Using serial number instead as subject if it is empty in openssl(1) ca
authorinoguchi <inoguchi@openbsd.org>
Sun, 5 Sep 2021 01:55:54 +0000 (01:55 +0000)
committerinoguchi <inoguchi@openbsd.org>
Sun, 5 Sep 2021 01:55:54 +0000 (01:55 +0000)
This allows multiple entries without a subject even if unique_subject == yes.
Referred to OpenSSL commit 5af88441 and arranged for our codebase.

ok tb@

usr.bin/openssl/ca.c
usr.bin/openssl/openssl.1

index 1d28532..b24febd 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.47 2021/09/05 01:49:42 inoguchi Exp $ */
+/* $OpenBSD: ca.c,v 1.48 2021/09/05 01:55:54 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2124,6 +2124,21 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
                BIO_printf(bio_err, "Memory allocation failure\n");
                goto err;
        }
+
+       if (row[DB_name][0] == '\0') {
+               /*
+                * An empty subject! We'll use the serial number instead. If
+                * unique_subject is in use then we don't want different
+                * entries with empty subjects matching each other.
+                */
+               free(row[DB_name]);
+               row[DB_name] = strdup(row[DB_serial]);
+               if (row[DB_name] == NULL) {
+                       BIO_printf(bio_err, "Memory allocation failure\n");
+                       goto err;
+               }
+       }
+
        if (db->attributes.unique_subject) {
                OPENSSL_STRING *crow = row;
 
@@ -2469,6 +2484,20 @@ do_revoke(X509 *x509, CA_DB *db, int type, char *value)
        else
                row[DB_serial] = BN_bn2hex(bn);
        BN_free(bn);
+
+       if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
+               /*
+                * Entries with empty Subjects actually use the serial number
+                * instead
+                */
+               free(row[DB_name]);
+               row[DB_name] = strdup(row[DB_serial]);
+               if (row[DB_name] == NULL) {
+                       BIO_printf(bio_err, "Memory allocation failure\n");
+                       goto err;
+               }
+       }
+
        if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
                BIO_printf(bio_err, "Memory allocation failure\n");
                goto err;
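Review bot: In the do_revoke hunk the new block calls `strdup(row[DB_serial])` before row[DB_serial] has been checked for NULL — the check `(row[DB_name] == NULL) || (row[DB_serial] == NULL)` only comes after the added lines, and both assignments feeding row[DB_serial] (the `else` branch's BN_bn2hex() and whatever the branch above it does) can fail, so a failed conversion now reaches strdup(NULL), which is undefined behaviour instead of the intended "Memory allocation failure" path. The guard should include the serial: `if (row[DB_name] != NULL && row[DB_serial] != NULL && row[DB_name][0] == '\0') {`. The do_body hunk has the same shape; whether row[DB_serial] is already validated by the allocation check just above its hunk cannot be confirmed from the visible context, so it is worth a look. Both enclosing functions start and end outside the hunks.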
index 9d9f5ca..e698c33 100644 (file)
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.130 2021/08/29 12:33:15 tb Exp $
+.\" $OpenBSD: openssl.1,v 1.131 2021/09/05 01:55:54 inoguchi Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: August 29 2021 $
+.Dd $Mdocdate: September 5 2021 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -843,6 +843,10 @@ is given,
 several valid certificate entries may have the exact same subject.
 The default value is
 .Cm yes .
+.Pp
+Note that it is valid in some circumstances for certificates to be created
+without any subject. In the case where there are multiple certificates without
+subjects this does not count as a duplicate.
 .It Cm x509_extensions
 The same as
 .Fl extensions .