From: inoguchi
Date: Sun, 5 Sep 2021 01:55:54 +0000 (+0000)
Subject: Using serial number instead as subject if it is empty in openssl(1) ca
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=00f68246308c6a598053a3353eead2dcd365d71c;p=openbsd

Using serial number instead as subject if it is empty in openssl(1) ca

This allows multiple entries without a subject even if unique_subject == yes.
Referred to OpenSSL commit 5af88441 and arranged for our codebase.

ok tb@
---
diff --git a/usr.bin/openssl/ca.c b/usr.bin/openssl/ca.c
index 1d28532ed34..b24febd9f64 100644
--- a/usr.bin/openssl/ca.c
+++ b/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.47 2021/09/05 01:49:42 inoguchi Exp $ */
+/* $OpenBSD: ca.c,v 1.48 2021/09/05 01:55:54 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2124,6 +2124,21 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 BIO_printf(bio_err, "Memory allocation failure\n");
 goto err;
 }
+
+ if (row[DB_name][0] == '\0') {
+ /*
+ * An empty subject! We'll use the serial number instead. If
+ * unique_subject is in use then we don't want different
+ * entries with empty subjects matching each other.
+ */
+ free(row[DB_name]);
+ row[DB_name] = strdup(row[DB_serial]);
+ if (row[DB_name] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto err;
+ }
+ }
+
 if (db->attributes.unique_subject) {
 OPENSSL_STRING *crow = row;
 
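Review bot: `row[DB_name] = strdup(row[DB_serial]);` in the added block of do_body relies on row[DB_serial] being non-NULL, and nothing inside this hunk establishes that; the allocation-failure branch directly above it is visible but its condition is outside the hunk, so if that check covers only row[DB_name], a failed BN_bn2hex earlier in the function reaches strdup(NULL), which is undefined behaviour for libc strdup rather than the intended error path. If the out-of-view check does not already test row[DB_serial], guard the substitution with `if (row[DB_serial] != NULL && row[DB_name][0] == '\0') {` or add an explicit NULL check on row[DB_serial] before the free. A side effect worth a comment at the substitution is that the CA database's name column now carries the serial's hex string for subject-less certificates, so every path that matches entries by that column must perform the same replacement, as the do_revoke hunk below does. do_body starts and continues outside this hunk.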
@@ -2469,6 +2484,20 @@ do_revoke(X509 *x509, CA_DB *db, int type, char *value)
 else
 row[DB_serial] = BN_bn2hex(bn);
 BN_free(bn);
+
+ if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
+ /*
+ * Entries with empty Subjects actually use the serial number
+ * instead
+ */
+ free(row[DB_name]);
+ row[DB_name] = strdup(row[DB_serial]);
+ if (row[DB_name] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto err;
+ }
+ }
+
 if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
 BIO_printf(bio_err, "Memory allocation failure\n");
 goto err;
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index 9d9f5ca580b..e698c33a0a4 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.130 2021/08/29 12:33:15 tb Exp $
+.\" $OpenBSD: openssl.1,v 1.131 2021/09/05 01:55:54 inoguchi Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: August 29 2021 $
+.Dd $Mdocdate: September 5 2021 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -843,6 +843,10 @@
 is given, several valid certificate entries may have the exact same subject.
 The default value is
 .Cm yes .
+.Pp
+Note that it is valid in some circumstances for certificates to be created
+without any subject. In the case where there are multiple certificates without
+subjects this does not count as a duplicate.
 .It Cm x509_extensions
 The same as
 .Fl extensions .
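Review bot: `row[DB_name] = strdup(row[DB_serial]);` in the added block of do_revoke executes before the context line `if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))` that follows it, so when BN_bn2hex on the context line above fails and leaves row[DB_serial] NULL, strdup is handed a NULL pointer, which is undefined behaviour for libc strdup and in practice a crash instead of the "Memory allocation failure" path the function intends. The new condition tests only row[DB_name]; extend it to `if (row[DB_name] != NULL && row[DB_serial] != NULL && row[DB_name][0] == '\0') {` so the combined check below still reports the failure, or move that combined check above the substitution. The do_body hunk above has the same shape but its preceding NULL check is outside the hunk, so only this occurrence is certain from the visible lines. do_revoke's body starts and continues outside this hunk.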