- Prevents creation of duplicate cert entries in PKCS #12 files
Resolves: rhbz#1978670 Signed-off-by: Sahana Prasad <sahana@redhat.com>
parent
b7c6b85c95
commit
0b6afca185
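--- a/0020-no-dup-cert-entries.patch
+++ b/0020-no-dup-cert-entries.patch
@@ -0,0 +1,75 @@
+diff -up openssl-3.0.0-beta1/apps/pkcs12.c.dup-pkcs12 openssl-3.0.0-beta1/apps/pkcs12.c
+--- openssl-3.0.0-beta1/apps/pkcs12.c.dup-pkcs12 2021-07-22 14:59:14.777544688 +0200
++++ openssl-3.0.0-beta1/apps/pkcs12.c 2021-07-22 15:06:04.768908265 +0200
+@@ -571,8 +571,6 @@ int pkcs12_main(int argc, char **argv)
+infile);
+goto export_end;
+}
+- } else {
+- ee_cert = X509_dup(sk_X509_value(certs, 0)); /* take 1st cert */
+}
+}
+
+@@ -588,8 +586,13 @@ int pkcs12_main(int argc, char **argv)
+int vret;
+STACK_OF(X509) *chain2;
+X509_STORE *store;
++ X509 *ee_cert_tmp = ee_cert;
+
+- if (ee_cert == NULL) {
++ /* Assume the first cert if we haven't got anything else */
++ if (ee_cert_tmp == NULL && certs != NULL)
++ ee_cert_tmp = sk_X509_value(certs, 0);
++
++ if (ee_cert_tmp == NULL) {
+BIO_printf(bio_err,
+"No end entity certificate to check with -chain\n");
+goto export_end;
+@@ -600,7 +603,7 @@ int pkcs12_main(int argc, char **argv)
+== NULL)
+goto export_end;
+
+- vret = get_cert_chain(ee_cert, store, untrusted_certs, &chain2);
++ vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2);
+X509_STORE_free(store);
+
+if (vret == X509_V_OK) {
+diff -up openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t.dup-pkcs12 openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t
+--- openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t.dup-pkcs12 2021-07-22 15:06:22.715077291 +0200
++++ openssl-3.0.0-beta1/test/recipes/80-test_pkcs12.t 2021-07-22 15:17:52.250559784 +0200
+@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
+}
+$ENV{OPENSSL_WIN32_UTF8}=1;
+
+-plan tests => 7;
++plan tests => 10;
+
+# Test different PKCS#12 formats
+ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
+@@ -73,6 +73,7 @@ my @path = qw(test certs);
+my $outfile1 = "out1.p12";
+my $outfile2 = "out2.p12";
+my $outfile3 = "out3.p12";
++my $outfile5 = "out5.p12";
+
+# Test the -chain option with -untrusted
+ok(run(app(["openssl", "pkcs12", "-export", "-chain",
+@@ -108,4 +109,18 @@ SKIP: {
+"test_pkcs12_passcerts_legacy");
+}
+
++ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5,
++ "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname",
++ "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])),
++ "test nokeys single cert");
++
++my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5,
++ "-passin", "pass:"]), capture => 1);
++
++# Test that with one input certificate, we get one output certificate
++ok(grep(/subject=CN = server.example/, @pkcs12info) == 1,
++ "test one cert in output");
++# Test that the expected friendly name is present in the output
++ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output");
++
+SetConsoleOutputCP($savedcp) if (defined($savedcp));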
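Review bot: The added test in `80-test_pkcs12.t` runs only the plain `-export -nokeys` path, so the `ee_cert_tmp` fallback introduced inside the `-chain` block of `pkcs12_main` (the hunks at -588 and -600) does not appear to be exercised by any new case. A regression in which certificate gets chain-verified when no key is supplied would therefore pass unnoticed. A further case that adds `-chain` to the same `-nokeys` invocation, reusing the CA and untrusted inputs of the existing `-chain` test, and again asserts exactly one `subject=` line for the end-entity certificate would cover it, with the `plan tests` count raised to match. The `.` in `/subject=CN = server.example/` is also an unescaped wildcard; `/subject=CN = server\.example/` pins the match to the intended subject. Both `pkcs12_main` and the test script continue outside the hunks shown, so the enclosing `if`/`else` around the removed `X509_dup` call is inferred from context.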
@ -15,7 +15,7 @@
|
|||||||
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
Summary: Utilities from the general purpose cryptography library with TLS implementation
|
||||||
Name: openssl
|
Name: openssl
|
||||||
Version: 3.0.0
|
Version: 3.0.0
|
||||||
Release: 0.beta1.4%{?dist}
|
Release: 0.beta1.5%{?dist}
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
# We have to remove certain patented algorithms from the openssl source
|
# We have to remove certain patented algorithms from the openssl source
|
||||||
# tarball with the hobble-openssl script which is included below.
|
# tarball with the hobble-openssl script which is included below.
|
||||||
@ -58,6 +58,8 @@ Patch17: 0017-use-AI-ADDRCONFIG-explicit-hostname.patch
|
|||||||
Patch18: 0018-Fix-crash-BN_lebin2bn.patch
|
Patch18: 0018-Fix-crash-BN_lebin2bn.patch
|
||||||
# Temporary dual-ABI build patch
|
# Temporary dual-ABI build patch
|
||||||
Patch19: 0019-dual-abi.patch
|
Patch19: 0019-dual-abi.patch
|
||||||
|
# Prevents creation of duplicate cert entries in PKCS #12 files
|
||||||
|
Patch20: 0020-no-dup-cert-entries.patch
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: http://www.openssl.org/
|
URL: http://www.openssl.org/
|
||||||
@ -380,6 +382,10 @@ install -m644 %{SOURCE9} \
|
|||||||
%ldconfig_scriptlets libs
|
%ldconfig_scriptlets libs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jul 22 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.5
|
||||||
|
- Prevents creation of duplicate cert entries in PKCS #12 files
|
||||||
|
- Resolves: rhbz#1978670
|
||||||
|
|
||||||
* Wed Jul 21 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.4
|
* Wed Jul 21 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.4
|
||||||
- NVR bump to update to OpenSSL 3.0 Beta1
|
- NVR bump to update to OpenSSL 3.0 Beta1
|
||||||
|
|
||||||
|