Commit 5af88441 authored by: Matt Caswell

Allow multiple entries without a Subject even if unique_subject == yes

It is quite likely for there to be multiple certificates with empty
subjects, which are still distinct because of subjectAltName. Therefore
we allow multiple certificates with an empty Subject even if
unique_subject is set to yes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5444)
Parent 2cedf794
...@@ -1721,6 +1721,20 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, ...@@ -1721,6 +1721,20 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
goto end; goto end;
} }
if (row[DB_name][0] == '\0') {
/*
* An empty subject! We'll use the serial number instead. If
* unique_subject is in use then we don't want different entries with
* empty subjects matching each other.
*/
OPENSSL_free(row[DB_name]);
row[DB_name] = OPENSSL_strdup(row[DB_serial]);
if (row[DB_name] == NULL) {
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
}
if (db->attributes.unique_subject) { if (db->attributes.unique_subject) {
OPENSSL_STRING *crow = row; OPENSSL_STRING *crow = row;
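Review bot: the new block in do_body() substitutes row[DB_serial] into row[DB_name] unconditionally, while its comment ties the motivation to unique_subject; since the substitution also changes what is written to the index database for every empty-subject entry regardless of that setting, the comment should say so, and the block relies on row[DB_serial] already being populated here, because OPENSSL_strdup() of a NULL serial would return NULL and be reported as "Memory allocation failure", which would be misleading. Consider adding a one-line note that row[DB_serial] is set earlier in do_body(), and wording the comment as "Entries with an empty subject are stored under their serial number so that, when unique_subject is in use, they do not match each other."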
...@@ -2034,6 +2048,11 @@ static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type, ...@@ -2034,6 +2048,11 @@ static int do_revoke(X509 *x509, CA_DB *db, REVINFO_TYPE rev_type,
else else
row[DB_serial] = BN_bn2hex(bn); row[DB_serial] = BN_bn2hex(bn);
BN_free(bn); BN_free(bn);
if (row[DB_name] != NULL && row[DB_name][0] == '\0') {
/* Entries with empty Subjects actually use the serial number instead */
OPENSSL_free(row[DB_name]);
row[DB_name] = OPENSSL_strdup(row[DB_serial]);
}
if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) { if ((row[DB_name] == NULL) || (row[DB_serial] == NULL)) {
BIO_printf(bio_err, "Memory allocation failure\n"); BIO_printf(bio_err, "Memory allocation failure\n");
goto end; goto end;
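Review bot: the empty-subject-to-serial mapping is now duplicated in do_revoke() and do_body(), and a revocation lookup only finds the entry if both sites encode the name identically, so any future change to one of them silently breaks the other; suggest factoring the three lines `OPENSSL_free(row[DB_name]); row[DB_name] = OPENSSL_strdup(row[DB_serial]);` behind the `row[DB_name][0] == '\0'` test into a small static helper used by both call sites. The NULL handling here is otherwise sound: if BN_bn2hex() failed, OPENSSL_strdup(NULL) yields NULL and the existing `(row[DB_name] == NULL) || (row[DB_serial] == NULL)` check immediately below reports it.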
......
...@@ -469,6 +469,10 @@ versions of OpenSSL. However, to make CA certificate roll-over easier, ...@@ -469,6 +469,10 @@ versions of OpenSSL. However, to make CA certificate roll-over easier,
it's recommended to use the value B<no>, especially if combined with it's recommended to use the value B<no>, especially if combined with
the B<-selfsign> command line option. the B<-selfsign> command line option.
Note that it is valid in some circumstances for certificates to be created
without any subject. In the case where there are multiple certificates without
subjects this does not count as a duplicate.
=item B<serial> =item B<serial>
A text file containing the next serial number to use in hex. Mandatory. A text file containing the next serial number to use in hex. Mandatory.
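Review bot: the added paragraph says multiple subject-less certificates do not count as duplicates but does not tell the reader how that is achieved, and operators who inspect or parse the index database will see the certificate's serial number in the subject column for such entries; suggest extending the paragraph with a sentence along the lines of "Such entries are recorded in the database under their serial number in place of the subject", so the on-disk format change is documented alongside the behaviour change.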
......