diff --git a/0020-no-dup-cert-entries.patch b/0020-no-dup-cert-entries.patch new file mode 100644 index 0000000..792a1ae --- /dev/null +++ b/0020-no-dup-cert-entries.patch @@ -0,0 +1,75 @@ +diff -up openssl-3.0.0-beta1/apps/pkcs12.c.dup-pkcs12 openssl-3.0.0-beta1/apps/pkcs12.c +--- openssl-3.0.0-beta1/apps/pkcs12.c.dup-pkcs12 2021-07-22 14:59:14.777544688 +0200 ++++ openssl-3.0.0-beta1/apps/pkcs12.c 2021-07-22 15:06:04.768908265 +0200 +@@ -571,8 +571,6 @@ int pkcs12_main(int argc, char **argv) + infile); + goto export_end; + } +- } else { +- ee_cert = X509_dup(sk_X509_value(certs, 0)); /* take 1st cert */ + } + } + +@@ -588,8 +586,13 @@ int pkcs12_main(int argc, char **argv) + int vret; + STACK_OF(X509) *chain2; + X509_STORE *store; ++ X509 *ee_cert_tmp = ee_cert; + +- if (ee_cert == NULL) { ++ /* Assume the first cert if we haven't got anything else */ ++ if (ee_cert_tmp == NULL && certs != NULL) ++ ee_cert_tmp = sk_X509_value(certs, 0); ++ ++ if (ee_cert_tmp == NULL) { + BIO_printf(bio_err, + "No end entity certificate to check with -chain\n"); + goto export_end; +@@ -600,7 +603,7 @@ int pkcs12_main(int argc, char **argv) + == NULL) + goto export_end; + +- vret = get_cert_chain(ee_cert, store, untrusted_certs, &chain2); ++ vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2); + X509_STORE_free(store); + + if (vret == X509_V_OK) { +diff -up openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t.dup-pkcs12 openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t +--- openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t.dup-pkcs12 2021-07-22 15:06:22.715077291 +0200 ++++ openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t 2021-07-22 15:17:52.250559784 +0200 +@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) { + } + $ENV{OPENSSL_WIN32_UTF8}=1; + +-plan tests => 7; ++plan tests => 10; + + # Test different PKCS#12 formats + ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats"); +@@ -73,6 +73,7 @@ my @path = qw(test certs); + my $outfile1 = "out1.p12"; + my $outfile2 = "out2.p12"; + my $outfile3 = "out3.p12"; ++my $outfile5 = "out5.p12"; + + # Test the -chain option with -untrusted + ok(run(app(["openssl", "pkcs12", "-export", "-chain", +@@ -108,4 +109,18 @@ SKIP: { + "test_pkcs12_passcerts_legacy"); + } + ++ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5, ++ "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname", ++ "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])), ++ "test nokeys single cert"); ++ ++my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5, ++ "-passin", "pass:"]), capture => 1); ++ ++# Test that with one input certificate, we get one output certificate ++ok(grep(/subject=CN = server.example/, @pkcs12info) == 1, ++ "test one cert in output"); ++# Test that the expected friendly name is present in the output ++ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output"); ++ + SetConsoleOutputCP($savedcp) if (defined($savedcp)); diff --git a/openssl.spec b/openssl.spec index 4e0dbab..6d146a5 100644 --- a/openssl.spec +++ b/openssl.spec @@ -15,7 +15,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.0 -Release: 0.beta1.4%{?dist} +Release: 0.beta1.5%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -58,6 +58,8 @@ Patch17: 0017-use-AI-ADDRCONFIG-explicit-hostname.patch Patch18: 0018-Fix-crash-BN_lebin2bn.patch # Temporary dual-ABI build patch Patch19: 0019-dual-abi.patch +# Prevents creation of duplicate cert entries in PKCS #12 files +Patch20: 0020-no-dup-cert-entries.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -380,6 +382,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Thu Jul 22 2021 Sahana Prasad 3.0.0-0.beta1.5 +- Prevents creation of duplicate cert entries in PKCS #12 files +- Resolves: rhbz#1978670 + * Wed Jul 21 2021 Sahana Prasad 3.0.0-0.beta1.4 - NVR bump to update to OpenSSL 3.0 Beta1