wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Allow multiple entries without a Subject even if unique_subject == yes

Browse source 
It is quite likely for there to be multiple certificates with empty
subjects, which are still distinct because of subjectAltName. Therefore
we allow multiple certificates with an empty Subject even if
unique_subject is set to yes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
This commit is contained in:
Matt Caswell 2018-02-23 19:48:11 +00:00
parent 2cedf79474
commit 5af88441f4
2 changed files with 23 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
apps/ca.c
View file

@ -1721,6 +1721,20 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
goto end; goto end;
} }
if (row[DB_name][0] == '\0') {
/*
* An empty subject! We'll use the serial number instead. If
* unique_subject is in use then we don't want different entries with
* empty subjects matching each other.
*/
OPENSSL_free(row[DB_name]);
row[DB_name] = OPENSSL_strdup(row[DB_serial]);
if (row[DB_name] == NULL) {
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
}
if (db->attributes.unique_subject) { if (db->attributes.unique_subject) {
OPENSSL_STRING *crow = row; OPENSSL_STRING *crow = row;
@ -2034,6 +2048,11 @@ static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type,
else else
row[DB_serial] = BN_bn2hex(bn); row[DB_serial] = BN_bn2hex(bn);
BN_free(bn); BN_free(bn);
if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
/* Entries with empty Subjects actually use the serial number instead */
OPENSSL_free(row[DB_name]);
row[DB_name] = OPENSSL_strdup(row[DB_serial]);
}
if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
BIO_printf(bio_err, "Memory allocation failure\n"); BIO_printf(bio_err, "Memory allocation failure\n");
goto end; goto end;

4
doc/man1/ca.pod
View file

@ -469,6 +469,10 @@ versions of OpenSSL. However, to make CA certificate roll-over easier,
it's recommended to use the value B<no>, especially if combined with it's recommended to use the value B<no>, especially if combined with
the B<-selfsign> command line option. the B<-selfsign> command line option.
Note that it is valid in some circumstances for certificates to be created
without any subject. In the case where there are multiple certificates without
subjects this does not count as a duplicate.
=item B<serial> =item B<serial>
A text file containing the next serial number to use in hex. Mandatory. A text file containing the next serial number to use in hex. Mandatory.