From: Theo Buehler Subject: Re: usr.bin/openssl: x509 add -force_pubkey -utf8 -set_issuer -set_subject -multivalue-rdn To: Job Snijders Cc: tech@openbsd.org Date: Fri, 12 Jan 2024 08:46:49 +0100 On Thu, Jan 11, 2024 at 08:40:24PM +0000, Job Snijders wrote: > Dear all, > > The below changeset adds support to the 'openssl x509' command line > utility for the following options: -force_pubkey, -multivalue-rdn, > -set_issuer, -set_subject, and -utf8. I think -force_pubkey and the other options are mostly unrelated. It would be preferable to split at least the x509.c commit into two. ok tb > This diff solves https://github.com/libressl/portable/issues/842 It will probably not solve this issue entirely. The regress failure orbea ran into even with this diff might well be related to the STDout/out discrepancy of handling the pubkey between libressl on openssl. > I proposed -set_issuer and -set_subject to OpenSSL as well: > https://github.com/openssl/openssl/pull/23257 > @@ -616,6 +648,13 @@ static const struct option x509_options[ > .opt.argfunc = x509_opt_set_serial, > }, > { > + .name = "set_subject", > + .argname = "name", > + .desc = "Set the subject name", > + .type = OPTION_ARG, > + .opt.arg = &cfg.set_subject, > + }, > + { > .name = "setalias", > .argname = "arg", > .desc = "Set certificate alias", I think we want an alias for the god-awful subj. Omitting the argname means it doesn't show up in the usage output: { .name = "subj", .type = OPTION_ARG, .opt.arg = &cfg.set_subject, }, > @@ -875,9 +928,18 @@ x509_main(int argc, char **argv) > } else if (!X509_set_serialNumber(x, cfg.sno)) > goto end; > > - if (!X509_set_issuer_name(x, X509_REQ_get_subject_name(req))) > + if (cfg.set_issuer != NULL) > + iname = parse_name(cfg.set_issuer, cfg.chtype, > + cfg.multirdn); As already discussed off-list, this needs an error check for iname.
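Review bot: In the @@ -616,6 +648,13 @@ hunk, the new set_subject entry's description, "Set the subject name", does not say what string form the "name" argument must take. The x509_main hunk shows the matching issuer string going through parse_name() together with cfg.chtype and cfg.multirdn, so the accepted syntax and its interaction with those two settings is not obvious from the usage output alone. Consider spelling the expected form out in .desc (the slash-separated /type0=value0/type1=value1 form that parse_name() takes) so that a mistyped name is easier to diagnose from the help text.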
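Review bot: In the @@ -875,9 +928,18 @@ hunk of x509_main, the result of "iname = parse_name(cfg.set_issuer, cfg.chtype, cfg.multirdn);" is not checked in the lines shown, and parse_name() returns NULL on a malformed name string. Add "if (iname == NULL) goto end;" directly after the call so that a bad -set_issuer argument fails cleanly instead of handing a NULL name on to the issuer setter. Since X509_set_issuer_name() copies the name it is given, iname also stays owned by x509_main and needs an X509_NAME_free() on the end: path. The body of the if spans two lines, so braces around it would make the added check harder to misplace.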