diff options
| author | Jack Lloyd <[email protected]> | 2016-04-24 06:09:33 -0400 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2016-05-23 11:48:36 -0400 |
| commit | 93899a96dc79199bf31d40f452d40b0c6fba20b7 (patch) | |
| tree | 9b18f237a29ff10330cca0b1001e897a6ea94398 /src/lib/cert | |
| parent | 4f04a39d104a65d55762b6d03cf7ec21aac02ffa (diff) | |
Remove DN field requirements on generating certs and PKCS #10
I have no idea why this is requiring the country code be set, but for
many applications a country is not even meaningful. This change also
allows CN to be empty/unset on the request or cert, since there is no
actual requirement for any specific DN entry type and RFC 5280
specifically allows even an completely empty DN, with name information
only in the subjectAltName extension.
This change also allows generating a self-signed cert or cert request
that expires before it starts. That could only happen with an explicit
decision by the application to set it that way, and there is no harm
in returning these non-secret bits. They will probably notice their
problem as soon as the cert is rejected by any receiving system.
Diffstat (limited to 'src/lib/cert')
| -rw-r--r-- | src/lib/cert/x509/x509opt.cpp | 13 | ||||
| -rw-r--r-- | src/lib/cert/x509/x509self.cpp | 4 | ||||
| -rw-r--r-- | src/lib/cert/x509/x509self.h | 5 |
3 files changed, 0 insertions, 22 deletions
diff --git a/src/lib/cert/x509/x509opt.cpp b/src/lib/cert/x509/x509opt.cpp index 158f4c779..2dd2098fe 100644 --- a/src/lib/cert/x509/x509opt.cpp +++ b/src/lib/cert/x509/x509opt.cpp @@ -62,19 +62,6 @@ void X509_Cert_Options::CA_key(size_t limit) } /* -* Do basic sanity checks -*/ -void X509_Cert_Options::sanity_check() const - { - if(common_name.empty() || country.empty()) - throw Encoding_Error("X.509 certificate: name and country MUST be set"); - if(country.size() != 2) - throw Encoding_Error("Invalid ISO country code: " + country); - if(start >= end) - throw Encoding_Error("X509_Cert_Options: invalid time constraints"); - } - -/* * Initialize the certificate options */ X509_Cert_Options::X509_Cert_Options(const std::string& initial_opts, diff --git a/src/lib/cert/x509/x509self.cpp b/src/lib/cert/x509/x509self.cpp index 7d1c01c37..8b9aeda09 100644 --- a/src/lib/cert/x509/x509self.cpp +++ b/src/lib/cert/x509/x509self.cpp @@ -49,8 +49,6 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts, X509_DN subject_dn; AlternativeName subject_alt; - opts.sanity_check(); - std::vector<byte> pub_key = X509::BER_encode(key); std::unique_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo)); load_info(opts, subject_dn, subject_alt); @@ -95,8 +93,6 @@ PKCS10_Request create_cert_req(const X509_Cert_Options& opts, X509_DN subject_dn; AlternativeName subject_alt; - opts.sanity_check(); - std::vector<byte> pub_key = X509::BER_encode(key); std::unique_ptr<PK_Signer> signer(choose_sig_format(key, hash_fn, sig_algo)); load_info(opts, subject_dn, subject_alt); diff --git a/src/lib/cert/x509/x509self.h b/src/lib/cert/x509/x509self.h index a4bbad214..401b2eb2f 100644 --- a/src/lib/cert/x509/x509self.h +++ b/src/lib/cert/x509/x509self.h @@ -115,11 +115,6 @@ class BOTAN_DLL X509_Cert_Options std::vector<OID> ex_constraints; /** - * Check the options set in this object for validity. - */ - void sanity_check() const; - - /** * Mark the certificate as a CA certificate and set the path limit. * @param limit the path limit to be set in the BasicConstraints extension. */ |