- Prevents creation of duplicate cert entries in PKCS #12 files

Resolves: rhbz#1978670

Signed-off-by: Sahana Prasad <sahana@redhat.com>
This commit is contained in:
Sahana Prasad 2021-07-22 15:38:17 +02:00
parent b7c6b85c95
commit 0b6afca185
2 changed files with 82 additions and 1 deletions

View File

@ -0,0 +1,75 @@
diff -up openssl-3.0.0-beta1/apps/pkcs12.c.dup-pkcs12 openssl-3.0.0-beta1/apps/pkcs12.c
--- openssl-3.0.0-beta1/apps/pkcs12.c.dup-pkcs12 2021-07-22 14:59:14.777544688 +0200
+++ openssl-3.0.0-beta1/apps/pkcs12.c 2021-07-22 15:06:04.768908265 +0200
@@ -571,8 +571,6 @@ int pkcs12_main(int argc, char **argv)
infile);
goto export_end;
}
- } else {
- ee_cert = X509_dup(sk_X509_value(certs, 0)); /* take 1st cert */
}
}
@@ -588,8 +586,13 @@ int pkcs12_main(int argc, char **argv)
int vret;
STACK_OF(X509) *chain2;
X509_STORE *store;
+ X509 *ee_cert_tmp = ee_cert;
- if (ee_cert == NULL) {
+ /* Assume the first cert if we haven't got anything else */
+ if (ee_cert_tmp == NULL && certs != NULL)
+ ee_cert_tmp = sk_X509_value(certs, 0);
+
+ if (ee_cert_tmp == NULL) {
BIO_printf(bio_err,
"No end entity certificate to check with -chain\n");
goto export_end;
@@ -600,7 +603,7 @@ int pkcs12_main(int argc, char **argv)
== NULL)
goto export_end;
- vret = get_cert_chain(ee_cert, store, untrusted_certs, &chain2);
+ vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2);
X509_STORE_free(store);
if (vret == X509_V_OK) {
diff -up openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t.dup-pkcs12 openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t
--- openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t.dup-pkcs12 2021-07-22 15:06:22.715077291 +0200
+++ openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t 2021-07-22 15:17:52.250559784 +0200
@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
}
$ENV{OPENSSL_WIN32_UTF8}=1;
-plan tests => 7;
+plan tests => 10;
# Test different PKCS#12 formats
ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -73,6 +73,7 @@ my @path = qw(test certs);
my $outfile1 = "out1.p12";
my $outfile2 = "out2.p12";
my $outfile3 = "out3.p12";
+my $outfile5 = "out5.p12";
# Test the -chain option with -untrusted
ok(run(app(["openssl", "pkcs12", "-export", "-chain",
@@ -108,4 +109,18 @@ SKIP: {
"test_pkcs12_passcerts_legacy");
}
+ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5,
+ "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname",
+ "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])),
+ "test nokeys single cert");
+
+my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5,
+ "-passin", "pass:"]), capture => 1);
+
+# Test that with one input certificate, we get one output certificate
+ok(grep(/subject=CN = server.example/, @pkcs12info) == 1,
+ "test one cert in output");
+# Test that the expected friendly name is present in the output
+ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
+
SetConsoleOutputCP($savedcp) if (defined($savedcp));

View File

@ -15,7 +15,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 3.0.0
Release: 0.beta1.4%{?dist}
Release: 0.beta1.5%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -58,6 +58,8 @@ Patch17: 0017-use-AI-ADDRCONFIG-explicit-hostname.patch
Patch18: 0018-Fix-crash-BN_lebin2bn.patch
# Temporary dual-ABI build patch
Patch19: 0019-dual-abi.patch
# Prevents creation of duplicate cert entries in PKCS #12 files
Patch20: 0020-no-dup-cert-entries.patch
License: ASL 2.0
URL: http://www.openssl.org/
@ -380,6 +382,10 @@ install -m644 %{SOURCE9} \
%ldconfig_scriptlets libs
%changelog
* Thu Jul 22 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.5
- Prevents creation of duplicate cert entries in PKCS #12 files
- Resolves: rhbz#1978670
* Wed Jul 21 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.4
- NVR bump to update to OpenSSL 3.0 Beta1