- Prevents creation of duplicate cert entries in PKCS #12 files
Resolves: rhbz#1978670 Signed-off-by: Sahana Prasad <sahana@redhat.com>epel8
Sahana Prasad
3 years ago
parent
b7c6b85c95
commit
0b6afca185
@ -0,0 +1,75 @@
|
||||
diff -up openssl-3.0.0-beta1/apps/pkcs12.c.dup-pkcs12 openssl-3.0.0-beta1/apps/pkcs12.c
|
||||
--- openssl-3.0.0-beta1/apps/pkcs12.c.dup-pkcs12 2021-07-22 14:59:14.777544688 +0200
|
||||
+++ openssl-3.0.0-beta1/apps/pkcs12.c 2021-07-22 15:06:04.768908265 +0200
|
||||
@@ -571,8 +571,6 @@ int pkcs12_main(int argc, char **argv)
|
||||
infile);
|
||||
goto export_end;
|
||||
}
|
||||
- } else {
|
||||
- ee_cert = X509_dup(sk_X509_value(certs, 0)); /* take 1st cert */
|
||||
}
|
||||
}
|
||||
|
||||
@@ -588,8 +586,13 @@ int pkcs12_main(int argc, char **argv)
|
||||
int vret;
|
||||
STACK_OF(X509) *chain2;
|
||||
X509_STORE *store;
|
||||
+ X509 *ee_cert_tmp = ee_cert;
|
||||
|
||||
- if (ee_cert == NULL) {
|
||||
+ /* Assume the first cert if we haven't got anything else */
|
||||
+ if (ee_cert_tmp == NULL && certs != NULL)
|
||||
+ ee_cert_tmp = sk_X509_value(certs, 0);
|
||||
+
|
||||
+ if (ee_cert_tmp == NULL) {
|
||||
BIO_printf(bio_err,
|
||||
"No end entity certificate to check with -chain\n");
|
||||
goto export_end;
|
||||
@@ -600,7 +603,7 @@ int pkcs12_main(int argc, char **argv)
|
||||
== NULL)
|
||||
goto export_end;
|
||||
|
||||
- vret = get_cert_chain(ee_cert, store, untrusted_certs, &chain2);
|
||||
+ vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2);
|
||||
X509_STORE_free(store);
|
||||
|
||||
if (vret == X509_V_OK) {
|
||||
diff -up openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t.dup-pkcs12 openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t
|
||||
--- openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t.dup-pkcs12 2021-07-22 15:06:22.715077291 +0200
|
||||
+++ openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t 2021-07-22 15:17:52.250559784 +0200
|
||||
@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
|
||||
}
|
||||
$ENV{OPENSSL_WIN32_UTF8}=1;
|
||||
|
||||
-plan tests => 7;
|
||||
+plan tests => 10;
|
||||
|
||||
# Test different PKCS#12 formats
|
||||
ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
|
||||
@@ -73,6 +73,7 @@ my @path = qw(test certs);
|
||||
my $outfile1 = "out1.p12";
|
||||
my $outfile2 = "out2.p12";
|
||||
my $outfile3 = "out3.p12";
|
||||
+my $outfile5 = "out5.p12";
|
||||
|
||||
# Test the -chain option with -untrusted
|
||||
ok(run(app(["openssl", "pkcs12", "-export", "-chain",
|
||||
@@ -108,4 +109,18 @@ SKIP: {
|
||||
"test_pkcs12_passcerts_legacy");
|
||||
}
|
||||
|
||||
+ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5,
|
||||
+ "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname",
|
||||
+ "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])),
|
||||
+ "test nokeys single cert");
|
||||
+
|
||||
+my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5,
|
||||
+ "-passin", "pass:"]), capture => 1);
|
||||
+
|
||||
+# Test that with one input certificate, we get one output certificate
|
||||
+ok(grep(/subject=CN = server.example/, @pkcs12info) == 1,
|
||||
+ "test one cert in output");
|
||||
+# Test that the expected friendly name is present in the output
|
||||
+ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
|
||||
+
|
||||
SetConsoleOutputCP($savedcp) if (defined($savedcp));
|
||||
Loading…
Reference in new issue