From bec36e795970b6f9d4f8efcd20a5b8e1cb4241b3 Mon Sep 17 00:00:00 2001
From: Aidan Keefe
Date: Thu, 28 May 2026 14:22:18 -0600
Subject: [PATCH] F-4422 ensured that a malformed -subj string will be caught and result in a non-success program exit and added more clear error reporting
---
 src/tools/clu_funcs.c | 3 +--
 src/x509/clu_request_setup.c | 8 ++++++--
 tests/x509/x509-process-test.py | 14 ++++++++++++++
 3 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/src/tools/clu_funcs.c b/src/tools/clu_funcs.c
index 603bfccf..7085726d 100644
--- a/src/tools/clu_funcs.c
+++ b/src/tools/clu_funcs.c
@@ -1305,11 +1305,10 @@ WOLFSSL_X509_NAME* wolfCLU_ParseX509NameString(const char* n, int nSz)
 wolfCLU_LogError("error allocating name structure");
 return NULL;
 }
-
 for (word = strtok_r((char*)n, deli, &end); word != NULL; word = strtok_r(NULL, deli, &end)) {
 tagSz = (int)strcspn(word, "=");
- if (tagSz <= 0) {
+ if (tagSz <= 0 || word[tagSz] != '=') {
 wolfCLU_LogError("error finding '=' char in name");
 wolfSSL_X509_NAME_free(ret);
 ret = NULL;
diff --git a/src/x509/clu_request_setup.c b/src/x509/clu_request_setup.c
index 80494618..974edc7b 100644
--- a/src/x509/clu_request_setup.c
+++ b/src/x509/clu_request_setup.c
@@ -865,9 +865,13 @@ int wolfCLU_requestSetup(int argc, char** argv)
 if (name != NULL) {
 wolfSSL_X509_REQ_set_subject_name(x509, name);
 wolfSSL_X509_NAME_free(name);
+ reSign = 1; /* re-sign after subject change */
+ }
+ else {
+ wolfCLU_LogError("Failed to parse -subj string");
+ wolfCLU_certgenHelp();
+ ret = USER_INPUT_ERROR;
 }
-
- reSign = 1; /* re-sign after subject change */
 }
 /* if no configure is passed in then get input from command line */
diff --git a/tests/x509/x509-process-test.py b/tests/x509/x509-process-test.py
index d1db9c23..2224471a 100644
--- a/tests/x509/x509-process-test.py
+++ b/tests/x509/x509-process-test.py
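Review bot: In wolfCLU_ParseX509NameString (src/tools/clu_funcs.c) the tightened test `tagSz <= 0 || word[tagSz] != '='` relies on a property of strcspn that is easy to miss, so it deserves a comment such as `/* strcspn() returns strlen(word) when no '=' exists, so word[tagSz] is '\0' in that case */`. The same branch also fires for an empty tag like `/=value`, where the '=' was found, so the message "error finding '=' char in name" is misleading there; something like `"missing tag or '=' in name component"` would cover both cases. The loop still tokenises `(char*)n`, which writes into a buffer the signature declares const; it is worth confirming every caller passes writable memory. The function body starts and ends outside this hunk, so how an empty value after '=' is treated cannot be judged from here.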
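Review bot: In wolfCLU_requestSetup (src/x509/clu_request_setup.c) the success branch still discards the result of `wolfSSL_X509_REQ_set_subject_name(x509, name)`, so if applying the parsed subject fails the code sets `reSign = 1` and carries on with whatever subject the request already held. Since this commit exists to make a bad -subj fail closed, the call should be checked as well, e.g. `if (wolfSSL_X509_REQ_set_subject_name(x509, name) != WOLFSSL_SUCCESS)` followed by setting `ret` to the file's failure code, and `reSign` set only on success. The new else branch only assigns `ret`; the "get input from command line" step that follows is outside the hunk, so please confirm it and the signing/output steps are skipped once `ret` holds an error, otherwise a request with an unintended subject could still be written. The function starts and ends outside this hunk.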
@@ -504,6 +504,20 @@ def test_4f_nonexistent_file_pem(self):
 self.assertNotEqual(r.returncode, 0)
+class TestMalformedArguments(unittest.TestCase):
+ """ Regression: for malformed arguments """
+
+ def test_5a_malformed_subj_argument(self):
+ """ malformed string passed to -subj should result in error and
+ logging of issue """
+ r = run_wolfssl("req", "-new", "-days", "3650",
+ "-key", os.path.join(CERTS_DIR, "server-key.pem"),
+ "-subj",
+ "/O=wolfSSL/C=US/ST=WA/L=Seattle/CN=wolfSSL/OUorg-unit")
+ self.assertNotEqual(r.returncode, 0, r.stderr)
+ self.assertGreater(len(r.stderr), 0)
+
+
 class TestX509ModulusNoout(unittest.TestCase):
 """Regression: x509 -modulus -noout must not crash."""
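Review bot: The two assertions in test_5a_malformed_subj_argument are loose enough to pass for the wrong reason: `assertNotEqual(r.returncode, 0)` is also satisfied by a crash (a signal gives a negative return code) or by a missing key file, and `assertGreater(len(r.stderr), 0)` accepts any output at all. Pinning the diagnostic would tie the test to the fix, e.g. `self.assertIn("Failed to parse -subj string", r.stderr)`, assuming wolfCLU_LogError writes to stderr, which is not visible in this patch. If the tool's exit code for USER_INPUT_ERROR is stable, asserting `r.returncode > 0` would additionally rule out a signal exit. Only the missing-'=' case is exercised; a second case with an empty tag such as `/=value` would cover the `tagSz <= 0` arm of the new condition.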