From: Dr. David von Oheimb Date: Wed, 12 Aug 2020 16:06:00 +0000 (+0200) Subject: PKCS12_parse(): Fix reversed order of certs parsed and output via *ca X-Git-Tag: openssl-3.0.0-alpha7~560 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fc0aae737eb1cb2d2554caa8bffea80b8cbd38f9;p=thirdparty%2Fopenssl.git PKCS12_parse(): Fix reversed order of certs parsed and output via *ca Fixes #6698 Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12641) --- diff --git a/CHANGES.md b/CHANGES.md index 3ecdd5d99bb..31e183f3959 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -1172,6 +1172,11 @@ OpenSSL 3.0 *Martin Elshuber* + * `PKCS12_parse` now maintains the order of the parsed certificates + when outputting them via `*ca` (rather than reversing it). + + *David von Oheimb* + OpenSSL 1.1.1 ------------- diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c index eaf6501c1c9..4cbf4530ffb 100644 --- a/crypto/pkcs12/p12_kiss.c +++ b/crypto/pkcs12/p12_kiss.c @@ -89,7 +89,7 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, goto err; } - while ((x = sk_X509_pop(ocerts))) { + while ((x = sk_X509_shift(ocerts))) { if (pkey != NULL && *pkey != NULL && cert != NULL && *cert == NULL) { ERR_set_mark();
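Review bot: the new CHANGES.md entry for `PKCS12_parse` states the new order of `*ca` but not what callers have to do about it. Code written against the old behaviour may reverse `*ca` itself to recover the file order, for example before passing the stack on as an untrusted chain, and after this change that compensation silently produces the wrong order. Suggest extending the entry to say that this is a caller-visible behaviour change and that any such reversal must be dropped. The lines shown touch only CHANGES.md and crypto/pkcs12/p12_kiss.c; a regression test that parses a file with several CA certs and asserts the order of `*ca` would pin the behaviour down.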
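Review bot: in the `while ((x = sk_X509_shift(ocerts)))` loop of PKCS12_parse(), replacing pop with shift changes more than the order of `*ca`. The branch that follows is guarded by `cert != NULL && *cert == NULL`, so it is only entered while `*cert` is still unset, which means iteration order also decides which cert reaches that branch first. For a PKCS#12 file that holds more than one cert belonging to the key in `*pkey` (a renewed cert on the same key, say), the cert returned in `*cert` may now differ from what earlier releases returned. Please confirm this is intended, mention it in the commit message or in CHANGES.md next to the `*ca` note, and add a test with two certs for the same key so the selection is fixed by a test rather than by stack order.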