authorMatt Caswell <matt@openssl.org>2018-01-19 14:34:56 +0000
committerMatt Caswell <matt@openssl.org>2018-01-22 10:07:41 +0000
commite505f1e86874acfd98826d64c53bf2ddfd9c1399 (patch)
treed2ffee9e69c1fa85d89c1bd1f528e675fc42d9ce /apps/ca.c
parent154d8c132fbe22a248f95e95ef21f1840451da62 (diff)
Don't allow an empty Subject when creating a Certificate
Misconfiguration (e.g. an empty policy section in the config file) can lead to an empty Subject. Since certificates should have unique Subjects this should not be allowed. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5114)
Diffstat (limited to 'apps/ca.c')
-rw-r--r--apps/ca.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/apps/ca.c b/apps/ca.c
index ea2750a3f8..551d0aa2f8 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1403,6 +1403,10 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
BIO_printf(bio_err, "The Subject's Distinguished Name is as follows\n");
name = X509_REQ_get_subject_name(req);
+ if (X509_NAME_entry_count(name) == 0) {
+ BIO_printf(bio_err, "Error: The supplied Subject is empty\n");
+ goto end;
+ }
for (i = 0; i < X509_NAME_entry_count(name); i++) {
ne = X509_NAME_get_entry(name, i);
str = X509_NAME_ENTRY_get_data(ne);
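Review bot: The new check ahead of the loop rejects every request whose Subject has no entries, and the post-policy check in the second hunk does the same, but neither says whether this is a deliberate restriction of the `ca` app. RFC 5280 permits an empty subject when the certificate carries a critical subjectAltName, so a maintainer may later read the check as a bug rather than a policy choice. A short comment above the `if` would settle it, for example `/* ca requires a non-empty Subject, even if a subjectAltName is requested */`. do_body starts and ends outside the hunk, so the value returned through `end` on this path could not be confirmed here.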
@@ -1565,6 +1569,12 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
goto end;
}
+ if (X509_NAME_entry_count(subject) == 0) {
+ BIO_printf(bio_err,
+ "Error: After applying policy the Subject is empty\n");
+ goto end;
+ }
+
if (verbose)
BIO_printf(bio_err,
"The subject name appears to be ok, checking data base for clashes\n");
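Review bot: The message in the added post-policy check tells the operator that the Subject is empty but not where to look, although the commit description names the likely cause as an empty policy section in the config file. Pointing at that cause in the diagnostic would make the misconfiguration quicker to fix: `"Error: After applying policy the Subject is empty; check the policy section of the config file\n"`. The enclosing do_body continues outside the hunk.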