Hi, I modified a patch which I received from Christophe Bailleux <[EMAIL PROTECTED]>. The original patch simply deactivates all parts of OpenSSL which check for a unique DN.
The attached patch adds an option -nouniqueDN to ca.c. The attached patch was made from 0.9.7 but it should be applied to the HEAD-branch because 0.9.7 is frozen. The patch requires the use of -nouniqueDN for revocation too. This is necessary because ca.c tries to build an index from the DNs. Any comments? Michael -- ------------------------------------------------------------------- Michael Bell Email (private): [EMAIL PROTECTED] Rechenzentrum - Datacenter Email: [EMAIL PROTECTED] Humboldt-University of Berlin Tel.: +49 (0)30-2093 2482 Unter den Linden 6 Fax: +49 (0)30-2093 2959 10099 Berlin Germany http://www.openca.org
--- ca.c.orig Wed Oct 2 10:00:43 2002
+++ ca.c Wed Oct 2 10:55:21 2002
@@ -147,7 +147,7 @@
#define DB_rev_date 2
#define DB_serial 3 /* index - unique */
#define DB_file 4
-#define DB_name 5 /* index - unique for active */
+#define DB_name 5 /* index - unique for active operations and unique_dn
+*/
#define DB_NUMBER 6
#define DB_TYPE_REV 'R'
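Review bot: The new side of this hunk carries eight lines against the seven the header `@@ -147,7 +147,7 @@` declares, because the DB_name comment was wrapped in transit into `unique_dn` followed by a separate `+*/` line, so patch will reject the hunk as sent. The same wrapping affects the prototype hunks at -217 and -238, the call-site hunks at -1178 through -1242 and the signature hunks at -1729, -1791, -1845 and -2383, so the patch should be re-sent as an attachment or with line wrapping disabled. When regenerating it, the comment could also state what the index now means, e.g. `#define DB_name 5 /* index - unique for active certs; only built when unique_dn is set */`.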
@@ -188,6 +188,7 @@
" -ss_cert file - File contains a self signed cert to sign\n",
" -preserveDN - Don't re-order the DN\n",
" -noemailDN - Don't add the EMAIL field into certificate' subject\n",
+" -nouniqueDN - Don't check the DN for uniqueness\n",
" -batch - Don't ask questions\n",
" -msie_hack - msie modifications to handle all those universal strings\n",
" -revoke file - Revoke a certificate (given in file)\n",
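Review bot: The new help line does not tell the operator that the flag is also needed for later -revoke runs against a database that already holds duplicate subjects, which the cover mail states explicitly because the name index is built before revocation as well. Suggest `" -nouniqueDN - Don't check the DN for uniqueness (also needed for -revoke on such a db)\n",`. The patch does not touch the ca man page or CHANGES, which would need a matching entry describing the trade-off.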
@@ -217,20 +218,20 @@
static int save_serial(char *serialfile, BIGNUM *serial);
static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db,
- BIGNUM *serial, char *subj, int email_dn, char *startdate,
+ BIGNUM *serial, char *subj, int email_dn, int unique_dn, char
+*startdate,
char *enddate, long days, int batch, char *ext_sect, CONF *conf,
int verbose, unsigned long certopt, unsigned long nameopt,
int default_op, int ext_copy);
static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
- TXT_DB *db, BIGNUM *serial, char *subj, int email_dn,
+ TXT_DB *db, BIGNUM *serial, char *subj, int email_dn, int
+unique_dn,
char *startdate, char *enddate, long days, int batch,
char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy,
ENGINE *e);
static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
- TXT_DB *db, BIGNUM *serial,char *subj, int email_dn,
+ TXT_DB *db, BIGNUM *serial,char *subj, int email_dn, int
+unique_dn,
char *startdate, char *enddate, long days, char *ext_sect,
CONF *conf, int verbose, unsigned long certopt,
unsigned long nameopt, int default_op, int ext_copy);
@@ -238,7 +239,7 @@
static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj,
- int email_dn, char *startdate, char *enddate, long days, int batch,
+ int email_dn, int unique_dn, char *startdate, char *enddate, long days, int
+batch,
int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy);
@@ -274,6 +275,7 @@
int badops=0;
int ret=1;
int email_dn=1;
+ int unique_dn=1;
int req=0;
int verbose=0;
int gencrl=0;
@@ -448,6 +450,8 @@
preserve=1;
else if (strcmp(*argv,"-noemailDN") == 0)
email_dn=0;
+ else if (strcmp(*argv,"-nouniqueDN") == 0)
+ unique_dn=0;
else if (strcmp(*argv,"-gencrl") == 0)
gencrl=1;
else if (strcmp(*argv,"-msie_hack") == 0)
@@ -905,14 +909,15 @@
if (!make_serial_index(db))
goto err;
- if (!TXT_DB_create_index(db, DB_name, index_name_qual,
- LHASH_HASH_FN(index_name_hash),
- LHASH_COMP_FN(index_name_cmp)))
- {
- BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
- db->error,db->arg1,db->arg2);
- goto err;
- }
+ if (unique_dn)
+ if (!TXT_DB_create_index(db, DB_name, index_name_qual,
+ LHASH_HASH_FN(index_name_hash),
+ LHASH_COMP_FN(index_name_cmp)))
+ {
+ BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
+ db->error,db->arg1,db->arg2);
+ goto err;
+ }
/*****************************************************************/
/* Update the db file for expired certificates */
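Review bot: The added `if (unique_dn)` at the top of this hunk wraps a multi-line `if` statement without braces, which is the shape that dangling-else and "goto fail"-style edits bite later; brace the outer statement as `if (unique_dn) {` ... `}` around the existing block. Once the index is skipped, a database that already contains duplicate subjects is only usable with the flag on every invocation, and the "error creating name index" message is the only place an operator learns why a normal run fails, so that message would benefit from a hint naming -nouniqueDN. The enclosing function starts outside the hunk.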
@@ -1178,7 +1183,7 @@
{
total++;
j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
- serial,subj,email_dn,startdate,enddate,days,extensions,
+
+serial,subj,email_dn,unique_dn,startdate,enddate,days,extensions,
conf,verbose,certopt,nameopt,default_op,ext_copy);
if (j < 0) goto err;
if (j > 0)
@@ -1202,7 +1207,7 @@
{
total++;
j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
- db,serial,subj,email_dn,startdate,enddate,days,batch,
+
+db,serial,subj,email_dn,unique_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy, e);
if (j < 0) goto err;
@@ -1222,7 +1227,7 @@
{
total++;
j=certify(&x,infile,pkey,x509,dgst,attribs,db,
- serial,subj,email_dn,startdate,enddate,days,batch,
+
+serial,subj,email_dn,unique_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy);
if (j < 0) goto err;
@@ -1242,7 +1247,7 @@
{
total++;
j=certify(&x,argv[i],pkey,x509,dgst,attribs,db,
- serial,subj,email_dn,startdate,enddate,days,batch,
+
+serial,subj,email_dn,unique_dn,startdate,enddate,days,batch,
extensions,conf,verbose, certopt, nameopt,
default_op, ext_copy);
if (j < 0) goto err;
@@ -1729,7 +1734,7 @@
static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
- BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+ BIGNUM *serial, char *subj, int email_dn, int unique_dn, char *startdate,
+char *enddate,
long days, int batch, char *ext_sect, CONF *lconf, int verbose,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy)
@@ -1779,7 +1784,7 @@
else
BIO_printf(bio_err,"Signature ok\n");
- ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, email_dn,
+ ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, email_dn, unique_dn,
startdate,enddate,days,batch,verbose,req,ext_sect,lconf,
certopt, nameopt, default_op, ext_copy);
@@ -1791,7 +1796,7 @@
static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
- BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+ BIGNUM *serial, char *subj, int email_dn, int unique_dn, char *startdate,
+char *enddate,
long days, int batch, char *ext_sect, CONF *lconf, int verbose,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy, ENGINE *e)
@@ -1833,7 +1838,7 @@
if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
goto err;
-
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate,
+
+ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,unique_dn,startdate,enddate,
days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
ext_copy);
@@ -1845,7 +1850,7 @@
static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj,
- int email_dn, char *startdate, char *enddate, long days, int batch,
+ int email_dn, int unique_dn, char *startdate, char *enddate, long days,
+int batch,
int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
unsigned long certopt, unsigned long nameopt, int default_op,
int ext_copy)
@@ -2096,7 +2101,11 @@
goto err;
}
- rrow=TXT_DB_get_by_index(db,DB_name,row);
+ if (unique_dn)
+ rrow=TXT_DB_get_by_index(db,DB_name,row);
+ else
+ rrow=NULL;
+
if (rrow != NULL)
{
BIO_printf(bio_err,"ERROR:There is already a certificate for %s\n",
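Review bot: The `else rrow=NULL;` branch silently disables the duplicate-subject check, so a second certificate for a subject that still has an active one is issued with no trace in the output, and an operator cannot tell afterwards which runs used the flag. At minimum a why-comment belongs on the new branch, e.g. `/* -nouniqueDN: an active cert with the same subject may already exist */`, and a verbose-mode line such as `if (verbose) BIO_printf(bio_err,"DN uniqueness check skipped\n");` would make the mode visible in the log. This guard must stay paired with the index-creation guard at -905, since the DB_name index does not exist when unique_dn is 0. do_body starts outside the hunk.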
@@ -2383,7 +2392,7 @@
static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
- BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
+ BIGNUM *serial, char *subj, int email_dn, int unique_dn, char *startdate,
+char *enddate,
long days, char *ext_sect, CONF *lconf, int verbose, unsigned long
certopt,
unsigned long nameopt, int default_op, int ext_copy)
{
@@ -2524,7 +2533,7 @@
X509_REQ_set_pubkey(req,pktmp);
EVP_PKEY_free(pktmp);
-
ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,startdate,enddate,
+
+ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,email_dn,unique_dn,startdate,enddate,
days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
ext_copy);
err:
