author Benjamin Kaduk <bkaduk@akamai.com> 2018-10-04 13:49:21 -0500
committer Ben Kaduk <kaduk@mit.edu> 2018-10-08 16:32:47 -0500
commit 3d362f190306b62a17aa2fd475b2bc8b3faa8142 (patch)
tree 6017fdeece75ffebed1fa1de05193dc21ceb7814 /apps
parent 4fef4981f8cc614559b86a06532b0eeac6ffd0d9 (diff)
apps: allow empty attribute values with -subj

Historically (i.e., OpenSSL 1.0.x), the openssl applications would allow for empty subject attributes to be passed via the -subj argument, e.g., `openssl req -subj '/CN=joe/O=/OU=local' ...`. Commit db4c08f0194d58c6192f0d8311bf3f20e251cf4f applied a badly needed rewrite to the parse_name() helper function that parses these strings, but in the process dropped a check that would skip attributes with no associated value. As a result, such strings are now treated as hard errors and the operation fails.

Restore the check to skip empty attribute values and restore the historical behavior.

Document the behavior for empty subject attribute values in the corresponding applications' manual pages.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7349)

Diffstat (limited to 'apps')
-rw-r--r-- apps/apps.c 6
1 files changed, 6 insertions, 0 deletions
diff --git a/apps/apps.c b/apps/apps.c
index 9be656054a..653e3973e0 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -1831,6 +1831,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti)
opt_getprog(), typestr);
continue;
}
+ if (*valstr == '\0') {
+ BIO_printf(bio_err,
+ "%s: No value provided for Subject Attribute %s, skipped\n",
+ opt_getprog(), typestr);
+ continue;
+ }
if (!X509_NAME_add_entry_by_NID(n, nid, chtype,
valstr, strlen((char *)valstr),
-1, ismulti ? -1 : 0))
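Review bot: The `continue` in the new `*valstr == '\0'` branch drops the attribute but lets the command carry on, so the name that gets built is not the name the user typed, and the only signal is one line on `bio_err`. That matches the historical behaviour the commit message describes, but two things are worth checking. First, this branch runs before the `X509_NAME_add_entry_by_NID()` call that passes `ismulti ? -1 : 0`: when `canmulti` is set and the empty value belongs to a multi-valued RDN, please confirm that the following entry does not end up attached to a different RDN than intended once this one is skipped. Second, a regression test using the commit message's own `/CN=joe/O=/OU=local` string, asserting that the resulting name carries CN and OU only, would keep a later rewrite of parse_name() from dropping this check again.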