The branch master has been updated via 35258435ddc9a1afe7da0a1de78607bd3cbf837a (commit) via be618c7cc18ab0cbaf0538128705de7f60975ad7 (commit) from 5c8c2e6b484d5845cc26a0b634c872e2d102037a (commit)
- Log ----------------------------------------------------------------- commit 35258435ddc9a1afe7da0a1de78607bd3cbf837a Author: Matt Caswell <m...@openssl.org> Date: Tue Jul 6 11:31:28 2021 +0100 Add a PKCS12 test to check with one input cert we get one output cert Following on from the regression in issue #15983, add a test that with one input cert, we get one cert in the pkcs12 file, and that it has the expected friendlyName. Reviewed-by: David von Oheimb <david.von.ohe...@siemens.com> Reviewed-by: Tim Hudson <t...@openssl.org> Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16001) commit be618c7cc18ab0cbaf0538128705de7f60975ad7 Author: Matt Caswell <m...@openssl.org> Date: Mon Jul 5 17:19:59 2021 +0100 Don't add the first pkcs12 certificate multiple times This fixes a regression introduced by commit 1d6c867. When exporting a set of certificates to a PKCS12 file we shouldn't add the first one twice. Also we restore historic behaviour with respect to the canames option where we have no ee certificate with key. Fixes #15983 Reviewed-by: David von Oheimb <david.von.ohe...@siemens.com> Reviewed-by: Tim Hudson <t...@openssl.org> Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16001) ----------------------------------------------------------------------- Summary of changes: apps/pkcs12.c | 11 +++++++---- test/recipes/80-test_pkcs12.t | 16 +++++++++++++++- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 1234a69892..d745df8494 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -571,8 +571,6 @@ int pkcs12_main(int argc, char **argv) infile); goto export_end; } - } else { - ee_cert = X509_dup(sk_X509_value(certs, 0)); /* take 1st cert */ } } 
@@ -588,8 +586,13 @@ int pkcs12_main(int argc, char **argv) int vret; STACK_OF(X509) *chain2; X509_STORE *store; + X509 *ee_cert_tmp = ee_cert; + + /* Assume the first cert if we haven't got anything else */ + if (ee_cert_tmp == NULL && certs != NULL) + ee_cert_tmp = sk_X509_value(certs, 0); - if (ee_cert == NULL) { + if (ee_cert_tmp == NULL) { BIO_printf(bio_err, "No end entity certificate to check with -chain\n"); goto export_end; @@ -600,7 +603,7 @@ int pkcs12_main(int argc, char **argv) == NULL) goto export_end; - vret = get_cert_chain(ee_cert, store, untrusted_certs, &chain2); + vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2); X509_STORE_free(store); if (vret == X509_V_OK) { diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t index 52c70cb0f7..1f0cb4d501 100644 --- a/test/recipes/80-test_pkcs12.t +++ b/test/recipes/80-test_pkcs12.t @@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) { } $ENV{OPENSSL_WIN32_UTF8}=1; -plan tests => 10; +plan tests => 13; # Test different PKCS#12 formats ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats"); @@ -79,6 +79,7 @@ my $outfile1 = "out1.p12"; my $outfile2 = "out2.p12"; my $outfile3 = "out3.p12"; my $outfile4 = "out4.p12"; +my $outfile5 = "out5.p12"; # Test the -chain option with -untrusted ok(run(app(["openssl", "pkcs12", "-export", "-chain", 
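Review bot: In the `-chain` block, `ee_cert_tmp` aliases either `ee_cert` or element 0 of `certs` without taking a reference, whereas the removed fallback made an owned copy with `X509_dup`. Nothing in the new code tells a later maintainer that this pointer must not be freed. I would extend the comment to `/* Assume the first cert if we haven't got anything else (borrowed from certs, do not free) */`. When no key-matched certificate exists, the chain is built for whichever certificate comes first in the input, so the `-chain` result depends on file order; that is worth a word in the same comment. The rest of `pkcs12_main` is outside the hunk, so any later code that expected `ee_cert` to be non-NULL on this path should be checked; the `get_cert_chain(ee_cert_tmp, ...)` call in the following hunk is the only use visible here.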
@@ -133,5 +134,18 @@ ok(run(app(["openssl", "pkcs12", "-nomacver", "-nodes"])), "test_import_pkcs12_cert_key_cert"); +ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile5, + "-in", srctop_file(@path, "ee-cert.pem"), "-caname", "testname", + "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])), + "test nokeys single cert"); + +my @pkcs12info = run(app(["openssl", "pkcs12", "-info", "-in", $outfile5, + "-passin", "pass:"]), capture => 1); + +# Test that with one input certificate, we get one output certificate +ok(grep(/subject=CN = server.example/, @pkcs12info) == 1, + "test one cert in output"); +# Test that the expected friendly name is present in the output +ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output"); SetConsoleOutputCP($savedcp) if (defined($savedcp));
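Review bot: The "one cert in output" assertion counts only lines matching `/subject=CN = server.example/`, so an unexpected extra certificate with a different subject in `out5.p12` would still pass. Counting every subject line, `ok(grep(/subject=/, @pkcs12info) == 1, "test one cert in output");`, pins the property stated in the comment above it. The current pattern also leaves `.` unescaped and depends on the exact `CN = ` spacing of the name printer, so it may break if the default name format changes; `server\.example` with looser spacing would be less brittle. The captured `-info` run is not itself checked for success, so a failed import shows up only indirectly as a count mismatch.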