From f2982ad79c9eeac4d8ee4225056f971eadf9302b Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 19 Jan 2018 14:34:56 +0000 Subject: [PATCH] Don't allow an empty Subject when creating a Certificate Misconfiguration (e.g. an empty policy section in the config file) can lead to an empty Subject. Since certificates should have unique Subjects this should not be allowed. Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5114) (cherry picked from commit e505f1e86874acfd98826d64c53bf2ddfd9c1399) --- apps/ca.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/apps/ca.c b/apps/ca.c index 2648549b4c..d323ca0f18 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1405,6 +1405,10 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, "The Subject's Distinguished Name is as follows\n"); name = X509_REQ_get_subject_name(req); + if (X509_NAME_entry_count(name) == 0) { + BIO_printf(bio_err, "Error: The supplied Subject is empty\n"); + goto end; + } for (i = 0; i < X509_NAME_entry_count(name); i++) { ne = X509_NAME_get_entry(name, i); str = X509_NAME_ENTRY_get_data(ne); @@ -1570,6 +1574,12 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, goto end; } + if (X509_NAME_entry_count(subject) == 0) { + BIO_printf(bio_err, + "Error: After applying policy the Subject is empty\n"); + goto end; + } + if (verbose) BIO_printf(bio_err, "The subject name appears to be ok, checking data base for clashes\n"); -- 2.25.1