From c3f8e83069ea6ec59a21fa209c108f58a6f557d8 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Wed, 12 Nov 2025 16:49:04 +0100
Subject: [PATCH] Add safety checks to PKCS12_SAFEBAG_get0_bag*() functions

Fixes #26655

Reviewed-by: Paul Dale
Reviewed-by: Dmitry Belyavskiy
(Merged from https://github.com/openssl/openssl/pull/29128)

(cherry picked from commit 7776744a5912ac9346bf04bf60570b149243eb33)
---
 crypto/pkcs12/p12_sbag.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c
index 04ef0b74ede..c7ecfb24391 100644
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@@ -74,11 +74,20 @@ int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag)

 const ASN1_OBJECT *PKCS12_SAFEBAG_get0_bag_type(const PKCS12_SAFEBAG *bag)
 {
+ int btype = PKCS12_SAFEBAG_get_nid(bag);
+
+ if (btype != NID_certBag && btype != NID_crlBag && btype != NID_secretBag)
+ return NULL;
 return bag->value.bag->type;
 }

 const ASN1_TYPE *PKCS12_SAFEBAG_get0_bag_obj(const PKCS12_SAFEBAG *bag)
 {
+ int vtype = PKCS12_SAFEBAG_get_bag_nid(bag);
+
+ if (vtype == -1 || vtype == NID_x509Certificate || vtype == NID_x509Crl
+ || vtype == NID_sdsiCertificate)
+ return NULL;
 return bag->value.bag->value.other;
 }

--
2.47.3
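Review bot: The guard in `PKCS12_SAFEBAG_get0_bag_obj` is a deny-list (`NID_x509Certificate`, `NID_x509Crl`, `NID_sdsiCertificate`), so it stays correct only while every other value type is stored in `value.other`, and nothing in the hunk records that invariant. A comment above the check, for example `/* value.other is only valid for value types that have no dedicated union member */`, would make the dependency on the bag's ASN.1 template visible to whoever adds the next value type. Both accessors can now return NULL for a well-formed bag of the wrong type, so their documentation should say so and callers should check the result before dereferencing it. The diffstat lists only this one file, so a regression test that calls both functions on a non-matching bag (such as a key bag) and expects NULL appears to be missing. Neither function checks `bag` or `bag->value.bag` for NULL; whether that can occur for a decoded bag is not visible from this hunk.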