From fc0aae737eb1cb2d2554caa8bffea80b8cbd38f9 Mon Sep 17 00:00:00 2001
From: "Dr. David von Oheimb"
Date: Wed, 12 Aug 2020 18:06:00 +0200
Subject: [PATCH] PKCS12_parse(): Fix reversed order of certs parsed and output via *ca
Fixes #6698
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/12641)
---
 CHANGES.md | 5 +++++
 crypto/pkcs12/p12_kiss.c | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/CHANGES.md b/CHANGES.md
index 3ecdd5d99bb..31e183f3959 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1172,6 +1172,11 @@ OpenSSL 3.0
 *Martin Elshuber*
+ * `PKCS12_parse` now maintains the order of the parsed certificates
+ when outputting them via `*ca` (rather than reversing it).
+
+ *David von Oheimb*
+
 OpenSSL 1.1.1
 -------------
diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
index eaf6501c1c9..4cbf4530ffb 100644
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -89,7 +89,7 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
 goto err;
 }
- while ((x = sk_X509_pop(ocerts))) {
+ while ((x = sk_X509_shift(ocerts))) {
 if (pkey != NULL && *pkey != NULL && cert != NULL && *cert == NULL) {
 ERR_set_mark();
--
2.47.2
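Review bot: The pop-to-shift switch in the `while` loop of PKCS12_parse() also changes which certificate can end up in `*cert`, which neither the commit message nor the CHANGES entry mentions. The guard `cert != NULL && *cert == NULL` directly below the loop header suggests that the first suitable certificate visited is the one stored, so a file carrying more than one certificate for the same key would presumably now yield the earliest one in file order instead of the latest. If that reading is right, the CHANGES note should say so, and a comment above the loop such as `/* Visit certs front to back: *ca keeps file order and the first cert matching *pkey becomes *cert */` would record the intent for callers that pin or validate the returned certificate. The diffstat shows no test or man page change, so a regression test asserting the order of `*ca` and the choice of `*cert` would keep this from silently flipping back. The loop body continues beyond the hunk, so the selection logic itself is not visible here.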