From: Matt Caswell Date: Fri, 23 Feb 2018 19:48:11 +0000 (+0000) Subject: Allow multiple entries without a Subject even if unique_subject == yes X-Git-Tag: OpenSSL_1_1_0h~32 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=23324ce79c5fdc1ccd042c43ee1ef88aa1f294bc;p=oweals%2Fopenssl.git Allow multiple entries without a Subject even if unique_subject == yes It is quite likely for there to be multiple certificates with empty subjects, which are still distinct because of subjectAltName. Therefore we allow multiple certificates with an empty Subject even if unique_subject is set to yes. Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/5627) --- diff --git a/apps/ca.c b/apps/ca.c index 82572a19b6..8596b5f520 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1724,6 +1724,20 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, goto end; } + if (row[DB_name][0] == '\0') { + /* + * An empty subject! We'll use the serial number instead. If + * unique_subject is in use then we don't want different entries with + * empty subjects matching each other. + */ + OPENSSL_free(row[DB_name]); + row[DB_name] = OPENSSL_strdup(row[DB_serial]); + if (row[DB_name] == NULL) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto end; + } + } + if (db->attributes.unique_subject) { OPENSSL_STRING *crow = row; @@ -2038,6 +2052,11 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value) else row[DB_serial] = BN_bn2hex(bn); BN_free(bn); + if (row[DB_name] != NULL && row[DB_name][0] == '\0') { + /* Entries with empty Subjects actually use the serial number instead */ + OPENSSL_free(row[DB_name]); + row[DB_name] = OPENSSL_strdup(row[DB_serial]); + } if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { BIO_printf(bio_err, "Memory allocation failure\n"); goto end; diff --git a/doc/apps/ca.pod b/doc/apps/ca.pod index 944e57723d..b6578f1091 100644 --- a/doc/apps/ca.pod +++ b/doc/apps/ca.pod @@ -443,6 +443,10 @@ versions of OpenSSL. However, to make CA certificate roll-over easier, it's recommended to use the value B, especially if combined with the B<-selfsign> command line option. +Note that it is valid in some circumstances for certificates to be created +without any subject. In the case where there are multiple certificates without +subjects this does not count as a duplicate. + =item B a text file containing the next serial number to use in hex. Mandatory.