From: Matt Caswell
Date: Mon, 5 Jul 2021 16:19:59 +0000 (+0100)
Subject: Don't add the first pkcs12 certificate multiple times
X-Git-Tag: openssl-3.0.0-beta2~95
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be618c7cc18ab0cbaf0538128705de7f60975ad7;p=thirdparty%2Fopenssl.git

Don't add the first pkcs12 certificate multiple times

This fixes a regression introduced by commit 1d6c867. When exporting a set of certificates to a PKCS12 file we shouldn't add the first one twice. Also we restore historic behaviour with respect to the canames option where we have no ee certificate with key.

Fixes #15983

Reviewed-by: David von Oheimb
Reviewed-by: Tim Hudson
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/16001)
---

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 1234a698922..d745df84943 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -571,8 +571,6 @@ int pkcs12_main(int argc, char **argv)
 infile);
 goto export_end;
 }
- } else {
- ee_cert = X509_dup(sk_X509_value(certs, 0)); /* take 1st cert */
 }
 }
 
@@ -588,8 +586,13 @@ int pkcs12_main(int argc, char **argv)
 int vret;
 STACK_OF(X509) *chain2;
 X509_STORE *store;
+ X509 *ee_cert_tmp = ee_cert;
+
+ /* Assume the first cert if we haven't got anything else */
+ if (ee_cert_tmp == NULL && certs != NULL)
+ ee_cert_tmp = sk_X509_value(certs, 0);
 
- if (ee_cert == NULL) {
+ if (ee_cert_tmp == NULL) {
 BIO_printf(bio_err,
 "No end entity certificate to check with -chain\n");
 goto export_end;
@@ -600,7 +603,7 @@ int pkcs12_main(int argc, char **argv)
 == NULL)
 goto export_end;
 
- vret = get_cert_chain(ee_cert, store, untrusted_certs, &chain2);
+ vret = get_cert_chain(ee_cert_tmp, store, untrusted_certs, &chain2);
 X509_STORE_free(store);
 
 if (vret == X509_V_OK) {
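Review bot: The new `ee_cert_tmp` in the -chain block of the second hunk aliases either `ee_cert` or the first element of `certs` without any `X509_dup`/up-ref, so it is a borrowed pointer that must not be freed or stored anywhere that outlives `certs`, but the comment above it only says it falls back to the first cert. Extending it to `/* Borrowed: ee_cert or certs[0], owned elsewhere -- never free. Leaving ee_cert itself NULL is what stops the first cert being added twice. */` makes the ownership explicit for the `get_cert_chain(ee_cert_tmp, ...)` call in the third hunk. Because `ee_cert` is now left NULL when no key is supplied (the first hunk removes the old `X509_dup` fallback), any later use of `ee_cert` in pkcs12_main outside these hunks presumably has to tolerate NULL; the commit message says that is the intended canames behaviour, but it is worth confirming against the rest of the function. pkcs12_main starts and ends outside the hunks shown.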