This fixes a regression introduced by commit
1d6c867. When exporting a set
of certificates to a PKCS12 file we shouldn't add the first one twice. Also
we restore historic behaviour with respect to the canames option where we
have no ee certificate with key.
Fixes #15983
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16001)
infile);
goto export_end;
}
- } else {
- ee_cert = X509_dup(sk_X509_value(certs, 0)); /* take 1st cert */
}
}
int vret;
STACK_OF(X509) *chain2;
X509_STORE *store;
+ X509 *ee_cert_tmp = ee_cert;
+
+ /* Assume the first cert if we haven't got anything else */
+ if (ee_cert_tmp == NULL && certs != NULL)
+ ee_cert_tmp = sk_X509_value(certs, 0);
- if (ee_cert == NULL) {
+ if (ee_cert_tmp == NULL) {
BIO_printf(bio_err,
"No end entity certificate to check with -chain\n");
goto export_end;
== NULL)
goto export_end;
- vret = get_cert_chain(ee_cert, store, untrusted_certs, &chain2);
+ vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2);
X509_STORE_free(store);
if (vret == X509_V_OK) {