Allow multiple entries without a Subject even if unique_subject == yes

It is quite likely for there to be multiple certificates with empty
subjects, which are still distinct because of subjectAltName. Therefore
we allow multiple certificates with an empty Subject even if
unique_subject is set to yes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)

diff --git a/apps/ca.c b/apps/ca.c
index 1fdc2e417d26bf889220910bdf068db25176e83f..743e48185b8a67676c4ff9aa436d7af2f9c0a528 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1721,6 +1721,20 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         goto end;
     }
 
         goto end;
     }
 

+    if (row[DB_name][0] == '\0') {
+        /*
+         * An empty subject! We'll use the serial number instead. If
+         * unique_subject is in use then we don't want different entries with
+         * empty subjects matching each other.
+         */
+        OPENSSL_free(row[DB_name]);
+        row[DB_name] = OPENSSL_strdup(row[DB_serial]);
+        if (row[DB_name] == NULL) {
+            BIO_printf(bio_err, "Memory allocation failure\n");
+            goto end;
+        }
+    }
+

     if (db->attributes.unique_subject) {
         OPENSSL_STRING *crow = row;
 
     if (db->attributes.unique_subject) {
         OPENSSL_STRING *crow = row;
 


@@ -2034,6 +2048,11 @@ static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type,
     else
         row[DB_serial] = BN_bn2hex(bn);
     BN_free(bn);
     else
         row[DB_serial] = BN_bn2hex(bn);
     BN_free(bn);

+    if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
+        /* Entries with empty Subjects actually use the serial number instead */
+        OPENSSL_free(row[DB_name]);
+        row[DB_name] = OPENSSL_strdup(row[DB_serial]);
+    }

     if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
         BIO_printf(bio_err, "Memory allocation failure\n");
         goto end;
     if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
         BIO_printf(bio_err, "Memory allocation failure\n");
         goto end;

diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod
index 9c5af4a8913fc9e4275c56719ebfbc0ac9e08cce..c09f98e96fb13bf25cc227993b61d1ffa1c8e7b5 100644 (file)
--- a/doc/man1/ca.pod
+++ b/doc/man1/ca.pod
@@ -469,6 +469,10 @@ versions of OpenSSL.  However, to make CA certificate roll-over easier,
 it's recommended to use the value B<no>, especially if combined with
 the B<-selfsign> command line option.
 
 it's recommended to use the value B<no>, especially if combined with
 the B<-selfsign> command line option.
 

+Note that it is valid in some circumstances for certificates to be created
+without any subject. In the case where there are multiple certificates without
+subjects this does not count as a duplicate. 
+

 =item B<serial>
 
 A text file containing the next serial number to use in hex. Mandatory.
 =item B<serial>
 
 A text file containing the next serial number to use in hex. Mandatory.