[openssl] master update
Dr. Paul Dale
pauli at openssl.org
Fri Jul 9 00:25:54 UTC 2021
The branch master has been updated
via 35258435ddc9a1afe7da0a1de78607bd3cbf837a (commit)
via be618c7cc18ab0cbaf0538128705de7f60975ad7 (commit)
from 5c8c2e6b484d5845cc26a0b634c872e2d102037a (commit)
- Log -----------------------------------------------------------------
commit 35258435ddc9a1afe7da0a1de78607bd3cbf837a
Author: Matt Caswell <matt at openssl.org>
Date: Tue Jul 6 11:31:28 2021 +0100
Add a PKCS12 test to check with one input cert we get one output cert
Following on from the regression in issue #15983, add a test that with
one input cert, we get one cert in the pkcs12 file, and that it has the
expected friendlyName.
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16001)
commit be618c7cc18ab0cbaf0538128705de7f60975ad7
Author: Matt Caswell <matt at openssl.org>
Date: Mon Jul 5 17:19:59 2021 +0100
Don't add the first pkcs12 certificate multiple times
This fixes a regression introduced by commit 1d6c867. When exporting a set
of certificates to a PKCS12 file we shouldn't add the first one twice. Also
we restore historic behaviour with respect to the canames option where we
have no ee certificate with key.
Fixes #15983
Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
Reviewed-by: Tim Hudson <tjh at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16001)
-----------------------------------------------------------------------
Summary of changes:
apps/pkcs12.c | 11 +++++++----
test/recipes/80-test_pkcs12.t | 16 +++++++++++++++-
2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 1234a69892..d745df8494 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -571,8 +571,6 @@ int pkcs12_main(int argc, char **argv)
infile);
goto export_end;
}
- } else {
- ee_cert = X509_dup(sk_X509_value(certs, 0)); /* take 1st cert */
}
}
@@ -588,8 +586,13 @@ int pkcs12_main(int argc, char **argv)
int vret;
STACK_OF(X509) *chain2;
X509_STORE *store;
+ X509 *ee_cert_tmp = ee_cert;
+
+ /* Assume the first cert if we haven't got anything else */
+ if (ee_cert_tmp == NULL && certs != NULL)
+ ee_cert_tmp = sk_X509_value(certs, 0);
- if (ee_cert == NULL) {
+ if (ee_cert_tmp == NULL) {
BIO_printf(bio_err,
"No end entity certificate to check with -chain\n");
goto export_end;
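Review bot: `ee_cert_tmp` can now hold either the owned `ee_cert` or an element borrowed from `certs` through `sk_X509_value()`, and nothing in the added lines records that difference in ownership. The existing comment only explains the fallback, so I would extend it to something like `/* ee_cert_tmp is a borrowed reference (ee_cert or certs[0]); never free it */`, which guards against a later change adding an `X509_free()` that double-frees the stack entry. An empty `certs` stack is handled, because `sk_X509_value()` returns NULL there and the following check catches it. `pkcs12_main` starts and ends outside the hunk, so the cleanup at `export_end` is not visible here; presumably it releases only `ee_cert` and the stack.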
@@ -600,7 +603,7 @@ int pkcs12_main(int argc, char **argv)
== NULL)
goto export_end;
- vret = get_cert_chain(ee_cert, store, untrusted_certs, &chain2);
+ vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2);
X509_STORE_free(store);
if (vret == X509_V_OK) {
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 52c70cb0f7..1f0cb4d501 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
}
$ENV{OPENSSL_WIN32_UTF8}=1;
-plan tests => 10;
+plan tests => 13;
# Test different PKCS#12 formats
ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -79,6 +79,7 @@ my $outfile1 = "out1.p12";
my $outfile2 = "out2.p12";
my $outfile3 = "out3.p12";
my $outfile4 = "out4.p12";
+my $outfile5 = "out5.p12";
# Test the -chain option with -untrusted
ok(run(app(["openssl", "pkcs12", "-export", "-chain",
@@ -133,5 +134,18 @@ ok(run(app(["openssl", "pkcs12",
"-nomacver", "-nodes"])),
"test_import_pkcs12_cert_key_cert");
+ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5,
+ "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname",
+ "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])),
+ "test nokeys single cert");
+
+my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5,
+ "-passin", "pass:"]), capture => 1);
+
+# Test that with one input certificate, we get one output certificate
+ok(grep(/subject=CN = server.example/, @pkcs12info) == 1,
+ "test one cert in output");
+# Test that the expected friendly name is present in the output
+ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
SetConsoleOutputCP($savedcp) if (defined($savedcp));
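Review bot: The two count checks on `@pkcs12info` match more loosely than the regression they guard: `/subject=CN = server.example/` leaves the `.` unescaped, and `/testname/` matches that string on any line of the `-info` output, not only in the friendlyName attribute. I would tighten them to `grep(/subject=CN = server\.example/, @pkcs12info) == 1` and `grep(/friendlyName: testname/, @pkcs12info) == 1`, after confirming the exact attribute line that `pkcs12 -info` prints. The captured `run(...)` is also never checked for success on its own, so a failing `-info` call surfaces only as a count mismatch. A short comment above the capture saying that the empty `pass:` password and `-certpbe NONE` are there so the certificate can be listed without a key would help the next reader.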