forked from rpms/openssl
- Prevents creation of duplicate cert entries in PKCS #12 files
Resolves: rhbz#1978670 Signed-off-by: Sahana Prasad <sahana@redhat.com>
parent
b7c6b85c95
commit
0b6afca185
75
0020-no-dup-cert-entries.patch
Normal file
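--- a/0020-no-dup-cert-entries.patch
+++ b/0020-no-dup-cert-entries.patch
@@ -0,0 +1,75 @@
+diff -up openssl-3.0.0-beta1/apps/pkcs12.c.dup-pkcs12 openssl-3.0.0-beta1/apps/pkcs12.c
+--- openssl-3.0.0-beta1/apps/pkcs12.c.dup-pkcs12 2021-07-22 14:59:14.777544688 +0200
++++ openssl-3.0.0-beta1/apps/pkcs12.c 2021-07-22 15:06:04.768908265 +0200
+@@ -571,8 +571,6 @@ int pkcs12_main(int argc, char **argv)
+infile);
+goto export_end;
+}
+- } else {
+- ee_cert = X509_dup(sk_X509_value(certs, 0)); /* take 1st cert */
+}
+}
+
+@@ -588,8 +586,13 @@ int pkcs12_main(int argc, char **argv)
+int vret;
+STACK_OF(X509) *chain2;
+X509_STORE *store;
++ X509 *ee_cert_tmp = ee_cert;
+
+- if (ee_cert == NULL) {
++ /* Assume the first cert if we haven't got anything else */
++ if (ee_cert_tmp == NULL && certs != NULL)
++ ee_cert_tmp = sk_X509_value(certs, 0);
++
++ if (ee_cert_tmp == NULL) {
+BIO_printf(bio_err,
+"No end entity certificate to check with -chain\n");
+goto export_end;
+@@ -600,7 +603,7 @@ int pkcs12_main(int argc, char **argv)
+== NULL)
+goto export_end;
+
+- vret = get_cert_chain(ee_cert, store, untrusted_certs, &chain2);
++ vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2);
+X509_STORE_free(store);
+
+if (vret == X509_V_OK) {
+diff -up openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t.dup-pkcs12 openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t
+--- openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t.dup-pkcs12 2021-07-22 15:06:22.715077291 +0200
++++ openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t 2021-07-22 15:17:52.250559784 +0200
+@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
+}
+$ENV{OPENSSL_WIN32_UTF8}=1;
+
+-plan tests => 7;
++plan tests => 10;
+
+# Test different PKCS#12 formats
+ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
+@@ -73,6 +73,7 @@ my @path = qw(test certs);
+my $outfile1 = "out1.p12";
+my $outfile2 = "out2.p12";
+my $outfile3 = "out3.p12";
++my $outfile5 = "out5.p12";
+
+# Test the -chain option with -untrusted
+ok(run(app(["openssl", "pkcs12", "-export", "-chain",
+@@ -108,4 +109,18 @@ SKIP: {
+"test_pkcs12_passcerts_legacy");
+}
+
++ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5,
++ "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname",
++ "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])),
++ "test nokeys single cert");
++
++my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5,
++ "-passin", "pass:"]), capture => 1);
++
++# Test that with one input certificate, we get one output certificate
++ok(grep(/subject=CN = server.example/, @pkcs12info) == 1,
++ "test one cert in output");
++# Test that the expected friendly name is present in the output
++ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
++
+SetConsoleOutputCP($savedcp) if (defined($savedcp));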
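Review bot: The two count assertions added at the end of 80-test_pkcs12.t match on the human-readable `-info` text, so the duplicate-entry regression check depends on how the subject line is printed rather than on how many certificates are emitted. In `/subject=CN = server.example/` the `.` is an unescaped metacharacter and the pattern is unanchored, so it can match more than the intended name. Counting PEM headers does not depend on the name format: `ok(grep(/^-----BEGIN CERTIFICATE-----/, @pkcs12info) == 1, "test one cert in output");`, and if the subject check is kept, write it as `server\.example`. The exit status of the `-info` run is not asserted on its own; presumably a failure only shows up as an empty `@pkcs12info`, which makes the resulting test failure harder to read.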
@ -15,7 +15,7 @@
|
||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||
Name: openssl
|
||||
Version: 3.0.0
|
||||
Release: 0.beta1.4%{?dist}
|
||||
Release: 0.beta1.5%{?dist}
|
||||
Epoch: 1
|
||||
# We have to remove certain patented algorithms from the openssl source
|
||||
# tarball with the hobble-openssl script which is included below.
|
||||
@ -58,6 +58,8 @@ Patch17: 0017-use-AI-ADDRCONFIG-explicit-hostname.patch
|
||||
Patch18: 0018-Fix-crash-BN_lebin2bn.patch
|
||||
# Temporary dual-ABI build patch
|
||||
Patch19: 0019-dual-abi.patch
|
||||
# Prevents creation of duplicate cert entries in PKCS #12 files
|
||||
Patch20: 0020-no-dup-cert-entries.patch
|
||||
|
||||
License: ASL 2.0
|
||||
URL: http://www.openssl.org/
|
||||
@ -380,6 +382,10 @@ install -m644 %{SOURCE9} \
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%changelog
|
||||
* Thu Jul 22 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.5
|
||||
- Prevents creation of duplicate cert entries in PKCS #12 files
|
||||
- Resolves: rhbz#1978670
|
||||
|
||||
* Wed Jul 21 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.4
|
||||
- NVR bump to update to OpenSSL 3.0 Beta1
|
||||
|
||||
|