Hello All,

Bug Description: The -subj option of the req command does not refer to the openssl.cnf file to check the minimum and maximum limits of each field.

Operating System: HPUX 11iv1, HPUX 11iv2 and Linux
OpenSSL Version: 0.9.8 and all prior versions

Detailed Description:

When creating a self-signed certificate using the req command we can specify the X509 name either by using the -subj option or by prompting the user to enter the values.

i. Prompting the user to enter the values

Here we do not use the -subj option and the users are prompted for the X509 name parameters. The values entered by the user are checked against the minimum and maximum limits of each field specified in the openssl.cnf file. This is because the req_check_len function is called to verify the field length.

Flow: make_REQ() ---> prompt_info() ---> add_DN_object() ---> req_check_len()

e.g. I have set the value of commonName_max = 5 in openssl.cnf

    # openssl req -x509 -out cacert.pem -new -keyout cakey.pem -nodes
    Common Name (eg, YOUR name) []:xxxxxxxxxx
    string is too long, it needs to be less than 5 bytes long

Fails

ii. -subj option

Here we use the -subj option and specify the X509 name parameters on the command line itself. These values are not checked against the minimum and maximum limits of each field specified in the openssl.cnf file. This is because req_check_len is not called.

Flow: make_REQ() ---> build_subject() ---> parse_name()   // req_check_len is not called

e.g. I have set the value of commonName_max = 5 in openssl.cnf

    # openssl req -x509 -out cacert.pem -new -keyout cakey.pem -subj /C=INN/ST=TamilNadu/L=CBE/O=test/CN=xxxxxxxxxx -nodes

Successful

Suggestion for OpenSSL 0.9.8:

The following code can be added in file apps/apps.c between lines 2135 and 2137 to check the minimum and maximum limits of each field specified in the -subj option against the limits specified in the openssl.cnf file.

    2133            BIO_printf(bio_err, "No value provided for Subject Attribute %s, skipped\n", ne_types[i]);
    2134            continue;
    2135        }
    // ------------------------------------------------------------------------------------------------------- //
            {
            const char *longname;
            char buffer[100];
            char *p;
            long n_min, n_max, j;
            long errline;
            size_t len_buf;
            CONF *req_conf = NULL;
            char *dn_sect;

            /* Get the long name (as used in openssl.cnf) from the NID */
            longname = OBJ_nid2ln(nid);

            /* Load the default configuration file */
            p = make_config_name();
            req_conf = NCONF_new(NULL);
            j = NCONF_load(req_conf, p, &errline);
            if (j == 0) {
                BIO_printf(bio_err, "error on line %ld of %s\n", errline, p);
                goto error;
            }
            dn_sect = NCONF_get_string(req_conf, "req", "distinguished_name");
            if (dn_sect == NULL) {
                BIO_printf(bio_err, "unable to find distinguished_name in config %s\n", p);
                goto error;
            }

            /* Get the min length of the field from the config file (-1 = no limit) */
            BIO_snprintf(buffer, sizeof buffer, "%s_min", longname);
            if (!NCONF_get_number(req_conf, dn_sect, buffer, &n_min)) {
                ERR_clear_error();
                n_min = -1;
            }
            /* Get the max length of the field from the config file (-1 = no limit) */
            BIO_snprintf(buffer, sizeof buffer, "%s_max", longname);
            if (!NCONF_get_number(req_conf, dn_sect, buffer, &n_max)) {
                ERR_clear_error();
                n_max = -1;
            }

            /* Compare the length of the field against the allowable minimum and maximum */
            len_buf = strlen(ne_values[i]);
            if ((n_min > 0) && ((long)len_buf < n_min)) {
                BIO_printf(bio_err, "%s is too short, it needs to be at least %ld bytes long\n", longname, n_min);
                goto error;
            }
            if ((n_max >= 0) && ((long)len_buf > n_max)) {
                BIO_printf(bio_err, "%s is too long, it needs to be less than %ld bytes long\n", longname, n_max);
                goto error;
            }

            /* Release the per-field config and the config file name */
            NCONF_free(req_conf);
            OPENSSL_free(p);
            }
    // ------------------------------------------------------------------------------------------------------- //
    2137        if (!X509_NAME_add_entry_by_NID(n, nid, chtype, (unsigned char*)ne_values[i], -1, -1, mval[i]))
    2138            goto error;
    2139    }

Thanks,
Prakash Babu

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
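As an added illustration (not part of the mail above and not OpenSSL code), the following stand-alone C program applies the same length rule that req_check_len() in apps/req.c uses (n_min > 0 enforces a floor, n_max >= 0 a ceiling, -1 means unconstrained) to a -subj style string, so the gap the report describes can be seen without building OpenSSL. The config table is constructed: commonName_max = 5 mirrors the report's test setup, and the countryName limits are the 2/2 values the stock openssl.cnf ships with. The short-name-to-long-name table, check_len(), check_subject() and lookup_limit() are this example's own names; backslash escapes and "+" multi-valued RDNs accepted by parse_name() are not handled here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the [req_distinguished_name] section of openssl.cnf. */
static const struct { const char *key; long value; } dn_limits[] = {
    { "countryName_min", 2 },
    { "countryName_max", 2 },
    { "commonName_max",  5 },
};

/* Assumed subset of the -subj short names and the long names openssl.cnf uses. */
static const struct { const char *sn; const char *ln; } dn_names[] = {
    { "C",  "countryName" },
    { "ST", "stateOrProvinceName" },
    { "L",  "localityName" },
    { "O",  "organizationName" },
    { "OU", "organizationalUnitName" },
    { "CN", "commonName" },
    { "emailAddress", "emailAddress" },
};

/* Look up "<longname>_<suffix>"; -1 when the key is absent, as req.c treats it. */
long lookup_limit(const char *longname, const char *suffix)
{
    char key[128];
    size_t i;
    snprintf(key, sizeof key, "%s_%s", longname, suffix);
    for (i = 0; i < sizeof dn_limits / sizeof dn_limits[0]; i++)
        if (strcmp(dn_limits[i].key, key) == 0)
            return dn_limits[i].value;
    return -1;
}

static const char *short_to_long(const char *sn)
{
    size_t i;
    for (i = 0; i < sizeof dn_names / sizeof dn_names[0]; i++)
        if (strcmp(dn_names[i].sn, sn) == 0)
            return dn_names[i].ln;
    return NULL;
}

/* Same rule as req_check_len(): returns 1 if len is within [n_min, n_max]. */
int check_len(size_t len, long n_min, long n_max)
{
    if (n_min > 0 && (long)len < n_min) return 0;
    if (n_max >= 0 && (long)len > n_max) return 0;
    return 1;
}

/* Check every "type=value" element of a "/C=../CN=.." subject against the limits.
 * Returns 1 if all known fields fit, 0 otherwise; on a limit violation *bad is
 * set to the long name of the offending field (NULL for a parse error). */
int check_subject(const char *subj, const char **bad)
{
    const char *p = subj;
    *bad = NULL;
    if (*p != '/') return 0;            /* parse_name() also requires a leading '/' */
    p++;
    while (*p) {
        const char *eq = strchr(p, '=');
        const char *end, *ln;
        char sn[32];
        size_t tlen, vlen;
        if (eq == NULL) return 0;       /* malformed: type without '=' */
        end = strchr(eq + 1, '/');
        if (end == NULL) end = eq + 1 + strlen(eq + 1);
        tlen = (size_t)(eq - p);
        vlen = (size_t)(end - (eq + 1));
        if (tlen == 0 || tlen >= sizeof sn) return 0;
        memcpy(sn, p, tlen);
        sn[tlen] = '\0';
        ln = short_to_long(sn);         /* unknown types are skipped, as parse_name() does */
        if (ln != NULL && !check_len(vlen, lookup_limit(ln, "min"), lookup_limit(ln, "max"))) {
            *bad = ln;
            return 0;
        }
        p = (*end == '/') ? end + 1 : end;
    }
    return 1;
}

int main(void)
{
    /* The subject from the report: passes without the check, rejected with it. */
    const char *subj = "/C=INN/ST=TamilNadu/L=CBE/O=test/CN=xxxxxxxxxx";
    const char *bad;
    if (check_subject(subj, &bad))
        printf("%s: accepted\n", subj);
    else
        printf("%s: rejected (%s violates its min/max)\n", subj, bad ? bad : "parse error");
    return 0;
}
```

With the constructed table the report's subject is rejected on countryName first (INN is three bytes against the 2/2 limits), and a subject with a valid country code is then rejected on commonName, which is exactly the pair of checks the prompting path already performs.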