Make sure X509_dup() also dup's any associated EVP_PKEY

Otherwise we can end up with a blank EVP_PKEY. If it is later recreated it can end up with the wrong libctx/propq. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15591)
2025-04-06 20:20:50 +08:00 · 2021-05-27 09:00:47 +01:00 · 2021-05-27 09:00:47 +01:00 · 6282d6c284
commit 6282d6c284
parent c631378058
1 changed files with 17 additions and 0 deletions
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@ -104,6 +104,23 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,

            if (!ossl_x509_set0_libctx(ret, old->libctx, old->propq))
                return 0;
+            if (old->cert_info.key != NULL) {
+                EVP_PKEY *pkey = X509_PUBKEY_get0(old->cert_info.key);
+
+                if (pkey != NULL) {
+                    pkey = EVP_PKEY_dup(pkey);
+                    if (pkey == NULL) {
+                        ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+                        return 0;
+                    }
+                    if (!X509_PUBKEY_set(&ret->cert_info.key, pkey)) {
+                        EVP_PKEY_free(pkey);
+                        ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
+                        return 0;
+                    }
+                    EVP_PKEY_free(pkey);
+                }
+            }
        }
        break;
    default: