Merge pull request #191 from Yu-Ma28051503/fix-x9146

dgarske · web-flow · commit b9411d549fcd · 2025-11-17T09:24:18.000-08:00
fix README and setting subject
diff --git a/README.md b/README.md
@@ -161,11 +161,11 @@ wolfssl verify -CAfile A.cert C.cert
 
 Following is a scenario creating Chimera (dual algorithms) certificates for PQC(Post Quantum Cryptography).
 
-The following demonstrates how to create a root CA and use it to sign other certificates. This example uses ECC and ML-DSA. In this scenario there are three entities A, B, and C, where A is meant to function as a root CA. 
+The following demonstrates how to create a root CA and use it to sign other certificates. This example uses ECC and ML-DSA. In this scenario there are three entities A, B, and C, where A is meant to function as a root CA, and B is assumed to be an intermediate CA.
 
-Before running the commands below, ensure you have the `ml-dsa` option enabled in wolfSSL. This can be done by configuring wolfSSL with `--enable-dilithium`, `--enable-dual-alg-certs` and `--enable-experimental`.
+Before running the commands below, ensure you have the `ml-dsa` option enabled in wolfSSL. This can be done by configuring wolfSSL with `--enable-wolfclu`,  `--enable-dilithium`, `--enable-dual-alg-certs` and `--enable-experimental`.
 
-The following steps demonstrate how to generate keys and certificates for A, B, and C, where A is self-signed and B and C are signed by A
+The following steps demonstrate how to generate keys and certificates for A, B, and C, where A is self-signed and B and C are signed by A.
 
 1. Create private ECC and ML-DSA keys for A, B, and C
 ```
diff --git a/src/x509/clu_x509_sign.c b/src/x509/clu_x509_sign.c
@@ -248,6 +248,7 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
     char *key     = NULL;
     char *value   = NULL;
     char *saveptr = NULL;
+    char *slash   = NULL;
     char *subj    = NULL;
     int  subjSz   = 0;
 
@@ -617,49 +618,50 @@ int wolfCLU_GenChimeraCertSign(WOLFSSL_BIO *bioCaKey, WOLFSSL_BIO *bioAltCaKey,
     }
 
     if (ret == WOLFCLU_SUCCESS) {
-        subjSz = XSTRLEN(subject) + 1;
+        subjSz = (int)XSTRLEN(subject) + 1;
         subj = (char*)XMALLOC(subjSz, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
         if (subj == NULL) {
             wolfCLU_LogError("Failed to allocate memory for subject");
             ret = MEMORY_E;
         }
         else {
             XMEMCPY(subj, subject, subjSz);
-            token = XSTRTOK(subj, "/", &saveptr);
+            token = XSTRTOK(subj, "/", &slash);
             while (token != NULL) {
+                saveptr = NULL;
                 key   = XSTRTOK(token, "=", &saveptr);
                 value = XSTRTOK(NULL,  "=", &saveptr);
 
-                if (key == NULL || value == NULL) {
-                    /* exit loop if key or value is NULL */
-                    break;
-                }
-                if (XSTRCMP(key, "C") == 0) {
-                    XSTRLCPY(newCert.subject.country, value, CTC_NAME_SIZE);
-                }
-                else if (XSTRCMP(key, "ST") == 0) {
-                    XSTRLCPY(newCert.subject.state, value, CTC_NAME_SIZE);
-                }
-                else if (XSTRCMP(key, "L") == 0) {
-                    XSTRLCPY(newCert.subject.locality, value, CTC_NAME_SIZE);
-                }
-                else if (XSTRCMP(key, "O") == 0) {
-                    XSTRLCPY(newCert.subject.org, value, CTC_NAME_SIZE);
-                }
-                else if (XSTRCMP(key, "OU") == 0) {
-                    XSTRLCPY(newCert.subject.unit, value, CTC_NAME_SIZE);
-                }
-                else if (XSTRCMP(key, "CN") == 0) {
-                    XSTRLCPY(newCert.subject.commonName, value, CTC_NAME_SIZE);
-                }
-                else if (XSTRCMP(key, "emailAddress") == 0) {
-                    XSTRLCPY(newCert.subject.email, value, CTC_NAME_SIZE);
+                if (!(key == NULL && value ==NULL)) {
+                    if (XSTRCMP(key, "C") == 0) {
+                        XSTRLCPY(newCert.subject.country, value, CTC_NAME_SIZE);
+                    }
+                    else if (XSTRCMP(key, "ST") == 0) {
+                        XSTRLCPY(newCert.subject.state, value, CTC_NAME_SIZE);
+                    }
+                    else if (XSTRCMP(key, "L") == 0) {
+                        XSTRLCPY(newCert.subject.locality, value, CTC_NAME_SIZE);
+                    }
+                    else if (XSTRCMP(key, "O") == 0) {
+                        XSTRLCPY(newCert.subject.org, value, CTC_NAME_SIZE);
+                    }
+                    else if (XSTRCMP(key, "OU") == 0) {
+                        XSTRLCPY(newCert.subject.unit, value, CTC_NAME_SIZE);
+                    }
+                    else if (XSTRCMP(key, "CN") == 0) {
+                        XSTRLCPY(newCert.subject.commonName, value, CTC_NAME_SIZE);
+                    }
+                    else if (XSTRCMP(key, "emailAddress") == 0) {
+                        XSTRLCPY(newCert.subject.email, value, CTC_NAME_SIZE);
+                    }
                 }
 
-                token = XSTRTOK(NULL, "/", &saveptr);
+                token = XSTRTOK(NULL, "/", &slash);
             }
 
+            XMEMSET(subj, 0, subjSz);
             XFREE(subj, HEAP_HINT, NULL);
+            subj = NULL;
         }
     }
 
