[openssl] master update

dev at ddvo.net dev at ddvo.net
Thu Nov 19 10:39:08 UTC 2020


The branch master has been updated
       via  908c9fc7ed86d8fab4edc1431433509bc18ac935 (commit)
       via  09afbec94bacac7be9fbeab8fa0a9dfd5cb19b1d (commit)
       via  61dd4168f5d98cd914a65b7357e4df06a65693ab (commit)
       via  3a6df6bd5cf64005682da6ec18ef58b929baa452 (commit)
       via  0c2c560cb96346737bace83eb01f8e8aa5970f81 (commit)
       via  852feb3bd8a42ab441bd726ffc96c5757b7a936c (commit)
       via  b84965aff0451dd914d54d3fbb6b9d347e1cd947 (commit)
       via  bb57c90e6cdc8400219673ff32dad95361f3c291 (commit)
       via  279b61d0cade44964956c5c39da462fe43414cc1 (commit)
       via  9c73e48a081278f18f3203efca980ddfa873e71f (commit)
       via  c1097eecdfe438bcb18b3f556ca4e5dec0748cfc (commit)
      from  d7e498ac55f12bc2f4e7f948cbb8de2e3eeafc74 (commit)


- Log -----------------------------------------------------------------
commit 908c9fc7ed86d8fab4edc1431433509bc18ac935
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Mon Aug 10 14:23:46 2020 +0200

    apps/pkcs12: Clean up the order in which many options are presented
    
    Also do a minor extension on the documentation of the -passcerts option
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/4930)

commit 09afbec94bacac7be9fbeab8fa0a9dfd5cb19b1d
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sat Jun 6 13:59:25 2020 +0200

    e_loader_attic.c: Improve result handling of file_load_try_decode()
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/4930)

commit 61dd4168f5d98cd914a65b7357e4df06a65693ab
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Mon May 11 15:51:34 2020 +0200

    Allow for PKCS#12 input without MAC in p12_kiss.c and e_loader_attic.c
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/4930)

commit 3a6df6bd5cf64005682da6ec18ef58b929baa452
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Sat Jun 6 14:00:21 2020 +0200

    e_loader_attic.c: Remove redundant 'pass phrase' sub-string from try_decode_PKCS12()
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/4930)

commit 0c2c560cb96346737bace83eb01f8e8aa5970f81
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Mon May 11 15:50:36 2020 +0200

    apps/storeutl: Add error output in case of parse/decryption/mac errors in input files
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/4930)

commit 852feb3bd8a42ab441bd726ffc96c5757b7a936c
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Mon May 11 15:49:34 2020 +0200

    apps/pkcs12: Really do not perform MAC in case -nomac
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/4930)

commit b84965aff0451dd914d54d3fbb6b9d347e1cd947
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Mon May 11 15:48:52 2020 +0200

    apps/pkcs12: Do not prompt for password in case -nomac and -noenc/-nodes
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/4930)

commit bb57c90e6cdc8400219673ff32dad95361f3c291
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Mon Sep 14 19:17:28 2020 +0200

    Minor improvements of doc for ca and x509 app
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/4930)

commit 279b61d0cade44964956c5c39da462fe43414cc1
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Dec 14 14:02:27 2017 +0100

    apps/pkcs12: Retain test output files
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/4930)

commit 9c73e48a081278f18f3203efca980ddfa873e71f
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Dec 14 11:10:33 2017 +0100

    Minor cleanup of error output for various apps
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/4930)

commit c1097eecdfe438bcb18b3f556ca4e5dec0748cfc
Author: David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Dec 14 08:04:00 2017 +0100

    apps/ca: Minor code and doc cleanup
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/4930)

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c                      | 47 +++++++++++++---------------------
 apps/pkcs12.c                  | 57 +++++++++++++++++++++++-------------------
 apps/s_server.c                |  3 ++-
 apps/storeutl.c                |  8 +++---
 crypto/pkcs12/p12_kiss.c       |  3 ++-
 doc/man1/openssl-ca.pod.in     | 12 ++++-----
 doc/man1/openssl-pkcs12.pod.in |  5 ++--
 engines/e_loader_attic.c       | 10 +++++---
 test/recipes/80-test_pkcs12.t  | 18 ++++++-------
 9 files changed, 82 insertions(+), 81 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index b2866f63d6..0f21b4fa1c 100755
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -100,7 +100,7 @@ static int certify(X509 **xret, const char *infile, int informat,
                    long days, int batch, const char *ext_sect, CONF *conf,
                    int verbose, unsigned long certopt, unsigned long nameopt,
                    int default_op, int ext_copy, int selfsign);
-static int certify_cert(X509 **xret, const char *infile, int informat,
+static int certify_cert(X509 **xret, const char *infile, int certformat,
                         const char *passin, EVP_PKEY *pkey, X509 *x509,
                         const EVP_MD *dgst,
                         STACK_OF(OPENSSL_STRING) *sigopts,
@@ -211,9 +211,11 @@ const OPTIONS ca_options[] = {
     OPT_SECTION("Signing"),
     {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
     {"keyfile", OPT_KEYFILE, 's', "The CA private key"},
-    {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"},
+    {"keyform", OPT_KEYFORM, 'f',
+     "Private key file format (ENGINE, other values ignored)"},
     {"passin", OPT_PASSIN, 's', "Key and cert input file pass phrase source"},
-    {"key", OPT_KEY, 's', "Key to decrypt key or cert files. Better use -passin"},
+    {"key", OPT_KEY, 's',
+     "Key to decrypt the private key or cert files if encrypted. Better use -passin"},
     {"cert", OPT_CERT, '<', "The CA cert"},
     {"certform", OPT_CERTFORM, 'F',
      "Certificate input format (DER/PEM/P12); has no effect"},
@@ -515,10 +517,8 @@ end_of_options:
             BIO_free(oid_bio);
         }
     }
-    if (!add_oid_section(conf)) {
-        ERR_print_errors(bio_err);
+    if (!add_oid_section(conf))
         goto end;
-    }
 
     app_RAND_load_conf(conf, BASE_SECTION);
 
@@ -580,6 +580,7 @@ end_of_options:
         }
     }
     pkey = load_key(keyfile, keyformat, 0, passin, e, "CA private key");
+    cleanse(passin);
     if (pkey == NULL)
         /* load_key() has already printed an appropriate message */
         goto end;
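Review bot: cleanse(passin) directly after load_key() wipes the pass phrase buffer, while the -passin help text in this patch still reads "Key and cert input file pass phrase source" and certify_cert() takes a passin parameter. Any read of passin after this line sees a zeroed string, so either move the cleanse() call after the last consumer of passin or confirm that nothing later in the function passes it on.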
@@ -1344,38 +1345,32 @@ static int certify(X509 **xret, const char *infile, int informat,
     req = load_csr(infile, informat, "certificate request");
     if (req == NULL)
         goto end;
+    if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) {
+        BIO_printf(bio_err, "Error unpacking public key\n");
+        goto end;
+    }
     if (verbose)
         X509_REQ_print_ex(bio_err, req, nameopt, X509_FLAG_COMPAT);
 
     BIO_printf(bio_err, "Check that the request matches the signature\n");
+    ok = 0;
 
     if (selfsign && !X509_REQ_check_private_key(req, pkey)) {
         BIO_printf(bio_err,
                    "Certificate request and CA private key do not match\n");
-        ok = 0;
-        goto end;
-    }
-    if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) {
-        BIO_printf(bio_err, "error unpacking public key\n");
         goto end;
     }
     i = do_X509_REQ_verify(req, pktmp, vfyopts);
-    pktmp = NULL;
     if (i < 0) {
-        ok = 0;
-        BIO_printf(bio_err, "Signature verification problems....\n");
-        ERR_print_errors(bio_err);
+        BIO_printf(bio_err, "Signature verification problems...\n");
         goto end;
     }
     if (i == 0) {
-        ok = 0;
         BIO_printf(bio_err,
                    "Signature did not match the certificate request\n");
-        ERR_print_errors(bio_err);
         goto end;
-    } else {
-        BIO_printf(bio_err, "Signature ok\n");
     }
+    BIO_printf(bio_err, "Signature ok\n");
 
     ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
                  chtype, multirdn, email_dn, startdate, enddate, days, batch,
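Review bot: the X509_REQ_get0_pubkey() check now sits above the new ok = 0 assignment, so its goto end returns whatever ok was initialised to, which this hunk does not show. Move ok = 0 above the pubkey check (or set it inside that branch) so that every failure path in certify() after load_csr() returns the same value.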
@@ -1383,6 +1378,7 @@ static int certify(X509 **xret, const char *infile, int informat,
                  ext_copy, selfsign);
 
  end:
+    ERR_print_errors(bio_err);
     X509_REQ_free(req);
     return ok;
 }
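Review bot: ERR_print_errors(bio_err) at the end: label runs on the success path as well, so entries left on the error queue by an earlier, recovered failure are printed next to a successful certification. Consider guarding the call with the failure result, or add a comment stating that the unconditional flush is intended.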
@@ -1475,10 +1471,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
     if (subj) {
         X509_NAME *n = parse_name(subj, chtype, multirdn, "subject");
 
-        if (!n) {
-            ERR_print_errors(bio_err);
+        if (!n)
             goto end;
-        }
         X509_REQ_set_subject_name(req, n);
         X509_NAME_free(n);
     }
@@ -1716,7 +1710,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
                 BIO_printf(bio_err,
                            "ERROR: adding extensions in section %s\n",
                            ext_sect);
-                ERR_print_errors(bio_err);
                 goto end;
             }
             if (verbose)
@@ -1730,7 +1723,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
                 BIO_printf(bio_err,
                            "ERROR: adding extensions in section %s\n",
                            ext_sect);
-                ERR_print_errors(bio_err);
                 goto end;
             }
 
@@ -1744,7 +1736,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
 
     if (!copy_extensions(ret, req, ext_copy)) {
         BIO_printf(bio_err, "ERROR: adding extensions from request\n");
-        ERR_print_errors(bio_err);
         goto end;
     }
 
@@ -2002,7 +1993,6 @@ static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
     parms = CONF_load(NULL, infile, &errline);
     if (parms == NULL) {
         BIO_printf(bio_err, "error on line %ld of %s\n", errline, infile);
-        ERR_print_errors(bio_err);
         goto end;
     }
 
@@ -2020,10 +2010,8 @@ static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
      * and we can use the same code as if you had a real X509 request.
      */
     req = X509_REQ_new();
-    if (req == NULL) {
-        ERR_print_errors(bio_err);
+    if (req == NULL)
         goto end;
-    }
 
     /*
      * Build up the subject name set.
@@ -2054,7 +2042,6 @@ static int certify_spkac(X509 **xret, const char *infile, EVP_PKEY *pkey,
                 if (spki == NULL) {
                     BIO_printf(bio_err,
                                "unable to load Netscape SPKAC structure\n");
-                    ERR_print_errors(bio_err);
                     goto end;
                 }
             }
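Review bot: the spki == NULL branch loses its ERR_print_errors(bio_err), as do the CONF_load() and X509_REQ_new() branches in the two hunks above, yet unlike certify() the patch adds no flush at the end: label of certify_spkac(). Unless a caller prints the queue, the underlying library error is dropped and only the generic message remains; add the call at end: or add a comment saying where the queue is now printed.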
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 1432d2b930..6bc06e370f 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -68,6 +68,17 @@ const OPTIONS pkcs12_options[] = {
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
+    {"password", OPT_PASSWORD, 's', "Set import/export password source"},
+    {"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"},
+
+    OPT_SECTION("Input"),
+    {"in", OPT_IN, '<', "Input file for PKCS12 parsing or certs and possibly key"},
+    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+    {"inkey", OPT_INKEY, 's', "Private key, else read from -in input file"},
+    {"certfile", OPT_CERTFILE, '<', "Extra certificates for PKCS12 output"},
+    {"untrusted", OPT_UNTRUSTED, '<', "Untrusted certificates for chain building"},
+    {"passcerts", OPT_PASSCERTS, 's', "Certificate file pass phrase source"},
+    {"nomacver", OPT_NOMACVER, '-', "Don't verify MAC"},
 
     OPT_SECTION("CA input for export with the -chain option"),
     {"CApath", OPT_CAPATH, '/', "PEM-format directory of CA's"},
@@ -80,39 +91,27 @@ const OPTIONS pkcs12_options[] = {
     {"no-CAstore", OPT_NOCASTORE, '-',
      "Do not load certificates from the default certificates store"},
 
-    OPT_SECTION("Input"),
-    {"in", OPT_IN, '<', "Input file for PKCS12 parsing or certs and possibly key"},
-    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
-    {"inkey", OPT_INKEY, 's', "Private key, else read from -in input file"},
-    {"certfile", OPT_CERTFILE, '<', "Extra certificates for PKCS12 output"},
-    {"untrusted", OPT_UNTRUSTED, '<', "Untrusted certificates for chain building"},
-    {"passcerts", OPT_PASSCERTS, 's', "Certificate file pass phrase source"},
-    {"name", OPT_NAME, 's', "Use name as friendly name"},
-    {"CSP", OPT_CSP, 's', "Microsoft CSP name"},
-    {"caname", OPT_CANAME, 's',
-     "Use name as CA friendly name (can be repeated)"},
-
     OPT_SECTION("Output"),
-    {"export", OPT_EXPORT, '-', "Output PKCS12 file"},
-    {"LMK", OPT_LMK, '-',
-     "Add local machine keyset attribute to private key"},
-    {"macalg", OPT_MACALG, 's',
-     "Digest algorithm to use in MAC (default SHA1)"},
-    {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"},
     {"out", OPT_OUT, '>', "Output filename"},
     {"passout", OPT_PASSOUT, 's', "Output pass phrase source"},
-    {"password", OPT_PASSWORD, 's', "Set import/export password source"},
+    {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"},
+    {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"},
     {"nocerts", OPT_NOCERTS, '-', "Don't output certificates"},
     {"clcerts", OPT_CLCERTS, '-', "Only output client certificates"},
     {"cacerts", OPT_CACERTS, '-', "Only output CA certificates"},
     {"noout", OPT_NOOUT, '-', "Don't output anything, just verify PKCS#12 input"},
+
+    OPT_SECTION("PKCS12 output"),
+    {"export", OPT_EXPORT, '-', "Output PKCS12 file"},
     {"chain", OPT_CHAIN, '-', "Build and add certificate chain for EE cert,"},
     {OPT_MORE_STR, 0, 0,
-     "which is the 1st cert from -in matching the private key (if given)"},
-    {"twopass", OPT_TWOPASS, '-', "Separate MAC, encryption passwords"},
-    {"nomacver", OPT_NOMACVER, '-', "Don't verify MAC"},
-    {"info", OPT_INFO, '-', "Print info about PKCS#12 structure"},
-    {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"},
+     "which is the 1st cert from -in matching the privte key (if given)"},
+    {"name", OPT_NAME, 's', "Use name as friendly name"},
+    {"CSP", OPT_CSP, 's', "Microsoft CSP name"},
+    {"caname", OPT_CANAME, 's',
+     "Use name as CA friendly name (can be repeated)"},
+    {"LMK", OPT_LMK, '-',
+     "Add local machine keyset attribute to private key"},
     {"keyex", OPT_KEYEX, '-', "Set key type to MS key exchange"},
     {"keysig", OPT_KEYSIG, '-', "Set key type to MS key signature"},
 
@@ -126,10 +125,13 @@ const OPTIONS pkcs12_options[] = {
     {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"},
     {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"},
 #endif
+    {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"},
     {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption key and MAC"},
     {"noiter", OPT_NOITER, '-', "Don't use encryption key iteration"},
     {"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"},
     {"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"},
+    {"macalg", OPT_MACALG, 's',
+     "Digest algorithm to use in MAC (default SHA1)"},
     {"nomac", OPT_NOMAC, '-', "Don't generate MAC"},
     {"noenc", OPT_NOENC, '-', "Don't encrypt private keys"},
     {"nodes", OPT_NODES, '-', "Don't encrypt private keys; deprecated"},
@@ -235,6 +237,7 @@ int pkcs12_main(int argc, char **argv)
             maciter = 1;
             break;
         case OPT_NOMAC:
+            cert_pbe = -1;
             maciter = -1;
             break;
         case OPT_MACALG:
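Review bot: cert_pbe = -1 under case OPT_NOMAC makes -nomac also switch off certificate encryption, which neither the option's help text ("Don't generate MAC") nor the openssl-pkcs12.pod.in change in this push mentions. Because the assignment happens during option parsing, an option handled afterwards that sets cert_pbe would override it, so the result depends on argument order. Document the coupling in the help text and man page, or apply it once after option parsing with a comment giving the reason.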
@@ -573,7 +576,7 @@ int pkcs12_main(int argc, char **argv)
         if (add_lmk && key != NULL)
             EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);
 
-        if (!noprompt) {
+        if (!noprompt && !(enc == NULL && maciter == -1)) {
             /* To avoid bit rot */
             if (1) {
 #ifndef OPENSSL_NO_UI_CONSOLE
@@ -596,7 +599,8 @@ int pkcs12_main(int argc, char **argv)
                             key_pbe, cert_pbe, iter, -1, keytype);
 
         if (p12 == NULL) {
-            ERR_print_errors(bio_err);
+            BIO_printf(bio_err, "Error creating PKCS12 structure for %s\n",
+                       outfile);
             goto export_end;
         }
 
@@ -625,6 +629,7 @@ int pkcs12_main(int argc, char **argv)
         sk_X509_pop_free(untrusted_certs, X509_free);
         X509_free(ee_cert);
 
+        ERR_print_errors(bio_err);
         goto end;
 
     }
diff --git a/apps/s_server.c b/apps/s_server.c
index 1e4bb4f639..24dffeab01 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -827,7 +827,8 @@ const OPTIONS s_server_options[] = {
      "Second private key file to use (usually for DSA)"},
     {"dkeyform", OPT_DKEYFORM, 'F',
      "Second key file format (ENGINE, other values ignored)"},
-    {"dpass", OPT_DPASS, 's', "Second private key and cert file pass phrase source"},
+    {"dpass", OPT_DPASS, 's',
+     "Second private key and cert file pass phrase source"},
     {"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
     {"servername", OPT_SERVERNAME, 's',
      "Servername for HostName TLS extension"},
diff --git a/apps/storeutl.c b/apps/storeutl.c
index fcd874ea5d..facbf63333 100644
--- a/apps/storeutl.c
+++ b/apps/storeutl.c
@@ -395,18 +395,20 @@ static int process(const char *uri, const UI_METHOD *uimeth, PW_CB_DATA *uidata,
             info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);
 
         if (info == NULL) {
-            if (OSSL_STORE_eof(store_ctx))
-                break;
-
             if (OSSL_STORE_error(store_ctx)) {
                 if (recursive)
                     ERR_clear_error();
                 else
                     ERR_print_errors(bio_err);
+                if (OSSL_STORE_eof(store_ctx))
+                    break;
                 ret++;
                 continue;
             }
 
+            if (OSSL_STORE_eof(store_ctx))
+                break;
+
             BIO_printf(bio_err,
                        "ERROR: OSSL_STORE_load() returned NULL without "
                        "eof or error indications\n");
diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
index 894520be39..9b2e8a55c5 100644
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -58,7 +58,8 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
      */
 
     if (pass == NULL || *pass == '\0') {
-        if (PKCS12_verify_mac(p12, NULL, 0))
+        if (!PKCS12_mac_present(p12)
+            || PKCS12_verify_mac(p12, NULL, 0))
             pass = NULL;
         else if (PKCS12_verify_mac(p12, "", 0))
             pass = "";
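Review bot: with !PKCS12_mac_present(p12) short-circuiting the first test, PKCS12_parse() accepts input that carries no integrity protection whenever pass is NULL or empty, without the caller opting in. The summary of changes lists no update to the PKCS12_parse documentation; add a sentence there, and a comment here noting that pass is set to NULL in the MAC-less case without any check that NULL rather than "" is the right password.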
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index bfb8f1a30d..b1d437a5c0 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -182,6 +182,12 @@ L<ps(1)> on Unix),
 this option should be used with caution.
 Better use B<-passin>.
 
+=item B<-passin> I<arg>
+
+The key password source for key files and certificate PKCS#12 files.
+For more information about the format of B<arg>
+see L<openssl(1)/Pass Phrase Options>.
+
 =item B<-selfsign>
 
 Indicates the issued certificates are to be signed with the key
@@ -196,12 +202,6 @@ certificate appears among the entries in the certificate database
 serial number counter as all other certificates sign with the
 self-signed certificate.
 
-=item B<-passin> I<arg>
-
-The key and certificate password source.
-For more information about the format of B<arg>
-see L<openssl(1)/Pass Phrase Options>.
-
 =item B<-notext>
 
 Don't output the text form of a certificate to the output file.
diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in
index adcdc7c1a4..6c4fbfb563 100644
--- a/doc/man1/openssl-pkcs12.pod.in
+++ b/doc/man1/openssl-pkcs12.pod.in
@@ -11,9 +11,9 @@ B<openssl> B<pkcs12>
 [B<-help>]
 [B<-export>]
 [B<-chain>]
+[B<-untrusted> I<filename>]
 [B<-inkey> I<file_or_id>]
 [B<-certfile> I<filename>]
-[B<-untrusted> I<filename>]
 [B<-passcerts> I<arg>]
 [B<-name> I<name>]
 [B<-caname> I<name>]
@@ -231,7 +231,8 @@ Any certificates that are actually part of the chain are added to the output.
 
 =item B<-passcerts> I<arg>
 
-The password source for certificate input such as B<-certfile>.
+The password source for certificate input such as B<-certfile>
+and B<-untrusted>.
 For more information about the format of B<arg>
 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
 
diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c
index 176c159c8c..936faa98b3 100644
--- a/engines/e_loader_attic.c
+++ b/engines/e_loader_attic.c
@@ -322,12 +322,13 @@ static OSSL_STORE_INFO *try_decode_PKCS12(const char *pem_name,
 
             *matchcount = 1;
 
-            if (PKCS12_verify_mac(p12, "", 0)
+            if (!PKCS12_mac_present(p12)
+                || PKCS12_verify_mac(p12, "", 0)
                 || PKCS12_verify_mac(p12, NULL, 0)) {
                 pass = "";
             } else {
                 if ((pass = file_get_pass(ui_method, tpass, PEM_BUFSIZE,
-                                          "PKCS12 import pass phrase", uri,
+                                          "PKCS12 import", uri,
                                           ui_data)) == NULL) {
                     ATTICerr(0, ATTIC_R_PASSPHRASE_CALLBACK_ERROR);
                     goto p12_end;
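Review bot: for input without a MAC this condition selects pass = "", while the matching change in crypto/pkcs12/p12_kiss.c selects pass = NULL for the same situation. No MAC check distinguishes the two here, so either align the two call sites or add a comment explaining why the empty string is the right choice in the loader.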
@@ -1232,10 +1233,13 @@ static OSSL_STORE_INFO *file_load_try_decode(OSSL_STORE_LOADER_CTX *ctx,
                 }
                 if (result == NULL)
                     result = tmp_result;
+                if (result == NULL) /* e.g., PKCS#12 file decryption error */
+                    break;
             }
         }
 
-        if (*matchcount == 1 && matching_handlers[0]->repeatable) {
+        if (result != NULL
+                && *matchcount == 1 && matching_handlers[0]->repeatable) {
             ctx->_.file.last_handler = matching_handlers[0];
             ctx->_.file.last_handler_ctx = handler_ctx;
         }
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 07cd91f196..0f977d7755 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -66,17 +66,19 @@ ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
 ok(run(app(["openssl", "pkcs12", "-noout",
             "-password", "pass:$pass",
             "-in", srctop_file("test", "shibboleth.pfx")])),
-   "test_pkcs12");
+   "test_load_cert_pkcs12");
 
 my @path = qw(test certs);
-my $tmpfile = "tmp.p12";
+my $outfile1 = "out1.p12";
+my $outfile2 = "out2.p12";
+my $outfile3 = "out3.p12";
 
 # Test the -chain option with -untrusted
 ok(run(app(["openssl", "pkcs12", "-export", "-chain",
             "-CAfile",  srctop_file(@path,  "sroot-cert.pem"),
             "-untrusted", srctop_file(@path, "ca-cert.pem"),
             "-in", srctop_file(@path, "ee-cert.pem"),
-            "-nokeys", "-passout", "pass:", "-out", $tmpfile])),
+            "-nokeys", "-passout", "pass:", "-out", $outfile1])),
    "test_pkcs12_chain_untrusted");
 
 # Test the -passcerts option
@@ -85,9 +87,8 @@ ok(run(app(["openssl", "pkcs12", "-export",
             "-certfile", srctop_file(@path, "v3-certs-TDES.p12"),
             "-passcerts", "pass:v3-certs",
             "-nokeys", "-passout", "pass:v3-certs", "-descert",
-            "-out", $tmpfile])),
-   "test_pkcs12_passcert");
-unlink $tmpfile;
+            "-out", $outfile2])),
+   "test_pkcs12_passcerts");
 
 # Test reading legacy PKCS#12 file
 ok(run(app(["openssl", "pkcs12", "-export",
@@ -95,8 +96,7 @@ ok(run(app(["openssl", "pkcs12", "-export",
             "-passin", "pass:v3-certs",
             "-provider", "default", "-provider", "legacy",
             "-nokeys", "-passout", "pass:v3-certs", "-descert",
-            "-out", $tmpfile])),
-   "test_pkcs12_passcert");
-unlink $tmpfile;
+            "-out", $outfile3])),
+   "test_pkcs12_passcerts_legacy");
 
 SetConsoleOutputCP($savedcp) if (defined($savedcp));
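Review bot: the test changes only rename labels and output files; nothing exercises the behaviour added elsewhere in this push (-nomac export, -nomac with -noenc without a password prompt, parsing PKCS#12 input that has no MAC). With the output files now retained, a follow-up case that exports with -nomac and reads the result back with -noout would cover both the apps/pkcs12.c and p12_kiss.c changes.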

