authorinoguchi <>2021-09-02 11:07:56 +0000
committerinoguchi <>2021-09-02 11:07:56 +0000
commit6ea6811dcb65ce2b479375e968f90b9acd57461a (patch)
tree12858b9bb728e3ee89f727198a4a56afb7d29a03
parent6f87de04622fcde11242db697d6022a8a3513cbd (diff)
Move subject check process after the subject edit process
Referred to OpenSSL commit 2cedf794 and adapted it to our codebase. ok tb@
-rw-r--r--src/usr.bin/openssl/ca.c211
1 files changed, 106 insertions, 105 deletions
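diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c
index 1c383d40af..dcfa67ae56 100644
--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.43 2021/08/30 12:25:54 inoguchi Exp $ */
+/* $OpenBSD: ca.c,v 1.44 2021/09/02 11:07:56 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1954,106 +1954,7 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 if (subject == NULL)
 goto err;
 }
-if (verbose)
-BIO_printf(bio_err,
-"The subject name appears to be ok, checking data base for clashes\n");
-
-/* Build the correct Subject if no email is wanted in the subject */
-/*
- * and add it later on because of the method extensions are added
- * (altName)
- */
-
-if (email_dn)
-dn_subject = subject;
-else {
-X509_NAME_ENTRY *tmpne;
-/*
- * Its best to dup the subject DN and then delete any email
- * addresses because this retains its structure.
- */
-if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
-BIO_printf(bio_err, "Memory allocation failure\n");
-goto err;
-}
-while ((i = X509_NAME_get_index_by_NID(dn_subject,
-NID_pkcs9_emailAddress, -1)) >= 0) {
-tmpne = X509_NAME_get_entry(dn_subject, i);
-if (tmpne == NULL)
-goto err;
-if (X509_NAME_delete_entry(dn_subject, i) == NULL) {
-X509_NAME_ENTRY_free(tmpne);
-goto err;
-}
-X509_NAME_ENTRY_free(tmpne);
-}
-}
 
-if (BN_is_zero(serial))
-row[DB_serial] = strdup("00");
-else
-row[DB_serial] = BN_bn2hex(serial);
-if (row[DB_serial] == NULL) {
-BIO_printf(bio_err, "Memory allocation failure\n");
-goto err;
-}
-if (db->attributes.unique_subject) {
-OPENSSL_STRING *crow = row;
-
-rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
-if (rrow != NULL) {
-BIO_printf(bio_err,
-"ERROR:There is already a certificate for %s\n",
-row[DB_name]);
-}
-}
-if (rrow == NULL) {
-rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
-if (rrow != NULL) {
-BIO_printf(bio_err,
-"ERROR:Serial number %s has already been issued,\n",
-row[DB_serial]);
-BIO_printf(bio_err,
-" check the database/serial_file for corruption\n");
-}
-}
-if (rrow != NULL) {
-BIO_printf(bio_err,
-"The matching entry has the following details\n");
-if (rrow[DB_type][0] == 'E')
-p = "Expired";
-else if (rrow[DB_type][0] == 'R')
-p = "Revoked";
-else if (rrow[DB_type][0] == 'V')
-p = "Valid";
-else
-p = "\ninvalid type, Data base error\n";
-BIO_printf(bio_err, "Type :%s\n", p);
-if (rrow[DB_type][0] == 'R') {
-p = rrow[DB_exp_date];
-if (p == NULL)
-p = "undef";
-BIO_printf(bio_err, "Was revoked on:%s\n", p);
-}
-p = rrow[DB_exp_date];
-if (p == NULL)
-p = "undef";
-BIO_printf(bio_err, "Expires on :%s\n", p);
-p = rrow[DB_serial];
-if (p == NULL)
-p = "undef";
-BIO_printf(bio_err, "Serial Number :%s\n", p);
-p = rrow[DB_file];
-if (p == NULL)
-p = "undef";
-BIO_printf(bio_err, "File name :%s\n", p);
-p = rrow[DB_name];
-if (p == NULL)
-p = "undef";
-BIO_printf(bio_err, "Subject Name :%s\n", p);
-ok = -1; /* This is now a 'bad' error. */
-goto err;
-}
 /* We are now totally happy, lets make and sign the certificate */
 if (verbose)
 BIO_printf(bio_err,
@@ -2179,11 +2080,113 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 ERR_print_errors(bio_err);
 goto err;
 }
-/* Set the right value for the noemailDN option */
-if (email_dn == 0) {
+
+if (verbose)
+BIO_printf(bio_err,
+"The subject name appears to be ok, checking data base for clashes\n");
+
+/* Build the correct Subject if no email is wanted in the subject */
+if (!email_dn) {
+X509_NAME_ENTRY *tmpne;
+/*
+ * Its best to dup the subject DN and then delete any email
+ * addresses because this retains its structure.
+ */
+if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
+BIO_printf(bio_err, "Memory allocation failure\n");
+goto err;
+}
+while ((i = X509_NAME_get_index_by_NID(dn_subject,
+NID_pkcs9_emailAddress, -1)) >= 0) {
+tmpne = X509_NAME_get_entry(dn_subject, i);
+if (tmpne == NULL)
+goto err;
+if (X509_NAME_delete_entry(dn_subject, i) == NULL) {
+X509_NAME_ENTRY_free(tmpne);
+goto err;
+}
+X509_NAME_ENTRY_free(tmpne);
+}
+
 if (!X509_set_subject_name(ret, dn_subject))
 goto err;
+
+X509_NAME_free(dn_subject);
+dn_subject = NULL;
+}
+
+row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
+if (row[DB_name] == NULL) {
+BIO_printf(bio_err, "Memory allocation failure\n");
+goto err;
+}
+
+if (BN_is_zero(serial))
+row[DB_serial] = strdup("00");
+else
+row[DB_serial] = BN_bn2hex(serial);
+if (row[DB_serial] == NULL) {
+BIO_printf(bio_err, "Memory allocation failure\n");
+goto err;
+}
+if (db->attributes.unique_subject) {
+OPENSSL_STRING *crow = row;
+
+rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
+if (rrow != NULL) {
+BIO_printf(bio_err,
+"ERROR:There is already a certificate for %s\n",
+row[DB_name]);
+}
+}
+if (rrow == NULL) {
+rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
+if (rrow != NULL) {
+BIO_printf(bio_err,
+"ERROR:Serial number %s has already been issued,\n",
+row[DB_serial]);
+BIO_printf(bio_err,
+" check the database/serial_file for corruption\n");
+}
 }
+if (rrow != NULL) {
+BIO_printf(bio_err,
+"The matching entry has the following details\n");
+if (rrow[DB_type][0] == 'E')
+p = "Expired";
+else if (rrow[DB_type][0] == 'R')
+p = "Revoked";
+else if (rrow[DB_type][0] == 'V')
+p = "Valid";
+else
+p = "\ninvalid type, Data base error\n";
+BIO_printf(bio_err, "Type :%s\n", p);
+if (rrow[DB_type][0] == 'R') {
+p = rrow[DB_exp_date];
+if (p == NULL)
+p = "undef";
+BIO_printf(bio_err, "Was revoked on:%s\n", p);
+}
+p = rrow[DB_exp_date];
+if (p == NULL)
+p = "undef";
+BIO_printf(bio_err, "Expires on :%s\n", p);
+p = rrow[DB_serial];
+if (p == NULL)
+p = "undef";
+BIO_printf(bio_err, "Serial Number :%s\n", p);
+p = rrow[DB_file];
+if (p == NULL)
+p = "undef";
+BIO_printf(bio_err, "File name :%s\n", p);
+p = rrow[DB_name];
+if (p == NULL)
+p = "undef";
+BIO_printf(bio_err, "Subject Name :%s\n", p);
+ok = -1; /* This is now a 'bad' error. */
+goto err;
+}
+
 if (!default_op) {
 BIO_printf(bio_err, "Certificate Details:\n");
 /*
@@ -2250,7 +2253,6 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 
 /* row[DB_serial] done already */
 row[DB_file] = malloc(8);
-row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
 
 if ((row[DB_type] == NULL) || (row[DB_file] == NULL) ||
 (row[DB_name] == NULL)) {
@@ -2288,8 +2290,7 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 
 X509_NAME_free(CAname);
 X509_NAME_free(subject);
-if (!email_dn)
-X509_NAME_free(dn_subject);
+X509_NAME_free(dn_subject);
 ASN1_UTCTIME_free(tmptm);
 X509_free(ret);
 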
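Review bot: In the `!email_dn` block of the second hunk (new lines 2104-2106), the failure branch of X509_NAME_delete_entry frees `tmpne` although the entry is still owned by `dn_subject`, and the `err` path at new line 2293 now frees `dn_subject` unconditionally, so taking that branch would free the same entry twice. X509_NAME_get_entry hands back a pointer into the name rather than a copy; ownership only moves to the caller once X509_NAME_delete_entry returns the entry, so the free belongs after a successful delete only, `if (X509_NAME_delete_entry(dn_subject, i) == NULL) goto err;`. The branch is probably unreachable because the index comes from X509_NAME_get_index_by_NID on the same name, and the commit moved this code rather than wrote it, but the cleanup should not depend on that. The unconditional free at the end also presumes `dn_subject` starts out NULL at its declaration, which lies outside the hunk along with the rest of do_body.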