From 8bde5e698249c9fb4efbcab659bdabdf44134dea Mon Sep 17 00:00:00 2001 From: Josh Holtrop Date: Fri, 13 Jun 2025 11:20:17 -0400 Subject: [PATCH 1/2] Fix printing empty names in certificates The empty-issuer-cert.pem certificate was created with: wolfssl genkey rsa -size 2048 -out mykey -outform pem -output KEY wolfssl req -new -days 3650 -key mykey.priv -out empty-issuer-cert.pem -x509 Prior to this fix this command would error printing the certificate: wolfssl x509 -inform pem -in empty-issuer-cert.pem -text --- certs/empty-issuer-cert.pem | 17 +++++++++++++++++ certs/include.am | 1 + src/x509.c | 2 +- tests/api.c | 19 ++++++++++++++++++- wolfssl/test.h | 2 ++ 5 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 certs/empty-issuer-cert.pem diff --git a/certs/empty-issuer-cert.pem b/certs/empty-issuer-cert.pem new file mode 100644 index 000000000..927f34d71 --- /dev/null +++ b/certs/empty-issuer-cert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICnTCCAYWgAwIBAgIQToFDJ79b/2ZHXVCCCNt8VTANBgkqhkiG9w0BAQsFADAA +MB4XDTI1MDYxMjIwMTE0N1oXDTM1MDYxMDIwMTE0N1owADCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAOI/4VVa7Pk0NWS7BQGM4ZbuTapoza4baS9+TRbT +QUqgN28gChSw/kHNp4BU/KQhKN/Mp0NN2vmYzRVDB25L1HWph8TqCO+Kqa6XYvnN +CgMEYyumWYWJr2u6hjpF19QeiZ26ezgnDbpkFiysdzn7+MG+PjtRj3mcnaKb1PjK +1P2j9pcrhc/WLo39y+OF2+3nW7JeqJHgAdXgeTLPaFyf91ktaWSLmc3pLqlurLup +pcClP6CKkLClz2Re3eM2/qdTEDO1pU8DRPc5v8qHxuX4K4DD0HYwWXFWDW8Ce+Ta +3o2hrM3mKtQH4n2xoJhJKXlcyrOu++SE4iyaSnooYLxkIqsCAwEAAaMTMBEwDwYD +VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAhBolr3oHIKUrKp0eC1AO +1+byE+vjuDIs0JBtAQ6TD4VTb9E2YavckOXcs0deHM7FUY2TcZ01A0msqtTYYyJ4 +9D325+jrh4FIACrOOyVblWaO+lentmBhexzEXPWS6EhYTDTeZvY1AzDRTkBKm245 +yqeqALL9K5KWdKesQurmt2FKzlc0WSQJmyfVf0IUdHgF05yjECOksYQdFDpeewNF ++1IKwHKemEtnIYatGv0w7XNeUrGTsgVa9vk0Uzg+wIh9+ZeJpOS21010ph6BkaeC +8Y1+kK7bZc0kBw5V20w16QtbE2MZucjlNLzjvAW5rVFNlBaiO7WIHPTvJfk38hq9 +zw== +-----END CERTIFICATE----- 
diff --git a/certs/include.am b/certs/include.am
index d9cb8f314..90e66c997 100644
--- a/certs/include.am
+++ b/certs/include.am
@@ -30,6 +30,7 @@ EXTRA_DIST += \
 certs/ecc-keyPkcs8.der \
 certs/ecc-client-key.pem \
 certs/ecc-client-keyPub.pem \
+ certs/empty-issuer-cert.pem \
 certs/client-ecc-cert.pem \
 certs/client-ca.pem \
 certs/dh2048.pem \
diff --git a/src/x509.c b/src/x509.c
index 36260ada1..b85a04981 100644
--- a/src/x509.c
+++ b/src/x509.c
@@ -13874,7 +13874,7 @@ int wolfSSL_X509_NAME_print_ex(WOLFSSL_BIO* bio, WOLFSSL_X509_NAME* name,
 WOLFSSL_ENTER("wolfSSL_X509_NAME_print_ex");
- if ((name == NULL) || (name->sz == 0) || (bio == NULL))
+ if ((name == NULL) || (bio == NULL))
 return WOLFSSL_FAILURE;
 XMEMSET(eqStr, 0, sizeof(eqStr));
diff --git a/tests/api.c b/tests/api.c
index a5b7ad435..03dc22db2 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -22154,7 +22154,7 @@ static int test_wolfSSL_X509_NAME_print_ex(void)
 ExpectIntEQ(X509_NAME_print_ex(NULL, NULL, 0, 0), WOLFSSL_FAILURE);
 ExpectIntEQ(X509_NAME_print_ex(membio, NULL, 0, 0), WOLFSSL_FAILURE);
 ExpectIntEQ(X509_NAME_print_ex(NULL, name, 0, 0), WOLFSSL_FAILURE);
- ExpectIntEQ(X509_NAME_print_ex(membio, empty, 0, 0), WOLFSSL_FAILURE);
+ ExpectIntEQ(X509_NAME_print_ex(membio, empty, 0, 0), WOLFSSL_SUCCESS);
 ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS);
 wolfSSL_X509_NAME_free(empty);
 BIO_free(membio);
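Review bot: In src/x509.c, wolfSSL_X509_NAME_print_ex now accepts a name with `sz == 0`, but nothing in the hunk records that this is intentional or what the caller gets back. I would add a comment above the check, `/* An empty name (sz == 0) is valid, e.g. an empty issuer or subject; it prints as an empty string. */`, and state in the function's header comment that success with zero bytes written is a possible outcome. The rest of the body lies outside the hunk, so it is worth confirming that the code after XMEMSET tolerates a zero entry count, with no length arithmetic or allocation that assumes at least one entry. Callers that relied on the failure return as an implicit non-empty-name check, for example before logging or comparing an issuer string, now need their own test.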
@@ -22178,6 +22178,23 @@ static int test_wolfSSL_X509_NAME_print_ex(void)
 BIO_free(bio);
 name = NULL;
+ /* Test with empty issuer cert. */
+ ExpectNotNull(bio = BIO_new(BIO_s_file()));
+ ExpectIntGT(BIO_read_filename(bio, noIssuerCertFile), 0);
+ ExpectNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL));
+ ExpectNotNull(name = X509_get_subject_name(x509));
+
+ ExpectNotNull(membio = BIO_new(BIO_s_mem()));
+ ExpectIntEQ(X509_NAME_print_ex(membio, name, 0, 0), WOLFSSL_SUCCESS);
+ /* Should be empty string "" */
+ ExpectIntEQ((memSz = BIO_get_mem_data(membio, &mem)), 0);
+
+ BIO_free(membio);
+ membio = NULL;
+ X509_free(x509);
+ BIO_free(bio);
+ name = NULL;
+
 /* Test normal case without escaped characters */
 {
 /* Create name: "/C=US/CN=wolfssl.com" */
diff --git a/wolfssl/test.h b/wolfssl/test.h
index 6e6bc0f86..70765c4db 100644
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@@ -527,6 +527,7 @@ err_sys_with_errno(const char* msg)
 #define cliEd448CertFile "certs/ed448/client-ed448.pem"
 #define cliEd448KeyFile "certs/ed448/client-ed448-priv.pem"
 #define caEd448CertFile "certs/ed448/ca-ed448.pem"
+#define noIssuerCertFile "certs/empty-issuer-cert.pem"
 #define caCertFolder "certs/"
 #ifdef HAVE_WNR
 /* Whitewood netRandom default config file */
@@ -590,6 +591,7 @@ err_sys_with_errno(const char* msg)
 #define cliEd448CertFile "./certs/ed448/client-ed448.pem"
 #define cliEd448KeyFile "./certs/ed448/client-ed448-priv.pem"
 #define caEd448CertFile "./certs/ed448/ca-ed448.pem"
+#define noIssuerCertFile "./certs/empty-issuer-cert.pem"
 #define caCertFolder "./certs/"
 #ifdef HAVE_WNR
 /* Whitewood netRandom default config file */
From 3bd9b2e0bcc50d535d997a060a52542ea69409dc Mon Sep 17 00:00:00 2001
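Review bot: The block added to test_wolfSSL_X509_NAME_print_ex in tests/api.c is labelled as an empty-issuer test and loads `noIssuerCertFile`, but it only prints `X509_get_subject_name(x509)`, so the certificate's issuer name is never exercised. Adding `ExpectNotNull(name = X509_get_issuer_name(x509));` and a second `X509_NAME_print_ex` check on the same `membio` would cover the case the commit message describes. The cleanup resets `membio` and `name` but leaves `x509` and `bio` pointing at freed objects; since `&x509` is handed to `PEM_read_bio_X509` in this block, `x509 = NULL;` and `bio = NULL;` after the frees would keep a later block from picking up a stale pointer. The function continues outside the hunk on both sides.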
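Review bot: The macro added to wolfssl/test.h is named `noIssuerCertFile`, while the file name, the commit message and the test comment all describe an empty-issuer certificate; the certificate still has an issuer field, it is just an empty name. `emptyIssuerCertFile` would match `certs/empty-issuer-cert.pem` and would not suggest a certificate with the issuer missing; the same applies to the second hunk (`@@ -590,6 +591,7 @@`). A short comment next to the define, such as `/* self-signed test cert with empty issuer and subject names */`, would also help, because the file sits directly in the directory named by `caCertFolder` and any test that loads that directory as a CA path may pick it up.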
From: Josh Holtrop
Date: Mon, 16 Jun 2025 11:39:01 -0400
Subject: [PATCH 2/2] Add generation instructions for empty issuer cert and change expiry to 100 years
---
 certs/empty-issuer-cert.pem | 30 +++++++++++++++---------------
 certs/test/gen-testcerts.sh | 8 ++++++++
 tests/api.c | 3 ++-
 3 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/certs/empty-issuer-cert.pem b/certs/empty-issuer-cert.pem
index 927f34d71..e93c3839a 100644
--- a/certs/empty-issuer-cert.pem
+++ b/certs/empty-issuer-cert.pem
@@ -1,17 +1,17 @@ -----BEGIN CERTIFICATE----- -MIICnTCCAYWgAwIBAgIQToFDJ79b/2ZHXVCCCNt8VTANBgkqhkiG9w0BAQsFADAA -MB4XDTI1MDYxMjIwMTE0N1oXDTM1MDYxMDIwMTE0N1owADCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAOI/4VVa7Pk0NWS7BQGM4ZbuTapoza4baS9+TRbT -QUqgN28gChSw/kHNp4BU/KQhKN/Mp0NN2vmYzRVDB25L1HWph8TqCO+Kqa6XYvnN -CgMEYyumWYWJr2u6hjpF19QeiZ26ezgnDbpkFiysdzn7+MG+PjtRj3mcnaKb1PjK -1P2j9pcrhc/WLo39y+OF2+3nW7JeqJHgAdXgeTLPaFyf91ktaWSLmc3pLqlurLup -pcClP6CKkLClz2Re3eM2/qdTEDO1pU8DRPc5v8qHxuX4K4DD0HYwWXFWDW8Ce+Ta -3o2hrM3mKtQH4n2xoJhJKXlcyrOu++SE4iyaSnooYLxkIqsCAwEAAaMTMBEwDwYD -VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAhBolr3oHIKUrKp0eC1AO -1+byE+vjuDIs0JBtAQ6TD4VTb9E2YavckOXcs0deHM7FUY2TcZ01A0msqtTYYyJ4 -9D325+jrh4FIACrOOyVblWaO+lentmBhexzEXPWS6EhYTDTeZvY1AzDRTkBKm245 -yqeqALL9K5KWdKesQurmt2FKzlc0WSQJmyfVf0IUdHgF05yjECOksYQdFDpeewNF -+1IKwHKemEtnIYatGv0w7XNeUrGTsgVa9vk0Uzg+wIh9+ZeJpOS21010ph6BkaeC -8Y1+kK7bZc0kBw5V20w16QtbE2MZucjlNLzjvAW5rVFNlBaiO7WIHPTvJfk38hq9 -zw== +MIICnzCCAYegAwIBAgIQU1iTAJIjUtSgSXdIIsSjfzANBgkqhkiG9w0BAQsFADAA +MCAXDTI1MDYxNjE1MzUzMVoYDzIxMjUwNTIzMTUzNTMxWjAAMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnOqupjygE+kYGouC/fcDyPnOoimqKOL/dqdA +vyRfTL93qgOpkpE6LgdbnUdOIqLgzo66uymwMvzZ3n5ZOfNpjk+ZZ6BA9fPlfnSb +UEF944metFas1zX7WMrx7lVp/tviMzVcAN8tegY5upOrRK4CmpjnNrHyn4La/aO6 +Xjf/87T2ESt8gpwdfwSKJJp6wKxlplShyXwFERG+J3cyGOrHwqj7m/MHMkNleRra +WVuGHNN1KIMkM1uu+5mddGoAeft9q72IU5dzHh8L4Bie3BeXmXbym9V5Ol1kunJL ++tQhTy/pkez2JmnbzSgCMsP1CvjudTdHBpGsQvKu4khs6+iL/wIDAQABoxMwETAP +BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBhWgTR9Aldz76zdSIe +PktR4h4HkTSzdrnY17S3vgRRpYtG3wvVNEFoNrq5qHAt+LuaG0zujU0CtRBZS40F +8gtgs8tHRbi3erT2WzE0r60KUIEtDUr+MNI2eQqPMR0DQEdheiIW4cGV5brvsCsA +iv8EnXtUq/JB2os40eFsYi6c9clMZxKwk2AmOYB8i4hvONxyfs0mSP+yJWRVXWoq +iRcpynIyeaWhTW+Y4Fl4o81a+Ei23NLQkFH6jVAkk2bSkn6W3DwQXhtFu0aBO52E +zRGGzKBMqwS82tNxHXjwZu0BunDCrpjoDR5RxKiCWWw5ckASQVRpz1Gg3nA8iOB7 +fnXW -----END CERTIFICATE----- 
diff --git a/certs/test/gen-testcerts.sh b/certs/test/gen-testcerts.sh
index 7564bb358..453f8022b 100755
--- a/certs/test/gen-testcerts.sh
+++ b/certs/test/gen-testcerts.sh
@@ -228,3 +228,11 @@ generate_expired_certs expired/expired-cert ../server-key.pem
 generate_test_trusted_cert ossl-trusted-cert localhost "" 1
+
+# Note on certs/empty-issuer-cert.pem:
+# OpenSSL did not like to generate this certificate with an empty CN in the
+# conf file.
+# The following commands were used to generate this certificate file:
+# wolfssl genkey rsa -size 2048 -out mykey -outform pem -output KEY
+# wolfssl req -new -days 36500 -key mykey.priv -out empty-issuer-cert.pem -x509
+# (pressing enter for ean input without entering any input text)
diff --git a/tests/api.c b/tests/api.c
index 03dc22db2..7c8e89e3e 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -22178,7 +22178,8 @@ static int test_wolfSSL_X509_NAME_print_ex(void)
 BIO_free(bio);
 name = NULL;
- /* Test with empty issuer cert. */
+ /* Test with empty issuer cert empty-issuer-cert.pem.
+ * See notes in certs/test/gen-testcerts.sh for how it was generated. */
 ExpectNotNull(bio = BIO_new(BIO_s_file()));
 ExpectIntGT(BIO_read_filename(bio, noIssuerCertFile), 0);
 ExpectNotNull(PEM_read_bio_X509(bio, &x509, NULL, NULL));
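Review bot: The generation note appended to certs/test/gen-testcerts.sh has a typo in its last line, `ean input` should read `each input`, and it records manual steps rather than something the script runs. Only the certificate is committed in this series, so I would add a line such as `# The key file mykey.priv is not kept; regenerating produces a new certificate.` to stop anyone looking for the key later. Naming the version of the wolfssl command-line tool that was used would also make the steps easier to repeat, given the note says OpenSSL could not produce this certificate.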