Don't allow an empty Subject when creating a Certificate

Misconfiguration (e.g. an empty policy section in the config file) can lead to an empty Subject. Since certificates should have unique Subjects this should not be allowed. Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5114)

Don't allow an empty Subject when creating a Certificate
Misconfiguration (e.g. an empty policy section in the config file) can lead to an empty Subject. Since certificates should have unique Subjects this should not be allowed. Reviewed-by: N Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5114)
e505f1e8 · Matt Caswell · 154d8c13 · e505f1e8
隐藏空白更改
内联并排

Showing with 10 addition and 0 deletion

apps/ca.c apps/ca.c +10 -0

未找到文件。
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1403,6 +1403,10 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
        BIO_printf(bio_err, "The Subject's Distinguished Name is as follows\n");

    name = X509_REQ_get_subject_name(req);
+    if (X509_NAME_entry_count(name) == 0) {
+        BIO_printf(bio_err, "Error: The supplied Subject is empty\n");
+        goto end;
+    }
    for (i = 0; i < X509_NAME_entry_count(name); i++) {
        ne = X509_NAME_get_entry(name, i);
        str = X509_NAME_ENTRY_get_data(ne);
@@ -1565,6 +1569,12 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
            goto end;
    }

+    if (X509_NAME_entry_count(subject) == 0) {
+        BIO_printf(bio_err,
+                   "Error: After applying policy the Subject is empty\n");
+        goto end;
+    }
+
    if (verbose)
        BIO_printf(bio_err,
                   "The subject name appears to be ok, checking data base for clashes\n");