From 0b6afca185c2c3a0c6201efd6865f3ed62444103 Mon Sep 17 00:00:00 2001
From: Sahana Prasad
Date: Thu, 22 Jul 2021 15:38:17 +0200
Subject: [PATCH] - Prevents creation of duplicate cert entries in PKCS #12 files
Resolves: rhbz#1978670
Signed-off-by: Sahana Prasad
---
 0020-no-dup-cert-entries.patch | 75 ++++++++++++++++++++++++++++++++++
 openssl.spec | 8 +++-
 2 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 0020-no-dup-cert-entries.patch
diff --git a/0020-no-dup-cert-entries.patch b/0020-no-dup-cert-entries.patch
new file mode 100644
index 0000000..792a1ae
--- /dev/null
+++ b/0020-no-dup-cert-entries.patch
@@ -0,0 +1,75 @@
+diff -up openssl-3.0.0-beta1/apps/pkcs12.c.dup-pkcs12 openssl-3.0.0-beta1/apps/pkcs12.c
+--- openssl-3.0.0-beta1/apps/pkcs12.c.dup-pkcs12 2021-07-22 14:59:14.777544688 +0200
++++ openssl-3.0.0-beta1/apps/pkcs12.c 2021-07-22 15:06:04.768908265 +0200
+@@ -571,8 +571,6 @@ int pkcs12_main(int argc, char **argv)
+ infile);
+ goto export_end;
+ }
+- } else {
+- ee_cert = X509_dup(sk_X509_value(certs, 0)); /* take 1st cert */
+ }
+ }
+
+@@ -588,8 +586,13 @@ int pkcs12_main(int argc, char **argv)
+ int vret;
+ STACK_OF(X509) *chain2;
+ X509_STORE *store;
++ X509 *ee_cert_tmp = ee_cert;
+
+- if (ee_cert == NULL) {
++ /* Assume the first cert if we haven't got anything else */
++ if (ee_cert_tmp == NULL && certs != NULL)
++ ee_cert_tmp = sk_X509_value(certs, 0);
++
++ if (ee_cert_tmp == NULL) {
+ BIO_printf(bio_err,
+ "No end entity certificate to check with -chain\n");
+ goto export_end;
+@@ -600,7 +603,7 @@ int pkcs12_main(int argc, char **argv)
+ == NULL)
+ goto export_end;
+
+- vret = get_cert_chain(ee_cert, store, untrusted_certs, &chain2);
++ vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2);
+ X509_STORE_free(store);
+
+ if (vret == X509_V_OK) {
+diff -up openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t.dup-pkcs12 openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t
+--- openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t.dup-pkcs12 2021-07-22 15:06:22.715077291 +0200
++++ openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t 2021-07-22 15:17:52.250559784 +0200
+@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
+ }
+ $ENV{OPENSSL_WIN32_UTF8}=1;
+
+-plan tests => 7;
++plan tests => 10;
+
+ # Test different PKCS#12 formats
+ ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
+@@ -73,6 +73,7 @@ my @path = qw(test certs);
+ my $outfile1 = "out1.p12";
+ my $outfile2 = "out2.p12";
+ my $outfile3 = "out3.p12";
++my $outfile5 = "out5.p12";
+
+ # Test the -chain option with -untrusted
+ ok(run(app(["openssl", "pkcs12", "-export", "-chain",
+@@ -108,4 +109,18 @@ SKIP: {
+ "test_pkcs12_passcerts_legacy");
+ }
+
++ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5,
++ "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname",
++ "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])),
++ "test nokeys single cert");
++
++my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5,
++ "-passin", "pass:"]), capture => 1);
++
++# Test that with one input certificate, we get one output certificate
++ok(grep(/subject=CN = server.example/, @pkcs12info) == 1,
++ "test one cert in output");
++# Test that the expected friendly name is present in the output
++ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
++
+ SetConsoleOutputCP($savedcp) if (defined($savedcp));
diff --git a/openssl.spec b/openssl.spec
index 4e0dbab..6d146a5 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -15,7 +15,7 @@ Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.0
-Release: 0.beta1.4%{?dist}
+Release: 0.beta1.5%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -58,6 +58,8 @@ Patch17: 0017-use-AI-ADDRCONFIG-explicit-hostname.patch
 Patch18: 0018-Fix-crash-BN_lebin2bn.patch
 # Temporary dual-ABI build patch
 Patch19: 0019-dual-abi.patch
+# Prevents creation of duplicate cert entries in PKCS #12 files
+Patch20: 0020-no-dup-cert-entries.patch
 License: ASL 2.0
 URL: http://www.openssl.org/
@@ -380,6 +382,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
+* Thu Jul 22 2021 Sahana Prasad 3.0.0-0.beta1.5
+- Prevents creation of duplicate cert entries in PKCS #12 files
+- Resolves: rhbz#1978670
+
 * Wed Jul 21 2021 Sahana Prasad 3.0.0-0.beta1.4
 - NVR bump to update to OpenSSL 3.0 Beta1
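Review bot: `X509 *ee_cert_tmp = ee_cert;` in the second pkcs12.c hunk introduces a borrowed pointer — `sk_X509_value(certs, 0)` returns the stack's own entry without taking a reference, unlike the `X509_dup` copy this patch removes — and nothing in the hunk records that it must not be freed. If `ee_cert` is released at `export_end` (pkcs12_main's body starts and ends outside the hunk, so I cannot see that cleanup), a later change that treats `ee_cert_tmp` the same way would be a double free; a comment at the declaration pins the ownership, e.g. `X509 *ee_cert_tmp = ee_cert; /* borrowed from certs, never freed here */`. In the 80-test_pkcs12.t hunk, `/subject=CN = server.example/` leaves the `.` unescaped, so the count check also matches any one-character variant of the subject; `/subject=CN = server\.example/` states the literal intent.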