Using serial number instead as subject if it is empty in openssl(1) ca

This allows multiple entries without a subject even if unique_subject == yes.
Referred to OpenSSL commit 5af88441 and arranged for our codebase.

ok tb@

2 files changed, 36 insertions, 3 deletions

diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c
index 1d28532ed3..b24febd9f6 100644
--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.47 2021/09/05 01:49:42 inoguchi Exp $ */
+/* $OpenBSD: ca.c,v 1.48 2021/09/05 01:55:54 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2124,6 +2124,21 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
                 BIO_printf(bio_err, "Memory allocation failure\n");
                 goto err;
         }
+
+        if (row[DB_name][0] == '\0') {
+                /*
+                 * An empty subject! We'll use the serial number instead. If
+                 * unique_subject is in use then we don't want different
+                 * entries with empty subjects matching each other.
+                 */
+                free(row[DB_name]);
+                row[DB_name] = strdup(row[DB_serial]);
+                if (row[DB_name] == NULL) {
+                        BIO_printf(bio_err, "Memory allocation failure\n");
+                        goto err;
+                }
+        }
+
         if (db->attributes.unique_subject) {
                 OPENSSL_STRING *crow = row;
 
@@ -2469,6 +2484,20 @@ do_revoke(X509 *x509, CA_DB *db, int type, char *value)
         else
                 row[DB_serial] = BN_bn2hex(bn);
         BN_free(bn);
+
+        if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
+                /*
+                 * Entries with empty Subjects actually use the serial number
+                 * instead
+                 */
+                free(row[DB_name]);
+                row[DB_name] = strdup(row[DB_serial]);
+                if (row[DB_name] == NULL) {
+                        BIO_printf(bio_err, "Memory allocation failure\n");
+                        goto err;
+                }
+        }
+
         if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
                 BIO_printf(bio_err, "Memory allocation failure\n");
                 goto err;
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 9d9f5ca580..e698c33a0a 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.130 2021/08/29 12:33:15 tb Exp $
+.\" $OpenBSD: openssl.1,v 1.131 2021/09/05 01:55:54 inoguchi Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: August 29 2021 $
+.Dd $Mdocdate: September 5 2021 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -843,6 +843,10 @@ is given,
 several valid certificate entries may have the exact same subject.
 The default value is
 .Cm yes .
+.Pp
+Note that it is valid in some circumstances for certificates to be created
+without any subject. In the case where there are multiple certificates without
+subjects this does not count as a duplicate.
 .It Cm x509_extensions
 The same as
 .Fl extensions .