req/cert */
 if (ret == WOLFCLU_SUCCESS && (reqIn == NULL || reSign)) {
 if (genX509) {
+#ifdef NO_WOLFSSL_REQ_PRINT
+ isCSR = 0;
+#endif
 /* default to version 3 which supports extensions */
 if (wolfSSL_X509_set_version(x509, WOLFSSL_X509_V3) !=
 WOLFSSL_SUCCESS) {
@@ -982,7 +994,11 @@ int wolfCLU_requestSetup(int argc, char** argv)
 }
 if (ret == WOLFCLU_SUCCESS && doTextOut) {
+#ifdef NO_WOLFSSL_REQ_PRINT
+ wolfSSL_X509_REQ_print(bioOut, x509, isCSR);
+#else
 wolfSSL_X509_REQ_print(bioOut, x509);
+#endif
 }
 if (ret == WOLFCLU_SUCCESS && !noOut) {
From e5d463a5e0066513dbf18cfe1e365645c5b70843 Mon Sep 17 00:00:00 2001
From: Anthony Hu
Date: Mon, 18 Nov 2024 16:40:20 -0500
Subject: [PATCH 2/2] Add test as suggested in review.
---
 tests/x509/x509-req-test.sh | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
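Review bot: The comment above the changed `wolfSSL_X509_REQ_set_version(x509, WOLFSSL_X509_V1)` call says "default to version 1", but a CSR's `CertificationRequestInfo.version` is encoded as `INTEGER v1(0)` (RFC 2986, section 4), and this commit exists precisely because the certificate-style setter produced the wrong value; the call is only right if `WOLFSSL_X509_V1` maps to that 0 under the request setter, which cannot be seen here. A comment at the call site that records this would stop the next reader from "fixing" it back to a literal 1: `/* CSR version is INTEGER v1(0) per RFC 2986; WOLFSSL_X509_V1 is the request-setter constant for it, not a literal 1 */`. `wolfCLU_requestSetup` begins and ends outside this hunk.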
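Review bot: `isCSR` is cleared only inside `if (genX509)` within the `ret == WOLFCLU_SUCCESS && (reqIn == NULL || reSign)` branch, so on any path where `genX509` is set but that branch is skipped (a request read with `-in` and not re-signed, if the option parsing outside this hunk allows that combination) the later `-text` output would still use the CSR version getter on a certificate. The flag merely mirrors `genX509`; deriving it at the print site, `wolfSSL_X509_REQ_print(bioOut, x509, (byte)!genX509);`, removes the synchronisation hazard along with the two `#ifdef NO_WOLFSSL_REQ_PRINT` blocks that declare and update it. `wolfCLU_requestSetup` begins and ends outside this hunk.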
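Review bot: The new `NO_WOLFSSL_REQ_PRINT` call discards the return value of `wolfSSL_X509_REQ_print()`, which the local implementation added earlier in this patch documents as returning `WOLFSSL_SUCCESS` on success, so a failed `-text` dump leaves `ret == WOLFCLU_SUCCESS` and the command exits 0 with truncated output. Following the error pattern used elsewhere in this function would be `if (wolfSSL_X509_REQ_print(bioOut, x509, isCSR) != WOLFSSL_SUCCESS) { wolfCLU_LogError("Error printing request"); ret = WOLFCLU_FATAL_ERROR; }`. The `#else` branch still calls wolfSSL's two-argument printer, which has no `isCSR` parameter; a one-line comment at the `#ifdef` stating that the upstream printer distinguishes requests from certificates itself (if that is the case) would tell the reader whether the version display is correct on that build configuration too. `wolfCLU_requestSetup` begins and ends outside this hunk.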
diff --git a/tests/x509/x509-req-test.sh b/tests/x509/x509-req-test.sh
index af6a32b7..9fe75876 100755
--- a/tests/x509/x509-req-test.sh
+++ b/tests/x509/x509-req-test.sh
@@ -292,8 +292,32 @@ if [ $? -eq 0 ]; then
 echo "no surname attribute found"
 exit 99
 fi
+
+fi
+
+# test csr version
+run_success "req -new -key ./certs/server-key.pem -config ./test.conf -out tmp.csr"
+RESULT=`./wolfssl req -text -noout -in tmp.csr`
+if [ $? -eq 0 ]; then
+ # also check that the version is fine.
+ echo $RESULT | grep "Version" | grep "1" | grep "0x0"
+ if [ $? -ne 0 ]; then
+ echo "Printing wrong version number"
+ exit 99
+ fi
 fi
+# now make sure that openssl also sees what we see.
+RESULT=`openssl req -text -noout -in tmp.csr`
+if [ $? -eq 0 ]; then
+ echo $RESULT | grep "Version" | grep "1" | grep "0x0"
+ if [ $? -ne 0 ]; then
+ echo "Printing wrong version number"
+ exit 99
+ fi
+fi
+rm -f tmp.cert
+
 echo "Done"
 exit 0
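Review bot: The version assertion is too loose to catch the bug this series fixes: `echo $RESULT` (unquoted) flattens the whole text dump onto one line, so `grep "1"` is satisfied by any `1` in the key or signature hex and `grep "0x0"` by any `0x0…` prefix, and a line such as `Version: 0 (0x0)` would still pass. Quote the variable and anchor the match in both places: `echo "$RESULT" | grep -q 'Version: *1 (0x0)'`. The cleanup also removes `tmp.cert`, but the file this block creates is `tmp.csr`, which is left behind unless `tmp.cert` belongs to an earlier part of the script outside this hunk; `rm -f tmp.csr` is what this test owes. Since the openssl block is skipped silently when `openssl` is missing or fails, giving its failure message distinct text (e.g. `echo "openssl reports wrong CSR version"`) would make a real cross-check failure distinguishable from the wolfssl one.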