From 63d4fbb4167c81cd399d9b6ff595ffb3d87a50bd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Fri, 12 Jan 2007 22:46:52 +0000
Subject: [PATCH] Don't issue certs with subject DN that is NULL and have no SANs

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19876 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/hx509/ca.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/lib/hx509/ca.c b/lib/hx509/ca.c
index afc80bac9..e8338fc6d 100644
--- a/lib/hx509/ca.c
+++ b/lib/hx509/ca.c
@@ -484,16 +484,25 @@ ca_sign(hx509_context context,
 hx509_set_error_string(context, 0, ret, "No public key set");
 return ret;
 }
- if (tbs->subject == NULL && !tbs->flags.proxy) {
- ret = EINVAL;
- hx509_set_error_string(context, 0, ret, "No subject name set");
- return ret;
+ /*
+ * Don't put restrictions on proxy certificate's subject name, it
+ * will be generated below.
+ */
+ if (!tbs->flags.proxy) {
+ if (tbs->subject == NULL) {
+ hx509_set_error_string(context, 0, EINVAL, "No subject name set");
+ return EINVAL;
+ }
+ if (hx509_name_is_null_p(tbs->subject) && tbs->san.len == 0) {
+ hx509_set_error_string(context, 0, EINVAL,
+ "NULL subject and no SubjectAltNames");
+ return EINVAL;
+ }
 }
 if (tbs->flags.ca && tbs->flags.proxy) {
- ret = EINVAL;
- hx509_set_error_string(context, 0, ret, "Can't be proxy and CA "
+ hx509_set_error_string(context, 0, EINVAL, "Can't be proxy and CA "
 "at the same time");
- return ret;
+ return EINVAL;
 }
 if (tbs->flags.proxy) {
 if (tbs->san.len > 0) {
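Review bot: The new null-subject check in the `!tbs->flags.proxy` branch accepts an empty subject DN for any certificate that carries a SAN, including one with `tbs->flags.ca` set, and a CA certificate with an empty subject cannot be matched as issuer by the certificates it signs (RFC 5280 section 4.1.2.6 requires a non-empty subject for CAs). I would add `if (tbs->flags.ca && hx509_name_is_null_p(tbs->subject))` with its own error string and `return EINVAL;` next to the new check. The same RFC section requires subjectAltName to be marked critical when the subject is empty; the SAN encoding is outside this hunk, so it is worth confirming that path sets the critical bit when `hx509_name_is_null_p(tbs->subject)` is true. ca_sign's body starts before and continues after the hunk.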