author | Matt Caswell <matt@openssl.org> | 2018-01-19 14:34:56 +0000 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-01-22 10:19:55 +0000 |
commit | dd37f6f12cc14cc4710289746b112eb0fed3b0b7 (patch) | |
tree | 48b6d57118cefb669109ec0fee426059a6ae1d7e | |
parent | 6e17c64b17882cf03f9224aa454e600a7152817a (diff) |
Don't allow an empty Subject when creating a Certificate
Misconfiguration (e.g. an empty policy section in the config file) can
lead to an empty Subject. Since certificates should have unique Subjects
this should not be allowed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5115)
-rw-r--r-- | apps/ca.c | 10 |
1 files changed, 10 insertions, 0 deletions
@@ -1672,6 +1672,10 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, "The Subject's Distinguished Name is as follows\n"); name = X509_REQ_get_subject_name(req); + if (X509_NAME_entry_count(name) == 0) { + BIO_printf(bio_err, "Error: The supplied Subject is empty\n"); + goto err; + } for (i = 0; i < X509_NAME_entry_count(name); i++) { ne = X509_NAME_get_entry(name, i); str = X509_NAME_ENTRY_get_data(ne); @@ -1836,6 +1840,12 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, goto err; } + if (X509_NAME_entry_count(subject) == 0) { + BIO_printf(bio_err, + "Error: After applying policy the Subject is empty\n"); + goto err; + } + if (verbose) BIO_printf(bio_err, "The subject name appears to be ok, checking data base for clashes\n"); |
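Review bot: Both new checks reject an empty Subject unconditionally, which also rules out the RFC 5280 (section 4.1.2.6) case of an end-entity certificate that carries its identity only in a critical subjectAltName. This applies to the check on the request name right after `X509_REQ_get_subject_name(req)` and to the post-policy check in the second hunk. If the restriction is deliberate for `ca`, record it next to the check, e.g. `/* ca never issues empty-Subject certificates, even with a critical subjectAltName */`. do_body starts and ends outside the hunk, so whether the extensions are already known at this point is not visible here.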
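Review bot: The post-policy test `X509_NAME_entry_count(subject) == 0` counts entries only, so a Subject made solely of attributes with zero-length values would still pass on to the database clash check that follows. Whether such entries can reach this point depends on the policy loop, which lies outside the hunk. If they can, the uniqueness goal stated in the commit message is not fully met. At minimum, a comment such as `/* entry count only: empty attribute values are not rejected here */` above the `if` would make the limit explicit.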