diff --git a/apps/ca.c b/apps/ca.c
index 1fdc2e417d26bf889220910bdf068db25176e83f..743e48185b8a67676c4ff9aa436d7af2f9c0a528 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1721,6 +1721,20 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
         goto end;
     }
 
+    if (row[DB_name][0] == '\0') {
+        /*
+         * An empty subject! We'll use the serial number instead. If
+         * unique_subject is in use then we don't want different entries with
+         * empty subjects matching each other.
+         */
+        OPENSSL_free(row[DB_name]);
+        row[DB_name] = OPENSSL_strdup(row[DB_serial]);
+        if (row[DB_name] == NULL) {
+            BIO_printf(bio_err, "Memory allocation failure\n");
+            goto end;
+        }
+    }
+
     if (db->attributes.unique_subject) {
         OPENSSL_STRING *crow = row;
 
@@ -2034,6 +2048,11 @@ static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type,
     else
         row[DB_serial] = BN_bn2hex(bn);
     BN_free(bn);
+    if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
+        /* Entries with empty Subjects actually use the serial number instead */
+        OPENSSL_free(row[DB_name]);
+        row[DB_name] = OPENSSL_strdup(row[DB_serial]);
+    }
     if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
         BIO_printf(bio_err, "Memory allocation failure\n");
         goto end;
diff --git a/doc/man1/ca.pod b/doc/man1/ca.pod
index 9c5af4a8913fc9e4275c56719ebfbc0ac9e08cce..c09f98e96fb13bf25cc227993b61d1ffa1c8e7b5 100644
--- a/doc/man1/ca.pod
+++ b/doc/man1/ca.pod
@@ -469,6 +469,10 @@ versions of OpenSSL. However, to make CA certificate roll-over easier, it's
 recommended to use the value B, especially if combined with
 the B<-selfsign> command line option.
 
+Note that it is valid in some circumstances for certificates to be created
+without any subject. In the case where there are multiple certificates without
+subjects this does not count as a duplicate.
+
 =item B
 
 A text file containing the next serial number to use in hex. Mandatory.
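Review bot: The new branch in do_body reads `row[DB_name][0]` with no NULL guard, while the sibling change in do_revoke spells the same test as `row[DB_name] != NULL && row[DB_name][0] == '\0'`; presumably do_body has already rejected a NULL row[DB_name] above this hunk (not visible here), but the two sites should use one form so a later reordering cannot turn this into a NULL dereference. The comment should also say that the substitution is persisted: the name column of index.txt now holds the hex serial for such entries, so any code that looks an entry up by DB_name must apply the same rewrite, e.g. `* The serial string is what gets written to the DB_name column, so lookups by name for such certificates must substitute the serial the same way (see do_revoke).` do_body continues outside the hunk.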
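Review bot: The added block in do_revoke runs before the existing `row[DB_serial] == NULL` check, so when BN_bn2hex has failed it passes a NULL to `OPENSSL_strdup` and relies on that returning NULL to reach the "Memory allocation failure" path; moving the five added lines below that check removes the dependency and keeps the error attributed to the serial rather than the name. Once moved, the strdup result still needs its own NULL check, e.g. `if (row[DB_name] == NULL) goto end;` after the BIO_printf, since the original check is then already behind it. Separately, entries written by an older ca with an empty name column will not match the rewritten name here if the later lookup compares DB_name (the lookup is outside the hunk), which is worth a sentence in the comment. do_revoke continues outside the hunk.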