According to comments in the OpenSSL code, some broken implementations
create certificate requests with missing attributes in the X509_REQ_INFO
structure. I am currently in a situation where I have to deal with such
invalid requests.
There are workarounds in the OpenSSL code to handle such conditions.
Currently, when creating X509_REQ_INFO structures, the 'attributes'
member is automatically updated using the rinf_cb() callback in x_req.c.
Would it make sense to do the same when an X509_REQ_INFO structure is
*loaded*? Please comment on the attached patch.
Thanks, Remo
diff -ru openssl-0.9.8b/crypto/asn1/x_req.c
openssl-0.9.8b-custom/crypto/asn1/x_req.c
--- openssl-0.9.8b/crypto/asn1/x_req.c 2001-07-27 04:22:24.000000000 +0200
+++ openssl-0.9.8b-custom/crypto/asn1/x_req.c 2006-06-01 16:24:33.000000000
+0200
@@ -83,9 +83,11 @@
{
X509_REQ_INFO *rinf = (X509_REQ_INFO *)*pval;
- if(operation == ASN1_OP_NEW_POST) {
- rinf->attributes = sk_X509_ATTRIBUTE_new_null();
- if(!rinf->attributes) return 0;
+ if(operation == ASN1_OP_NEW_POST || operation == ASN1_OP_D2I_POST) {
+ if(!rinf->attributes) {
+ rinf->attributes = sk_X509_ATTRIBUTE_new_null();
+ if(!rinf->attributes) return 0;
+ }
}
return 1;
}
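Review bot: the new `operation == ASN1_OP_D2I_POST` case carries no comment saying why a decoded X509_REQ_INFO with a NULL attributes member is given an empty stack, and once it is applied a caller can no longer tell a request that omitted the attributes field from one that carried an empty set. Add a comment above the condition naming the broken-request case it handles, and check that any code which inspects or re-encodes a loaded request does not rely on that distinction. The added `if(!rinf->attributes)` guard also covers ASN1_OP_NEW_POST, where the old code assigned unconditionally; the new form depends on the member already being NULL at that point, so either confirm that or keep the NEW_POST assignment unconditional and apply the guard only to the D2I_POST case.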