apps: allow empty attribute values with -subj

Historically (i.e., OpenSSL 1.0.x), the openssl applications would
allow for empty subject attributes to be passed via the -subj argument,
e.g., `opensl req -subj '/CN=joe/O=/OU=local' ...`.  Commit
db4c08f0194d58c6192f0d8311bf3f20e251cf4f applied a badly needed rewrite
to the parse_name() helper function that parses these strings, but
in the process dropped a check that would skip attributes with no
associated value.  As a result, such strings are now treated as
hard errors and the operation fails.

Restore the check to skip empty attribute values and restore
the historical behavior.

Document the behavior for empty subject attribute values in the
corresponding applications' manual pages.

(cherry picked from commit 3d362f190306b62a17aa2fd475b2bc8b3faa8142)
(cherry picked from commit a7ee1ef61b1893038008691a4a6979cf2da91439)

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7368)

diff --git a/apps/apps.c b/apps/apps.c
index a162b160600e5518a36fcfbf717ac1744d5777d9..94efa5ac05dd284cccaf56001eeba05e6476174b 100644 (file)
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -1770,6 +1770,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
                       opt_getprog(), typestr);
             continue;
         }
+        if (*valstr == '\0') {
+            BIO_printf(bio_err,
+                       "%s: No value provided for Subject Attribute %s, skipped\n",
+                       opt_getprog(), typestr);
+            continue;
+        }
         if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
                                         valstr, strlen((char *)valstr),
                                         -1, ismulti ? -1 : 0))

diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod
index 9918a1364a5921db6dbae4f385a120629d744fbc..9885bb2392a6b75152d9d95811ab85e986a9bada 100644 (file)
--- a/doc/apps/ca.pod
+++ b/doc/apps/ca.pod
@@ -243,8 +243,10 @@ for all available algorithms.
 =item B<-subj arg>
 
 supersedes subject name given in the request.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
-characters may be escaped by \ (backslash), no spaces are skipped.
+The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
+Keyword characters may be escaped by \ (backslash), and whitespace is retained.
+Empty values are permitted, but the corresponding type will not be included
+in the resulting certificate.
 
 =item B<-utf8>
 

diff --git a/doc/apps/req.pod b/doc/apps/req.pod
index 0a28aea7073193698eec1a1a9f14054544846559..00ec1a82bbb8276cb56911099b721c0d89a48ce8 100644 (file)
--- a/doc/apps/req.pod
+++ b/doc/apps/req.pod
@@ -213,8 +213,10 @@ see L<openssl(1)/COMMAND SUMMARY>.
 
 sets subject name for new request or supersedes the subject name
 when processing a request.
-The arg must be formatted as I</type0=value0/type1=value1/type2=...>,
-characters may be escaped by \ (backslash), no spaces are skipped.
+The arg must be formatted as I</type0=value0/type1=value1/type2=...>.
+Keyword characters may be escaped by \ (backslash), and whitespace is retained.
+Empty values are permitted, but the corresponding type will not be included
+in the request.
 
 =item B<-multivalue-rdn>