The branch master has been updated
via 01985122ae2b144cdd3a2061640e76bff491dc7f (commit)
via 5af88441f4fb1951a0672c0c0e1979cd44acdb69 (commit)
via 2cedf79474ebc7bf910980f397decfaddec7122b (commit)
via c845ff070d03052f10d9d183682388429cf4fd92 (commit)
via 62e394de9178df055265f528fc6b6c015951dd46 (commit)
from f929439f61e7e4cf40e06de56880758b5344f198 (commit)
- Log -----------------------------------------------------------------
commit 01985122ae2b144cdd3a2061640e76bff491dc7f
Author: Matt Caswell <m...@openssl.org>
Date: Wed Mar 14 14:32:48 2018 +0000
Fix a memory leak in the ca application
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
commit 5af88441f4fb1951a0672c0c0e1979cd44acdb69
Author: Matt Caswell <m...@openssl.org>
Date: Fri Feb 23 19:48:11 2018 +0000
Allow multiple entries without a Subject even if unique_subject == yes
It is quite likely for there to be multiple certificates with empty
subjects, which are still distinct because of subjectAltName. Therefore
we allow multiple certificates with an empty Subject even if
unique_subject is set to yes.
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
commit 2cedf79474ebc7bf910980f397decfaddec7122b
Author: Matt Caswell <m...@openssl.org>
Date: Fri Feb 23 18:28:47 2018 +0000
Report a readable error on a duplicate cert in ca app
Commit 87e8feca (16 years ago!) introduced a bug where if we are
attempting to insert a cert with a duplicate subject name, and
duplicate subject names are not allowed (which is the default),
then we get an unhelpful error message back (error number 2). Prior
to that commit we got a helpful error message which displayed details
of the conflicting entry in the database.
That commit was itself attempting to fix a bug with the noemailDN option
where we were setting the subject field in the database too early
(before extensions had made any amendments to it).
This PR moves the check for a conflicting Subject name until after all
changes to the Subject have been made by extensions etc.
This also, co-incidentally fixes the ca crashing bug described in issue
5109.
Fixes #5109
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
commit c845ff070d03052f10d9d183682388429cf4fd92
Author: Matt Caswell <m...@openssl.org>
Date: Fri Feb 23 09:46:30 2018 +0000
Revert "Don't allow an empty Subject when creating a Certificate"
This reverts commit e505f1e86874acfd98826d64c53bf2ddfd9c1399.
Empty Subjects should be permissible.
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
commit 62e394de9178df055265f528fc6b6c015951dd46
Author: Matt Caswell <m...@openssl.org>
Date: Fri Feb 23 09:46:06 2018 +0000
Revert "Don't crash on a missing Subject in index.txt"
This reverts commit 1e05c6d07ff963107286d028f6778d2ccc863a9a.
Empty subjects should be permissible.
Reviewed-by: Richard Levitte <levi...@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
-----------------------------------------------------------------------
Summary of changes:
apps/ca.c | 245 ++++++++++++++++++++++++++++----------------------------
doc/man1/ca.pod | 4 +
2 files changed, 128 insertions(+), 121 deletions(-)
diff --git a/apps/ca.c b/apps/ca.c
index 2819fea..d530cf5 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -664,10 +664,6 @@ end_of_options:
goto end;
}
}
- if (pp[DB_name][0] == '\0') {
- BIO_printf(bio_err, "entry %d: bad Subject\n", i + 1);
- goto end;
- }
}
if (verbose) {
TXT_DB_write(bio_out, db->db);
@@ -1375,7 +1371,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509
*x509,
CONF *lconf, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy, int selfsign)
{
- X509_NAME *name = NULL, *CAname = NULL, *subject = NULL, *dn_subject =
NULL;
+ X509_NAME *name = NULL, *CAname = NULL, *subject = NULL;
const ASN1_TIME *tm;
ASN1_STRING *str, *str2;
ASN1_OBJECT *obj;
@@ -1408,10 +1404,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509
*x509,
BIO_printf(bio_err, "The Subject's Distinguished Name is as
follows\n");
name = X509_REQ_get_subject_name(req);
- if (X509_NAME_entry_count(name) == 0) {
- BIO_printf(bio_err, "Error: The supplied Subject is empty\n");
- goto end;
- }
for (i = 0; i < X509_NAME_entry_count(name); i++) {
ne = X509_NAME_get_entry(name, i);
str = X509_NAME_ENTRY_get_data(ne);
@@ -1573,109 +1565,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509
*x509,
goto end;
}
- if (X509_NAME_entry_count(subject) == 0) {
- BIO_printf(bio_err,
- "Error: After applying policy the Subject is empty\n");
- goto end;
- }
-
- if (verbose)
- BIO_printf(bio_err,
- "The subject name appears to be ok, checking data base for
clashes\n");
-
- /*
- * Build the correct Subject if no e-mail is wanted in the subject.
- * And add it later on because of the method extensions are added (altName)
- */
-
- if (email_dn) {
- dn_subject = subject;
- } else {
- X509_NAME_ENTRY *tmpne;
- /*
- * Its best to dup the subject DN and then delete any email addresses
- * because this retains its structure.
- */
- if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
- BIO_printf(bio_err, "Memory allocation failure\n");
- goto end;
- }
- while ((i = X509_NAME_get_index_by_NID(dn_subject,
- NID_pkcs9_emailAddress,
- -1)) >= 0) {
- tmpne = X509_NAME_get_entry(dn_subject, i);
- X509_NAME_delete_entry(dn_subject, i);
- X509_NAME_ENTRY_free(tmpne);
- }
- }
-
- if (BN_is_zero(serial))
- row[DB_serial] = OPENSSL_strdup("00");
- else
- row[DB_serial] = BN_bn2hex(serial);
- if (row[DB_serial] == NULL) {
- BIO_printf(bio_err, "Memory allocation failure\n");
- goto end;
- }
-
- if (db->attributes.unique_subject) {
- OPENSSL_STRING *crow = row;
-
- rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
- if (rrow != NULL) {
- BIO_printf(bio_err,
- "ERROR:There is already a certificate for %s\n",
- row[DB_name]);
- }
- }
- if (rrow == NULL) {
- rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
- if (rrow != NULL) {
- BIO_printf(bio_err,
- "ERROR:Serial number %s has already been issued,\n",
- row[DB_serial]);
- BIO_printf(bio_err,
- " check the database/serial_file for
corruption\n");
- }
- }
-
- if (rrow != NULL) {
- BIO_printf(bio_err, "The matching entry has the following details\n");
- if (rrow[DB_type][0] == DB_TYPE_EXP)
- p = "Expired";
- else if (rrow[DB_type][0] == DB_TYPE_REV)
- p = "Revoked";
- else if (rrow[DB_type][0] == DB_TYPE_VAL)
- p = "Valid";
- else
- p = "\ninvalid type, Data base error\n";
- BIO_printf(bio_err, "Type :%s\n", p);;
- if (rrow[DB_type][0] == DB_TYPE_REV) {
- p = rrow[DB_exp_date];
- if (p == NULL)
- p = "undef";
- BIO_printf(bio_err, "Was revoked on:%s\n", p);
- }
- p = rrow[DB_exp_date];
- if (p == NULL)
- p = "undef";
- BIO_printf(bio_err, "Expires on :%s\n", p);
- p = rrow[DB_serial];
- if (p == NULL)
- p = "undef";
- BIO_printf(bio_err, "Serial Number :%s\n", p);
- p = rrow[DB_file];
- if (p == NULL)
- p = "undef";
- BIO_printf(bio_err, "File name :%s\n", p);
- p = rrow[DB_name];
- if (p == NULL)
- p = "undef";
- BIO_printf(bio_err, "Subject Name :%s\n", p);
- ok = -1; /* This is now a 'bad' error. */
- goto end;
- }
-
/* We are now totally happy, lets make and sign the certificate */
if (verbose)
BIO_printf(bio_err,
@@ -1785,10 +1674,123 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509
*x509,
goto end;
}
- /* Set the right value for the noemailDN option */
- if (email_dn == 0) {
- if (!X509_set_subject_name(ret, dn_subject))
+ if (verbose)
+ BIO_printf(bio_err,
+ "The subject name appears to be ok, checking data base for
clashes\n");
+
+ /* Build the correct Subject if no e-mail is wanted in the subject. */
+ if (!email_dn) {
+ X509_NAME_ENTRY *tmpne;
+ X509_NAME *dn_subject;
+
+ /*
+ * Its best to dup the subject DN and then delete any email addresses
+ * because this retains its structure.
+ */
+ if ((dn_subject = X509_NAME_dup(subject)) == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto end;
+ }
+ while ((i = X509_NAME_get_index_by_NID(dn_subject,
+ NID_pkcs9_emailAddress,
+ -1)) >= 0) {
+ tmpne = X509_NAME_get_entry(dn_subject, i);
+ X509_NAME_delete_entry(dn_subject, i);
+ X509_NAME_ENTRY_free(tmpne);
+ }
+
+ if (!X509_set_subject_name(ret, dn_subject)) {
+ X509_NAME_free(dn_subject);
+ goto end;
+ }
+ X509_NAME_free(dn_subject);
+ }
+
+ row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
+ if (row[DB_name] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto end;
+ }
+
+ if (BN_is_zero(serial))
+ row[DB_serial] = OPENSSL_strdup("00");
+ else
+ row[DB_serial] = BN_bn2hex(serial);
+ if (row[DB_serial] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
+ goto end;
+ }
+
+ if (row[DB_name][0] == '\0') {
+ /*
+ * An empty subject! We'll use the serial number instead. If
+ * unique_subject is in use then we don't want different entries with
+ * empty subjects matching each other.
+ */
+ OPENSSL_free(row[DB_name]);
+ row[DB_name] = OPENSSL_strdup(row[DB_serial]);
+ if (row[DB_name] == NULL) {
+ BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
+ }
+ }
+
+ if (db->attributes.unique_subject) {
+ OPENSSL_STRING *crow = row;
+
+ rrow = TXT_DB_get_by_index(db->db, DB_name, crow);
+ if (rrow != NULL) {
+ BIO_printf(bio_err,
+ "ERROR:There is already a certificate for %s\n",
+ row[DB_name]);
+ }
+ }
+ if (rrow == NULL) {
+ rrow = TXT_DB_get_by_index(db->db, DB_serial, row);
+ if (rrow != NULL) {
+ BIO_printf(bio_err,
+ "ERROR:Serial number %s has already been issued,\n",
+ row[DB_serial]);
+ BIO_printf(bio_err,
+ " check the database/serial_file for
corruption\n");
+ }
+ }
+
+ if (rrow != NULL) {
+ BIO_printf(bio_err, "The matching entry has the following details\n");
+ if (rrow[DB_type][0] == DB_TYPE_EXP)
+ p = "Expired";
+ else if (rrow[DB_type][0] == DB_TYPE_REV)
+ p = "Revoked";
+ else if (rrow[DB_type][0] == DB_TYPE_VAL)
+ p = "Valid";
+ else
+ p = "\ninvalid type, Data base error\n";
+ BIO_printf(bio_err, "Type :%s\n", p);;
+ if (rrow[DB_type][0] == DB_TYPE_REV) {
+ p = rrow[DB_exp_date];
+ if (p == NULL)
+ p = "undef";
+ BIO_printf(bio_err, "Was revoked on:%s\n", p);
+ }
+ p = rrow[DB_exp_date];
+ if (p == NULL)
+ p = "undef";
+ BIO_printf(bio_err, "Expires on :%s\n", p);
+ p = rrow[DB_serial];
+ if (p == NULL)
+ p = "undef";
+ BIO_printf(bio_err, "Serial Number :%s\n", p);
+ p = rrow[DB_file];
+ if (p == NULL)
+ p = "undef";
+ BIO_printf(bio_err, "File name :%s\n", p);
+ p = rrow[DB_name];
+ if (p == NULL)
+ p = "undef";
+ BIO_printf(bio_err, "Subject Name :%s\n", p);
+ ok = -1; /* This is now a 'bad' error. */
+ goto end;
}
if (!default_op) {
@@ -1840,8 +1842,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509
*x509,
row[DB_exp_date][tm->length] = '\0';
row[DB_rev_date] = NULL;
row[DB_file] = OPENSSL_strdup("unknown");
- row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
-
if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
(row[DB_file] == NULL) || (row[DB_name] == NULL)) {
BIO_printf(bio_err, "Memory allocation failure\n");
@@ -1861,16 +1861,14 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509
*x509,
irow = NULL;
ok = 1;
end:
- if (irow != NULL) {
+ if (ok != 1) {
for (i = 0; i < DB_NUMBER; i++)
OPENSSL_free(row[i]);
- OPENSSL_free(irow);
}
+ OPENSSL_free(irow);
X509_NAME_free(CAname);
X509_NAME_free(subject);
- if (dn_subject != subject)
- X509_NAME_free(dn_subject);
if (ok <= 0)
X509_free(ret);
else
@@ -2050,6 +2048,11 @@ static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE
rev_type,
else
row[DB_serial] = BN_bn2hex(bn);
BN_free(bn);
+ if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
+ /* Entries with empty Subjects actually use the serial number instead
*/
+ OPENSSL_free(row[DB_name]);
+ row[DB_name] = OPENSSL_strdup(row[DB_serial]);
+ }
if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod
index 9c5af4a..c09f98e 100644
--- a/doc/man1/ca.pod
+++ b/doc/man1/ca.pod
@@ -469,6 +469,10 @@ versions of OpenSSL. However, to make CA certificate
roll-over easier,
it's recommended to use the value B<no>, especially if combined with
the B<-selfsign> command line option.
+Note that it is valid in some circumstances for certificates to be created
+without any subject. In the case where there are multiple certificates without
+subjects this does not count as a duplicate.
+
=item B<serial>
A text file containing the next serial number to use in hex. Mandatory.
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
