Is this a bug with the -subj option of the req command

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Is this a bug with the -subj option of the req command

prakash babu
Hello All,
 
     I am using OpenSSL 0.9.8
     The -subj option of the req command does not refer the openssl.cnf file to check the maximum and minimum values of each field.
     When creating a self signed certificate using req command we can specify the X509 name either by using -subj option or prompting the user to enter the  values.
 
i. prompting the user to enter the  values
eg # openssl  req -x509 -out cacert.pem -new -keyout cakey.pem  -nodes
   Country Name (2 letter code) [AU]:INN
   string is too long, it needs to be less than  2 bytes long

Here the values entered by the user are checked with minimum and maximum  limits of each field specified in the openssl.conf file
 
Reason: req_check_len function is called to verify the field length
 
Flow :  make_REQ( )  ---> prompt_info( )  ---> add_DN_object( )  ---> req_check_len()
 
ii -subj  option
eg # openssl req -x509 -out cacert.pem -new -keyout cakey.pem -subj /C=IN/ST=TamilNadu/L=CBE/O=test/CN=test -nodes
Here the values entered  by the user are not checked with minimum and maximum  limits of each field specified in the openssl.conf file
 
Reason: req_check_len function is not called
 
Flow : make_REQ( ) ---> build_subject( )  ---> parse_name( )     //req_check_len is not called
 
Is this a bug ?

Suggestion for OpenSSL 0.9.8 :
 The following code can be added in file apps/apps.c between lines 2135 and 2137  to check the  minimum and maximum  limits of each field specified in the openssl.conf file
 
  2133                          BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
  2134                          continue;
  2135                          }

// ------------------------------------------------------------------------------------------------------- //
const char *longname;
char buffer[100];
char longname_min[256],longname_max[256],*p;
long n_min,n_max,j;
long errline;
int len_buf;
static CONF *req_conf=NULL;
char *dn_sect,*value;
 
//Get the longname from the NID
longname=OBJ_nid2ln(nid);
 
//Load the default configuration file
p=make_config_name();
req_conf=NCONF_new(NULL);
j=NCONF_load(req_conf, p, &errline);
if (j == 0)
{
 BIO_printf(bio_err,"error on line %ld of %s\n",errline,req_conf);
 goto error;
}
 
dn_sect=NCONF_get_string(req_conf,"req","distinguished_name");
 
if (dn_sect == NULL)
{
 BIO_printf(bio_err,"unable to find distinguished_name in config %s\n",p);
 goto error;
}
 
if ((value=NCONF_get_string(req_conf,dn_sect,longname)) == NULL)
{
ERR_clear_error();
value=NULL;
}
 
//Get the min length of the field from config file
BIO_snprintf(buffer,sizeof buffer,"%s_min",longname);
if (!NCONF_get_number(req_conf,dn_sect,buffer, &n_min))
{
ERR_clear_error();
n_min = -1;
}
 
//Get the max length of the field from config file
BIO_snprintf(buffer,sizeof buffer,"%s_max",longname);
if (!NCONF_get_number(req_conf,dn_sect,buffer, &n_max))
{
ERR_clear_error();
n_max = -1;
}
 
//Compare the length of field against against the allowable minimum and maximum
 
len_buf=strlen(ne_values[i]);
if ((n_min > 0) && (len_buf < n_min))
                {
                BIO_printf(bio_err,"%s  is too short, it needs to be at least %d bytes long\n",longname,n_min);
                goto error;
                }
if ((n_max >= 0) && (len_buf > n_max))
                {
                BIO_printf(bio_err,"%s is too long, it needs to be less than  %d bytes long\n",longname,n_max);
                goto error;
                }
 
// ------------------------------------------------------------------------------------------------------- //
 
  2137                  if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1,-1,mval[i]))
  2138                          goto error;
  2139                  }
 
Thanks,
Prakash Babu


Start your day with Yahoo! - make it your home page