Hello All,
I am using OpenSSL
0.9.8
When creating a self-signed certificate with the req command, the X509 subject name can be specified either with the -subj option or by prompting the user to enter the values.
i. prompting the
user to enter the values
eg # openssl req -x509 -out cacert.pem
-new -keyout cakey.pem -nodes
Country Name (2 letter code) [AU]:INN
string is too long, it needs to be less than 2 bytes long
Here the values entered by the user are checked against the minimum and maximum limits of each field specified in the openssl.conf file.
Reason: the req_check_len function is called to verify the field length.
Flow : make_REQ( )
---> prompt_info( ) ---> add_DN_object( ) --->
req_check_len()
ii -subj
option
eg # openssl req -x509
-out cacert.pem -new -keyout cakey.pem -subj
/C=IN/ST=TamilNadu/L=CBE/O=test/CN=test -nodes
Here the values entered by the user are not checked against the minimum and maximum limits of each field specified in the openssl.conf file.
Reason: the req_check_len function is not called.
Flow : make_REQ( ) ---> build_subject( ) --->
parse_name( ) //req_check_len is not called
Is this a bug?
Suggestion for OpenSSL 0.9.8: the following code can be added to apps/apps.c between lines 2135 and 2137 to check each field against the minimum and maximum limits specified in the openssl.conf file. (As posted, the snippet re-reads the configuration file for every attribute without ever freeing req_conf, passes req_conf rather than the file name p to the %s in its load-error message, and prints the long values n_min/n_max with %d, so it needs tidying before it is applied.)
2133
BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n",
ne_types[i]);
2134 continue; 2135 } // ------------------------------------------------------------------------------------------------------- // const char *longname;
char buffer[100]; char longname_min[256],longname_max[256],*p; long n_min,n_max,j; long errline; int len_buf; static CONF *req_conf=NULL; char *dn_sect,*value; //Get the longname from the
NID
longname=OBJ_nid2ln(nid); //Load the default configuration
file
p=make_config_name(); req_conf=NCONF_new(NULL); j=NCONF_load(req_conf, p, &errline); if (j == 0) { BIO_printf(bio_err,"error on line %ld of %s\n",errline,req_conf); goto error; } dn_sect=NCONF_get_string(req_conf,"req","distinguished_name");
if (dn_sect == NULL)
{ BIO_printf(bio_err,"unable to find distinguished_name in config %s\n",p); goto error; } if ((value=NCONF_get_string(req_conf,dn_sect,longname)) ==
NULL)
{ ERR_clear_error(); value=NULL; } //Get the min length of the field from config
file
BIO_snprintf(buffer,sizeof buffer,"%s_min",longname); if (!NCONF_get_number(req_conf,dn_sect,buffer, &n_min)) { ERR_clear_error(); n_min = -1; } //Get the max length of the field from config
file
BIO_snprintf(buffer,sizeof buffer,"%s_max",longname); if (!NCONF_get_number(req_conf,dn_sect,buffer, &n_max)) { ERR_clear_error(); n_max = -1; } //Compare the length of field against against the allowable
minimum and maximum
len_buf=strlen(ne_values[i]);
if ((n_min > 0) && (len_buf < n_min)) { BIO_printf(bio_err,"%s is too short, it needs to be at least %d bytes long\n",longname,n_min); goto error; } if ((n_max >= 0) && (len_buf > n_max)) { BIO_printf(bio_err,"%s is too long, it needs to be less than %d bytes long\n",longname,n_max); goto error; } // -------------------------------------------------------------------------------------------------------
//
2137
if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i],
-1,-1,mval[i]))
2138 goto error; 2139 } Thanks,
Prakash Babu