Commit 77078e6b authored by Benjamin Kaduk's avatar Benjamin Kaduk Committed by Ben Kaduk
Browse files

apps: allow empty attribute values with -subj 



Historically (i.e., OpenSSL 1.0.x), the openssl applications would
allow for empty subject attributes to be passed via the -subj argument,
e.g., `opensl req -subj '/CN=joe/O=/OU=local' ...`.  Commit
db4c08f0 applied a badly needed rewrite
to the parse_name() helper function that parses these strings, but
in the process dropped a check that would skip attributes with no
associated value.  As a result, such strings are now treated as
hard errors and the operation fails.

Restore the check to skip empty attribute values and restore
the historical behavior.

Document the behavior for empty subject attribute values in the
corresponding applications' manual pages.

(cherry picked from commit 3d362f19)
(cherry picked from commit a7ee1ef6)

Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7368)
parent 737a37f7

apps/apps.c

+6 −0
Original line number Diff line number Diff line
@@ -1770,6 +1770,12 @@ X509_NAME *parse_name(const char *cp, long chtype, int canmulti) 
                      opt_getprog(), typestr);

            continue;

        }

        if (*valstr == '\0') {

            BIO_printf(bio_err,

                       "%s: No value provided for Subject Attribute %s, skipped\n",

                       opt_getprog(), typestr);

            continue;

        }

        if (!X509_NAME_add_entry_by_NID(n, nid, chtype,

                                        valstr, strlen((char *)valstr),

                                        -1, ismulti ? -1 : 0))

doc/apps/ca.pod

+4 −2
Original line number Diff line number Diff line
@@ -243,8 +243,10 @@ for all available algorithms. 
=item B<-subj arg>



supersedes subject name given in the request.

The arg must be formatted as I</type0=value0/type1=value1/type2=...>,

characters may be escaped by \ (backslash), no spaces are skipped.

The arg must be formatted as I</type0=value0/type1=value1/type2=...>.

Keyword characters may be escaped by \ (backslash), and whitespace is retained.

Empty values are permitted, but the corresponding type will not be included

in the resulting certificate.



=item B<-utf8>

doc/apps/req.pod

+4 −2
Original line number Diff line number Diff line
@@ -213,8 +213,10 @@ see L<openssl(1)/COMMAND SUMMARY>. 


sets subject name for new request or supersedes the subject name

when processing a request.

The arg must be formatted as I</type0=value0/type1=value1/type2=...>,

characters may be escaped by \ (backslash), no spaces are skipped.

The arg must be formatted as I</type0=value0/type1=value1/type2=...>.

Keyword characters may be escaped by \ (backslash), and whitespace is retained.

Empty values are permitted, but the corresponding type will not be included

in the request.



=item B<-multivalue-rdn>