Hello All,
Bug Description : The -subj option of the req command does not refer to the
openssl.cnf file to check the minimum and maximum limits of each field.
Operating System : HPUX 11iv1, HPUX 11iv2 and Linux
OpenSSL Version : 0.9.8 and all prior versions
Detailed Description:
When creating a self-signed certificate using the req command, we can specify the
X509 name either by using the -subj option or by prompting the users to enter the
values.
i. prompting the user to enter the values
Here we do not use the -subj option and the users are prompted for the X509 name
parameters. The values entered by the user are checked against the minimum and maximum
limits of each field specified in the openssl.cnf file. This is because the
req_check_len function is called to verify the field length.
Flow : make_REQ( ) ---> prompt_info( ) ---> add_DN_object( ) --->
req_check_len()
e.g. I have set the value of commonName_max = 5 in openssl.cnf
# openssl req -x509 -out cacert.pem -new -keyout cakey.pem -nodes
Common Name (eg, YOUR name) []:xxxxxxxxxx
string is too long, it needs to be less than 5 bytes long
Fails
ii. -subj option
Here we use the -subj option and specify the X509 name parameters on the
command line itself. These values are not checked against the minimum and maximum
limits of each field specified in the openssl.cnf file. This is because the
req_check_len function is not called.
Flow : make_REQ( ) ---> build_subject( ) ---> parse_name( )
//req_check_len is not called
e.g. I have set the value of commonName_max = 5 in openssl.cnf
# openssl req -x509 -out cacert.pem -new -keyout cakey.pem -subj
/C=INN/ST=TamilNadu/L=CBE/O=test/CN=xxxxxxxxxx -nodes
Successful
Suggestion for OpenSSL 0.9.8 :
The following code can be added in the file apps/apps.c between lines 2135 and
2137 to check the minimum and maximum limits of each field specified in the
-subj option against the limits specified in the openssl.cnf file.
2133 BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
2134 continue;
2135 }
//
-------------------------------------------------------------------------------------------------------
//
{
const char *longname;
char buffer[100];
char *p;
long n_min,n_max;
long errline;
int len_buf,j;
CONF *req_conf=NULL;
char *dn_sect;
/* Get the longname from the NID */
longname=OBJ_nid2ln(nid);
/* Load the default configuration file. Note that this reloads it for
 * every entry of the -subj string; it could be loaded once before the loop. */
p=make_config_name();
req_conf=NCONF_new(NULL);
j=NCONF_load(req_conf, p, &errline);
if (j == 0)
{
BIO_printf(bio_err,"error on line %ld of %s\n",errline,p);
NCONF_free(req_conf); OPENSSL_free(p);
goto error;
}
dn_sect=NCONF_get_string(req_conf,"req","distinguished_name");
if (dn_sect == NULL)
{
BIO_printf(bio_err,"unable to find distinguished_name in config %s\n",p);
NCONF_free(req_conf); OPENSSL_free(p);
goto error;
}
/* Get the min length of the field from the config file (-1 if not set) */
BIO_snprintf(buffer,sizeof buffer,"%s_min",longname);
if (!NCONF_get_number(req_conf,dn_sect,buffer, &n_min))
{
ERR_clear_error();
n_min = -1;
}
/* Get the max length of the field from the config file (-1 if not set) */
BIO_snprintf(buffer,sizeof buffer,"%s_max",longname);
if (!NCONF_get_number(req_conf,dn_sect,buffer, &n_max))
{
ERR_clear_error();
n_max = -1;
}
/* Compare the length of the field against the allowable minimum and maximum,
 * using the same tests and messages as req_check_len() in apps/req.c */
len_buf=strlen(ne_values[i]);
if ((n_min > 0) && (len_buf < n_min))
{
BIO_printf(bio_err,"%s is too short, it needs to be at least %ld bytes long\n",longname,n_min);
NCONF_free(req_conf); OPENSSL_free(p);
goto error;
}
if ((n_max >= 0) && (len_buf > n_max))
{
BIO_printf(bio_err,"%s is too long, it needs to be less than %ld bytes long\n",longname,n_max);
NCONF_free(req_conf); OPENSSL_free(p);
goto error;
}
NCONF_free(req_conf);
OPENSSL_free(p);
}
//
-------------------------------------------------------------------------------------------------------
//
2137 if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,mval[i]))
2138 goto error;
2139 }
Thanks,
Prakash Babu
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
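As an added worked example (not part of the report above and not OpenSSL's own code), the following standalone C program shows the check that the -subj path is missing: it splits a -subj string into type=value fields the way parse_name() does and applies the same min/max decision as req_check_len(), with a hard-coded table standing in for the [req_distinguished_name] limits of openssl.cnf. The table uses countryName_min/_max = 2 (the stock openssl.cnf values) and commonName_max = 5 (the value used in the report). The names check_subject, check_len, lookup_limit, dn_limit and the limits table are assumptions of this example; escaped slashes in the subject are not handled, and the "too long" message says "at most" because the test is len > max.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the [req_distinguished_name] section of
 * openssl.cnf: short name, long name, <longname>_min, <longname>_max
 * (-1 means the limit is not set). countryName 2/2 matches the stock
 * openssl.cnf; commonName_max = 5 is the value used in the report. */
struct dn_limit {
    const char *sn;
    const char *ln;
    long n_min;
    long n_max;
};

static const struct dn_limit limits[] = {
    { "C",  "countryName",            2,   2 },
    { "ST", "stateOrProvinceName",   -1, 128 },
    { "L",  "localityName",          -1, 128 },
    { "O",  "organizationName",      -1,  64 },
    { "OU", "organizationalUnitName",-1,  64 },
    { "CN", "commonName",            -1,   5 },
    { NULL, NULL, -1, -1 }
};

/* Accepts the short or the long attribute name, as OBJ_txt2nid() does. */
static const struct dn_limit *lookup_limit(const char *type, size_t type_len)
{
    const struct dn_limit *l;
    for (l = limits; l->sn != NULL; l++) {
        if ((strlen(l->sn) == type_len && memcmp(l->sn, type, type_len) == 0) ||
            (strlen(l->ln) == type_len && memcmp(l->ln, type, type_len) == 0))
            return l;
    }
    return NULL;
}

/* Same decision as req_check_len(): 0 = ok, -1 = too short, -2 = too long. */
int check_len(long len, long n_min, long n_max)
{
    if (n_min > 0 && len < n_min)
        return -1;
    if (n_max >= 0 && len > n_max)
        return -2;
    return 0;
}

/* Walks a -subj string of the form /type=value/type=value... and checks each
 * value against the table. Returns 0 when every field is within its limits;
 * otherwise returns 1 and writes the reason into err. Empty values are
 * skipped, as parse_name() does. Escaped slashes are not handled here. */
int check_subject(const char *subj, char *err, size_t errlen)
{
    const char *p;

    if (subj == NULL || subj[0] != '/') {
        snprintf(err, errlen, "subject must start with '/'");
        return 1;
    }
    p = subj + 1;
    while (*p != '\0') {
        const char *end = strchr(p, '/');
        const char *eq;
        const struct dn_limit *lim;
        size_t field_len, value_len;
        int rc;

        if (end == NULL)
            end = p + strlen(p);
        field_len = (size_t)(end - p);
        if (field_len == 0) {              /* tolerate "//" */
            p = end + 1;
            continue;
        }
        eq = memchr(p, '=', field_len);
        if (eq == NULL) {
            snprintf(err, errlen, "Subject Attribute '%.*s' has no '='", (int)field_len, p);
            return 1;
        }
        lim = lookup_limit(p, (size_t)(eq - p));
        if (lim == NULL) {
            snprintf(err, errlen, "Subject Attribute '%.*s' is not recognised", (int)(eq - p), p);
            return 1;
        }
        value_len = (size_t)(end - eq - 1);
        if (value_len > 0) {
            rc = check_len((long)value_len, lim->n_min, lim->n_max);
            if (rc == -1) {
                snprintf(err, errlen, "%s is too short, it needs to be at least %ld bytes long", lim->ln, lim->n_min);
                return 1;
            }
            if (rc == -2) {
                snprintf(err, errlen, "%s is too long, it needs to be at most %ld bytes long", lim->ln, lim->n_max);
                return 1;
            }
        }
        p = (*end == '/') ? end + 1 : end;
    }
    err[0] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: the -subj value from the report and a conforming one. */
    const char *bad = "/C=INN/ST=TamilNadu/L=CBE/O=test/CN=xxxxxxxxxx";
    const char *good = "/C=IN/ST=TamilNadu/L=CBE/O=test/CN=xxxxx";
    char err[128];

    if (check_subject(bad, err, sizeof err) != 0)
        printf("%s: rejected: %s\n", bad, err);
    if (check_subject(good, err, sizeof err) == 0)
        printf("%s: accepted\n", good);
    return 0;
}
```

Note that the report's own -subj value, /C=INN/..., is rejected on countryName first: C=INN is three bytes, and the stock openssl.cnf sets countryName_max = 2, so it slips through for the same reason the 10-byte commonName does.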