On my problem:
> > regarding my yesterday's post to enable the apps x509 and req to work
> > with empty subject DNs (as permitted, even suggested by PKIX for certs
> > with non-human subjects), I found another problem that I'm going to do
> > something about now. The ca tool depends on the subject DN when using
> > the index.txt database [crypto/txt_db]. This is a problem.
Dr S N Henson most helpfully suggested:
> Do you need the 'ca' tool to handle that? The 'x509' tool can do most
> things that the 'ca' tool can but without the (allegedly) friendly
> front end.
Steve, thanks again for your suggestion. It works for me with x509
only, leaving the CRL worries for the future...
However, I found another such case where the presence of subject DN
elements was simply assumed instead of tested. This patch fixes
that hole in apps/x509.c.
Thanks,
-Gunther
PS: Who is responsible for adding these diffs to the code? How
are these things tracked? Is there a gnat system for openssl?
Is it O.K. to just submit to openssl-dev? Is there any orderly
process for such patches?
*** apps/x509.c~ Tue Oct 16 18:05:06 2001
--- apps/x509.c Wed Oct 17 13:50:10 2001
***************
*** 547,553 ****
else
BIO_printf(bio_err,"Signature ok\n");
! print_name(bio_err, "subject=",
X509_REQ_get_subject_name(req), nmflag);
if ((x=X509_new()) == NULL) goto end;
ci=x->cert_info;
--- 547,558 ----
else
BIO_printf(bio_err,"Signature ok\n");
! {
! X509_NAME *subj = NULL;
! subj = X509_REQ_get_subject_name(req);
! if (subj && (X509_NAME_entry_count(subj) > 0))
! print_name(bio_err, "subject=", subj,
nmflag);
! }
if ((x=X509_new()) == NULL) goto end;
ci=x->cert_info;
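Review bot: the new guard `if (subj && (X509_NAME_entry_count(subj) > 0))` prints nothing at all when the request's subject is NULL or has no entries, so "Signature ok" is no longer followed by any subject line and a reader of the output cannot tell an empty DN from a line that went missing. Consider an else branch that writes a fixed marker for the empty case to bio_err, plus a one-line comment noting that empty subject DNs are legitimate. Two smaller points: `X509_NAME *subj = NULL;` followed immediately by the assignment can be folded into a single initialised declaration, and the bare block opening right after the unbraced `else` reads as if it were the else body, so a comment or explicit braces on the else would make the scoping clear.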
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]