[openssl] master update

Dr. Paul Dale pauli at openssl.org
Fri Jul 9 00:25:54 UTC 2021


The branch master has been updated
       via  35258435ddc9a1afe7da0a1de78607bd3cbf837a (commit)
       via  be618c7cc18ab0cbaf0538128705de7f60975ad7 (commit)
      from  5c8c2e6b484d5845cc26a0b634c872e2d102037a (commit)


- Log -----------------------------------------------------------------
commit 35258435ddc9a1afe7da0a1de78607bd3cbf837a
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Jul 6 11:31:28 2021 +0100

    Add a PKCS12 test to check with one input cert we get one output cert
    
    Following on from the regression in issue #15983, add a test that with
    one input cert, we get one cert in the pkcs12 file, and that it has the
    expected friendlyName.
    
    Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16001)

commit be618c7cc18ab0cbaf0538128705de7f60975ad7
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Jul 5 17:19:59 2021 +0100

    Don't add the first pkcs12 certificate multiple times
    
    This fixes a regression introduced by commit 1d6c867. When exporting a set
    of certificates to a PKCS12 file we shouldn't add the first one twice. Also
    we restore historic behaviour with respect to the canames option where we
    have no ee certificate with key.
    
    Fixes #15983
    
    Reviewed-by: David von Oheimb <david.von.oheimb at siemens.com>
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/16001)

-----------------------------------------------------------------------

Summary of changes:
 apps/pkcs12.c                 | 11 +++++++----
 test/recipes/80-test_pkcs12.t | 16 +++++++++++++++-
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 1234a69892..d745df8494 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -571,8 +571,6 @@ int pkcs12_main(int argc, char **argv)
                                infile);
                     goto export_end;
                 }
-            } else {
-                ee_cert = X509_dup(sk_X509_value(certs, 0)); /* take 1st cert */
             }
         }
 
@@ -588,8 +586,13 @@ int pkcs12_main(int argc, char **argv)
             int vret;
             STACK_OF(X509) *chain2;
             X509_STORE *store;
+            X509 *ee_cert_tmp = ee_cert;
+
+            /* Assume the first cert if we haven't got anything else */
+            if (ee_cert_tmp == NULL && certs != NULL)
+                ee_cert_tmp = sk_X509_value(certs, 0);
 
-            if (ee_cert == NULL) {
+            if (ee_cert_tmp == NULL) {
                 BIO_printf(bio_err,
                            "No end entity certificate to check with -chain\n");
                 goto export_end;
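Review bot: `ee_cert_tmp` is a non-owning alias, pointing either at `ee_cert` or at the first element still held by `certs`, and nothing at its declaration records that. The code removed in the previous hunk made an owned copy with `X509_dup()`, so a later edit could plausibly add a free of the new pointer and cause a double free. Extending the comment to `/* Assume the first cert if we haven't got anything else; borrowed from certs, do not free */` would make the ownership explicit. `pkcs12_main` begins and ends outside this hunk, so the cleanup at `export_end` is not visible here.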
@@ -600,7 +603,7 @@ int pkcs12_main(int argc, char **argv)
                     == NULL)
                 goto export_end;
 
-            vret = get_cert_chain(ee_cert, store, untrusted_certs, &chain2);
+            vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2);
             X509_STORE_free(store);
 
             if (vret == X509_V_OK) {
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 52c70cb0f7..1f0cb4d501 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
 }
 $ENV{OPENSSL_WIN32_UTF8}=1;
 
-plan tests => 10;
+plan tests => 13;
 
 # Test different PKCS#12 formats
 ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -79,6 +79,7 @@ my $outfile1 = "out1.p12";
 my $outfile2 = "out2.p12";
 my $outfile3 = "out3.p12";
 my $outfile4 = "out4.p12";
+my $outfile5 = "out5.p12";
 
 # Test the -chain option with -untrusted
 ok(run(app(["openssl", "pkcs12", "-export", "-chain",
@@ -133,5 +134,18 @@ ok(run(app(["openssl", "pkcs12",
             "-nomacver", "-nodes"])),
   "test_import_pkcs12_cert_key_cert");
 
+ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5,
+            "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname",
+            "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])),
+   "test nokeys single cert");
+
+my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5,
+                          "-passin", "pass:"]), capture => 1);
+
+# Test that with one input certificate, we get one output certificate
+ok(grep(/subject=CN = server.example/, @pkcs12info) == 1,
+   "test one cert in output");
+# Test that the expected friendly name is present in the output
+ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
 
 SetConsoleOutputCP($savedcp) if (defined($savedcp));
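Review bot: The two `grep` patterns are looser than the assertions they stand for. In `/subject=CN = server.example/` the `.` matches any character, and `/testname/` passes if the string appears anywhere in the `-info` output rather than only as the friendly name. Escaping the dot (`/subject=CN = server\.example/`) and matching the attribute label, e.g. `/friendlyName: testname/` (assuming that is how `pkcs12 -info` prints the bag attribute), would pin the test to what its comments describe. The added case also runs `-nokeys` without `-chain`, so the first-certificate fallback added to the `-chain` branch of `apps/pkcs12.c` does not appear to be exercised by this test.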

