apps: Escape control characters in DNs by default

When displaying distinguished names the control characters are escaped by default. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/26932) (cherry picked from commit 2411f9b662)
2025-02-28 11:13:27 +01:00 · 2025-02-28 11:13:27 +01:00 · 84b4fef8ab
parent 9537245a5b
commit 84b4fef8ab
6 changed files with 61 additions and 5 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -27,7 +27,10 @@ OpenSSL 3.2

 ### Changes between 3.2.4 and 3.2.5 [xx XXX xxxx]

- * none yet
+ * When displaying distinguished names in the openssl application escape control
+   characters by default.
+
+   *Tomáš Mráz*

 ### Changes between 3.2.3 and 3.2.4 [11 Feb 2025]

--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@ -189,7 +189,11 @@ int set_nameopt(const char *arg)
 unsigned long get_nameopt(void)
 {
    return
-        nmflag_set ? nmflag : XN_FLAG_SEP_CPLUS_SPC | ASN1_STRFLGS_UTF8_CONVERT;
+        nmflag_set ? nmflag : XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN
+                              | ASN1_STRFLGS_ESC_CTRL
+                              | ASN1_STRFLGS_UTF8_CONVERT
+                              | ASN1_STRFLGS_DUMP_UNKNOWN
+                              | ASN1_STRFLGS_DUMP_DER;
 }

 void dump_cert_text(BIO *out, X509 *x)
--- a/doc/man1/openssl-namedisplay-options.pod
+++ b/doc/man1/openssl-namedisplay-options.pod
@ -18,8 +18,10 @@ displayed.
 This is specified by using the B<-nameopt> option, which takes a
 comma-separated list of options from the following set.
 An option may be preceded by a minus sign, C<->, to turn it off.
-The default value is C<utf8,sep_comma_plus_space>.
-The first four are the most commonly used.
+The first four option arguments are the most commonly used.
+
+The default value is
+C<esc_ctrl,utf8,dump_unknown,dump_der,sep_comma_plus_space,sname>.

 =head1 OPTIONS

--- a/test/certs/tab-in-dn.pem
+++ b/test/certs/tab-in-dn.pem
@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE-----
+MIIBCjCBvaADAgECAhQtSLWSJKg8TpmuRG/UlzepKY2MazAFBgMrZXAwEzERMA8G
+A1UEAwwIVGVzdAlUQUIwIBcNMjUwMjI4MTAzNDE5WhgPMjEyNTAyMDQxMDM0MTla
+MBMxETAPBgNVBAMMCFRlc3QJVEFCMCowBQYDK2VwAyEA1ptSJCGrDHMlWEoirhZe
+s2TETOMe4f0G335qXYHDPP+jITAfMB0GA1UdDgQWBBQwCDnyYnvR2GXoToxSxPmp
+kvER+zAFBgMrZXADQQBszFQxeWW1BBUgWf9as2zDyYCO43kBWTFTypPsFkpuAg4t
+oxrqzb7Kd4RIT0TGtRGgd3gwRkqC0ecgM/NmXOYM
+-----END CERTIFICATE-----
--- a/test/certs/tab-in-dn.text
+++ b/test/certs/tab-in-dn.text
@ -0,0 +1,27 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            2d:48:b5:92:24:a8:3c:4e:99:ae:44:6f:d4:97:37:a9:29:8d:8c:6b
+        Signature Algorithm: ED25519
+        Issuer: CN=Test\09TAB
+        Validity
+            Not Before: Feb 28 10:34:19 2025 GMT
+            Not After : Feb  4 10:34:19 2125 GMT
+        Subject: CN=Test\09TAB
+        Subject Public Key Info:
+            Public Key Algorithm: ED25519
+                ED25519 Public-Key:
+                pub:
+                    d6:9b:52:24:21:ab:0c:73:25:58:4a:22:ae:16:5e:
+                    b3:64:c4:4c:e3:1e:e1:fd:06:df:7e:6a:5d:81:c3:
+                    3c:ff
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                30:08:39:F2:62:7B:D1:D8:65:E8:4E:8C:52:C4:F9:A9:92:F1:11:FB
+    Signature Algorithm: ED25519
+    Signature Value:
+        6c:cc:54:31:79:65:b5:04:15:20:59:ff:5a:b3:6c:c3:c9:80:
+        8e:e3:79:01:59:31:53:ca:93:ec:16:4a:6e:02:0e:2d:a3:1a:
+        ea:cd:be:ca:77:84:48:4f:44:c6:b5:11:a0:77:78:30:46:4a:
+        82:d1:e7:20:33:f3:66:5c:e6:0c
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;

 setup("test_x509");

-plan tests => 44;
+plan tests => 46;

 # Prevent MSys2 filename munging for arguments that look like file paths but
 # aren't
@ -42,6 +42,18 @@ ok(run(app(["openssl", "x509", "-text", "-in", $pem, "-out", $out_utf8,
 is(cmp_text($out_utf8, $utf),
   0, 'Comparing utf8 output with cyrillic.utf8');

+SKIP: {
+    skip "EdDSA disabled", 2 if disabled("ecx");
+
+    $pem = srctop_file(@certs, "tab-in-dn.pem");
+    my $out_text = "out-tab-in-dn.text";
+    my $text = srctop_file(@certs, "tab-in-dn.text");
+    ok(run(app(["openssl", "x509", "-text", "-noout",
+            "-in", $pem, "-out", $out_text])));
+    is(cmp_text($out_text, $text),
+       0, 'Comparing default output with tab-in-dn.text');
+}
+
 SKIP: {
    skip "DES disabled", 1 if disabled("des");
    skip "Platform doesn't support command line UTF-8", 1 if $^O =~ /^(VMS|msys)$/;