authorinoguchi <>2021-09-05 01:55:54 +0000
committerinoguchi <>2021-09-05 01:55:54 +0000
commit83ebf782e22a8260f1b7351fad667dea16e564e0 (patch)
tree2bea90f7763639386d4bddf8a150702b05a996b0 /src/usr.bin/openssl/ca.c
parent7134aa2bffb65c1e99f76a6de8c4e8376d134e93 (diff)
Using serial number instead as subject if it is empty in openssl(1) ca
This allows multiple entries without a subject even if unique_subject == yes. Referred to OpenSSL commit 5af88441 and arranged for our codebase. ok tb@
Diffstat (limited to 'src/usr.bin/openssl/ca.c')
-rw-r--r--src/usr.bin/openssl/ca.c31
1 files changed, 30 insertions, 1 deletions
diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c
index 1d28532ed3..b24febd9f6 100644
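--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.47 2021/09/05 01:49:42 inoguchi Exp $ */
+/* $OpenBSD: ca.c,v 1.48 2021/09/05 01:55:54 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2124,6 +2124,21 @@ do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
  BIO_printf(bio_err, "Memory allocation failure\n");
  goto err;
  }
+
+ if (row[DB_name][0] == '\0') {
+ /*
+ * An empty subject! We'll use the serial number instead. If
+ * unique_subject is in use then we don't want different
+ * entries with empty subjects matching each other.
+ */
+ free(row[DB_name]);
+ row[DB_name] = strdup(row[DB_serial]);
+ if (row[DB_name] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto err;
+ }
+ }
+
  if (db->attributes.unique_subject) {
  OPENSSL_STRING *crow = row;
 
@@ -2469,6 +2484,20 @@ do_revoke(X509 *x509, CA_DB *db, int type, char *value)
  else
  row[DB_serial] = BN_bn2hex(bn);
  BN_free(bn);
+
+ if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
+ /*
+ * Entries with empty Subjects actually use the serial number
+ * instead
+ */
+ free(row[DB_name]);
+ row[DB_name] = strdup(row[DB_serial]);
+ if (row[DB_name] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto err;
+ }
+ }
+
  if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
  BIO_printf(bio_err, "Memory allocation failure\n");
  goto err;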
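Review bot: In the do_revoke hunk the new block calls `strdup(row[DB_serial])` before the existing check that `row[DB_serial]` is non-NULL, which only runs a few lines later. `row[DB_serial]` is assigned from `BN_bn2hex(bn)` just above, which can return NULL on allocation failure, and passing NULL to libc `strdup` is undefined behaviour, so an empty subject combined with that failure would likely crash instead of reaching the "Memory allocation failure" path. Extending the guard to `if (row[DB_name] != NULL && row[DB_serial] != NULL && row[DB_name][0] == '\0') {` keeps the failure on the existing error path; moving the block below the combined NULL check would work as well. The do_body hunk makes the same `strdup(row[DB_serial])` call, and whether `row[DB_serial]` has already been checked there cannot be seen from the hunk, since both functions start and end outside the shown lines.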