From b3c5aadf4ce3dc2207cc605726bf370a55b531c9 Mon Sep 17 00:00:00 2001 From: "Dr. David von Oheimb" Date: Fri, 14 Aug 2020 21:58:34 +0200 Subject: [PATCH] apps: make use of OSSL_STORE for generalized certs and CRLs loading Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/12647) --- apps/ca.c | 2 +- apps/cmp.c | 144 +++------------------- apps/cms.c | 3 +- apps/include/apps.h | 9 +- apps/lib/apps.c | 197 ++++++++++++------------------- apps/lib/s_cb.c | 3 +- apps/ocsp.c | 11 +- apps/pkcs12.c | 21 +++- apps/s_client.c | 3 +- apps/s_server.c | 4 +- apps/smime.c | 3 +- apps/verify.c | 8 +- doc/man1/openssl-ca.pod.in | 5 +- doc/man1/openssl-cmp.pod.in | 12 +- doc/man1/openssl-cms.pod.in | 1 + doc/man1/openssl-ocsp.pod.in | 12 +- doc/man1/openssl-pkcs12.pod.in | 23 +++- doc/man1/openssl-s_client.pod.in | 3 +- doc/man1/openssl-s_server.pod.in | 6 +- doc/man1/openssl-smime.pod.in | 1 + doc/man1/openssl-verify.pod.in | 7 +- test/certs/v3-certs-RC2.p12 | Bin 0 -> 1568 bytes test/certs/v3-certs-TDES.p12 | Bin 0 -> 1568 bytes test/recipes/80-test_pkcs12.t | 25 +++- 24 files changed, 194 insertions(+), 309 deletions(-) create mode 100644 test/certs/v3-certs-RC2.p12 create mode 100644 test/certs/v3-certs-TDES.p12 diff --git a/apps/ca.c b/apps/ca.c index fef0b82c39..2c60715531 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -214,7 +214,7 @@ const OPTIONS ca_options[] = { OPT_SECTION("Signing"), {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"}, - {"keyfile", OPT_KEYFILE, 's', "Private key"}, + {"keyfile", OPT_KEYFILE, 's', "The CA private key"}, {"keyform", OPT_KEYFORM, 'f', "Private key file format (ENGINE, other values ignored)"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"}, diff --git a/apps/cmp.c b/apps/cmp.c index b2afbf64e8..350aa22628 100644 --- a/apps/cmp.c +++ b/apps/cmp.c @@ -138,8 +138,6 @@ static char *opt_certform_s = "PEM"; static int opt_certform = FORMAT_PEM; static char *opt_keyform_s = "PEM"; static int opt_keyform = FORMAT_PEM; -static char *opt_certsform_s = "PEM"; -static int opt_certsform = FORMAT_PEM; static char *opt_otherpass = NULL; static char *opt_engine = NULL; @@ -222,7 +220,7 @@ typedef enum OPTION_choice { OPT_DIGEST, OPT_MAC, OPT_EXTRACERTS, OPT_UNPROTECTED_REQUESTS, - OPT_CERTFORM, OPT_KEYFORM, OPT_CERTSFORM, + OPT_CERTFORM, OPT_KEYFORM, OPT_OTHERPASS, #ifndef OPENSSL_NO_ENGINE OPT_ENGINE, @@ -394,12 +392,8 @@ const OPTIONS cmp_options[] = { OPT_SECTION("Credentials format"), {"certform", OPT_CERTFORM, 's', "Format (PEM or DER) to use when saving a certificate to a file. Default PEM"}, - {OPT_MORE_STR, 0, 0, - "This also determines format to use for writing (not supported for P12)"}, {"keyform", OPT_KEYFORM, 's', - "Format to assume when reading key files. Default PEM"}, - {"certsform", OPT_CERTSFORM, 's', - "Format (PEM/DER/P12) to try first reading multiple certs. Default PEM"}, + "Format of the key input (ENGINE, other values ignored)"}, {"otherpass", OPT_OTHERPASS, 's', "Pass phrase source potentially needed for loading certificates of others"}, #ifndef OPENSSL_NO_ENGINE @@ -540,7 +534,7 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */ {&opt_digest}, {&opt_mac}, {&opt_extracerts}, {(char **)&opt_unprotected_requests}, - {&opt_certform_s}, {&opt_keyform_s}, {&opt_certsform_s}, + {&opt_certform_s}, {&opt_keyform_s}, {&opt_otherpass}, #ifndef OPENSSL_NO_ENGINE {&opt_engine}, @@ -642,51 +636,6 @@ static X509 *load_cert_pwd(const char *uri, const char *pass, const char *desc) return cert; } -/* TODO remove when PR #4930 is merged */ -static int load_pkcs12(BIO *in, const char *desc, - pem_password_cb *pem_cb, void *cb_data, - EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca) -{ - const char *pass; - char tpass[PEM_BUFSIZE]; - int len; - int ret = 0; - PKCS12 *p12 = d2i_PKCS12_bio(in, NULL); - - if (desc == NULL) - desc = "PKCS12 input"; - if (p12 == NULL) { - BIO_printf(bio_err, "error loading PKCS12 file for %s\n", desc); - goto die; - } - - /* See if an empty password will do */ - if (PKCS12_verify_mac(p12, "", 0) || PKCS12_verify_mac(p12, NULL, 0)) { - pass = ""; - } else { - if (pem_cb == NULL) - pem_cb = wrap_password_callback; - len = pem_cb(tpass, PEM_BUFSIZE, 0, cb_data); - if (len < 0) { - BIO_printf(bio_err, "passphrase callback error for %s\n", desc); - goto die; - } - if (len < PEM_BUFSIZE) - tpass[len] = 0; - if (!PKCS12_verify_mac(p12, tpass, len)) { - BIO_printf(bio_err, - "mac verify error (wrong password?) in PKCS12 file for %s\n", - desc); - goto die; - } - pass = tpass; - } - ret = PKCS12_parse(p12, pass, pkey, cert, ca); - die: - PKCS12_free(p12); - return ret; -} - /* TODO potentially move this and related functions to apps/lib/apps.c */ static int adjust_format(const char **infile, int format, int engine_ok) { @@ -752,47 +701,6 @@ static X509_REQ *load_csr_autofmt(const char *infile, const char *desc) return csr; } -/* TODO replace by calling generalized load_certs() when PR #4930 is merged */ -static int load_certs_preliminary(const char *file, STACK_OF(X509) **certs, - int format, const char *pass, - const char *desc) -{ - X509 *cert = NULL; - int ret = 0; - - if (format == FORMAT_PKCS12) { - BIO *bio = bio_open_default(file, 'r', format); - - if (bio != NULL) { - EVP_PKEY *pkey = NULL; /* pkey is needed until PR #4930 is merged */ - PW_CB_DATA cb_data; - - cb_data.password = pass; - cb_data.prompt_info = file; - ret = load_pkcs12(bio, desc, wrap_password_callback, - &cb_data, &pkey, &cert, certs); - EVP_PKEY_free(pkey); - BIO_free(bio); - } - } else if (format == FORMAT_ASN1) { /* load only one cert in this case */ - CMP_warn1("can load only one certificate in DER format from %s", file); - cert = load_cert_pass(file, 0, pass, desc); - } - if (format == FORMAT_PKCS12 || format == FORMAT_ASN1) { - if (cert) { - if (*certs == NULL) - *certs = sk_X509_new_null(); - if (*certs != NULL) - ret = sk_X509_insert(*certs, cert, 0); - else - X509_free(cert); - } - } else { - ret = load_certs(file, certs, format, pass, desc); - } - return ret; -} - static void warn_certs_expired(const char *file, STACK_OF(X509) **certs) { int i, res; @@ -812,34 +720,20 @@ static void warn_certs_expired(const char *file, STACK_OF(X509) **certs) } } -/* - * TODO potentially move this and related functions to apps/lib/ - * or even better extend OSSL_STORE with type OSSL_STORE_INFO_CERTS - */ -static int load_certs_autofmt(const char *infile, STACK_OF(X509) **certs, - int exclude_http, const char *pass, - const char *desc) +static int load_certs_pwd(const char *infile, STACK_OF(X509) **certs, + int exclude_http, const char *pass, + const char *desc) { int ret = 0; char *pass_string; - BIO *bio_bak = bio_err; - int format = adjust_format(&infile, opt_certsform, 0); + int format = adjust_format(&infile, FORMAT_PEM, 0); if (exclude_http && format == FORMAT_HTTP) { BIO_printf(bio_err, "error: HTTP retrieval not allowed for %s\n", desc); return ret; } pass_string = get_passwd(pass, desc); - if (format != FORMAT_HTTP) - bio_err = NULL; /* do not show errors on more than one try */ - ret = load_certs_preliminary(infile, certs, format, pass_string, desc); - bio_err = bio_bak; - if (!ret && format != FORMAT_HTTP) { - int format2 = format == FORMAT_PEM ? FORMAT_ASN1 : FORMAT_PEM; - - ERR_clear_error(); - ret = load_certs_preliminary(infile, certs, format2, pass_string, desc); - } + ret = load_certs(infile, certs, pass_string, desc); clear_free(pass_string); if (ret) @@ -1129,7 +1023,7 @@ static X509_STORE *load_certstore(char *input, const char *desc) while (input != NULL) { char *next = next_item(input); \ - if (!load_certs_autofmt(input, &certs, 1, opt_otherpass, desc) + if (!load_certs_pwd(input, &certs, 1, opt_otherpass, desc) || !(store = sk_X509_to_store(store, certs))) { /* CMP_err("out of memory"); */ X509_STORE_free(store); @@ -1160,7 +1054,7 @@ static STACK_OF(X509) *load_certs_multifile(char *files, while (files != NULL) { char *next = next_item(files); - if (!load_certs_autofmt(files, &certs, 0, pass, desc)) + if (!load_certs_pwd(files, &certs, 0, pass, desc)) goto err; if (!X509_add_certs(result, certs, X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP)) @@ -1256,13 +1150,6 @@ static int transform_opts(void) return 0; } - if (opt_certsform_s != NULL - && !opt_format(opt_certsform_s, OPT_FMT_PEMDER | OPT_FMT_PKCS12, - &opt_certsform)) { - CMP_err("unknown option given for certificate list loading format"); - return 0; - } - return 1; } @@ -1554,8 +1441,8 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) X509 *cert; STACK_OF(X509) *certs = NULL; - if (!load_certs_autofmt(opt_tls_cert, &certs, 0, opt_tls_keypass, - "TLS client certificate (optionally with chain)")) + if (!load_certs_pwd(opt_tls_cert, &certs, 0, opt_tls_keypass, + "TLS client certificate (optionally with chain)")) /* * opt_tls_keypass is needed in case opt_tls_cert is an encrypted * PKCS#12 file @@ -1722,8 +1609,8 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine) STACK_OF(X509) *certs = NULL; int ok; - if (!load_certs_autofmt(opt_cert, &certs, 0, opt_keypass, - "CMP client certificate (and optionally extra certs)")) + if (!load_certs_pwd(opt_cert, &certs, 0, opt_keypass, + "CMP client certificate (and optionally extra certs)")) /* opt_keypass is needed if opt_cert is an encrypted PKCS#12 file */ goto err; @@ -2666,9 +2553,6 @@ static int get_opts(int argc, char **argv) case OPT_KEYFORM: opt_keyform_s = opt_str("keyform"); break; - case OPT_CERTSFORM: - opt_certsform_s = opt_str("certsform"); - break; case OPT_OTHERPASS: opt_otherpass = opt_str("otherpass"); break; diff --git a/apps/cms.c b/apps/cms.c index 7e48cc1c82..bcf2f44ce5 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -822,8 +822,7 @@ int cms_main(int argc, char **argv) } if (certfile != NULL) { - if (!load_certs(certfile, &other, FORMAT_PEM, NULL, - "certificate file")) { + if (!load_certs(certfile, &other, NULL, "certificate file")) { ERR_print_errors(bio_err); goto end; } diff --git a/apps/include/apps.h b/apps/include/apps.h index 0e734a528e..0f00e9f52a 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -113,10 +113,15 @@ EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *desc); EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *desc); -int load_certs(const char *file, STACK_OF(X509) **certs, int format, +int load_certs(const char *uri, STACK_OF(X509) **certs, const char *pass, const char *desc); -int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format, +int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, const char *pass, const char *desc); +int load_key_certs_crls(const char *uri, int maybe_stdin, + const char *pass, const char *desc, + EVP_PKEY **ppkey, EVP_PKEY **ppubkey, + X509 **pcert, STACK_OF(X509) **pcerts, + X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls); int load_key_cert_crl(const char *uri, int maybe_stdin, const char *pass, const char *desc, EVP_PKEY **ppkey, EVP_PKEY **ppubkey, diff --git a/apps/lib/apps.c b/apps/lib/apps.c index d19fdc2126..b2e29917eb 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -491,8 +491,8 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin, if (desc == NULL) desc = "certificate"; - (void)load_key_cert_crl(uri, maybe_stdin, pass, desc, - NULL, NULL, &cert, NULL); + (void)load_key_certs_crls(uri, maybe_stdin, pass, desc, + NULL, NULL, &cert, NULL, NULL, NULL); if (cert == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); ERR_print_errors(bio_err); @@ -513,8 +513,8 @@ X509_CRL *load_crl(const char *uri, int format, const char *desc) if (desc == NULL) desc = "CRL"; - (void)load_key_cert_crl(uri, 0, NULL, desc, - NULL, NULL, NULL, &crl); + (void)load_key_certs_crls(uri, 0, NULL, desc, + NULL, NULL, NULL, NULL, &crl, NULL); if (crl == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); ERR_print_errors(bio_err); @@ -593,8 +593,8 @@ EVP_PKEY *load_key(const char *uri, int format, int may_stdin, #endif } } else { - (void)load_key_cert_crl(uri, may_stdin, pass, desc, - &pkey, NULL, NULL, NULL); + (void)load_key_certs_crls(uri, may_stdin, pass, desc, + &pkey, NULL, NULL, NULL, NULL, NULL); } if (pkey == NULL) { @@ -632,8 +632,8 @@ EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, #endif } } else { - (void)load_key_cert_crl(uri, maybe_stdin, pass, desc, - NULL, &pkey, NULL, NULL); + (void)load_key_certs_crls(uri, maybe_stdin, pass, desc, + NULL, &pkey, NULL, NULL, NULL, NULL); } if (pkey == NULL) { BIO_printf(bio_err, "Unable to load %s\n", desc); @@ -642,89 +642,6 @@ EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, return pkey; } -static int load_certs_crls(const char *file, int format, - const char *pass, const char *desc, - STACK_OF(X509) **pcerts, - STACK_OF(X509_CRL) **pcrls) -{ - int i; - BIO *bio; - STACK_OF(X509_INFO) *xis = NULL; - X509_INFO *xi; - PW_CB_DATA cb_data; - int rv = 0; - - cb_data.password = pass; - cb_data.prompt_info = file; - - if (format != FORMAT_PEM) { - BIO_printf(bio_err, "Bad input format specified for %s\n", desc); - return 0; - } - - bio = bio_open_default(file, 'r', FORMAT_PEM); - if (bio == NULL) - return 0; - - xis = PEM_X509_INFO_read_bio_with_libctx(bio, NULL, - (pem_password_cb *)password_callback, - &cb_data, - app_get0_libctx(), - app_get0_propq()); - - BIO_free(bio); - - if (pcerts != NULL && *pcerts == NULL) { - *pcerts = sk_X509_new_null(); - if (*pcerts == NULL) - goto end; - } - - if (pcrls != NULL && *pcrls == NULL) { - *pcrls = sk_X509_CRL_new_null(); - if (*pcrls == NULL) - goto end; - } - - for (i = 0; i < sk_X509_INFO_num(xis); i++) { - xi = sk_X509_INFO_value(xis, i); - if (xi->x509 != NULL && pcerts != NULL) { - if (!sk_X509_push(*pcerts, xi->x509)) - goto end; - xi->x509 = NULL; - } - if (xi->crl != NULL && pcrls != NULL) { - if (!sk_X509_CRL_push(*pcrls, xi->crl)) - goto end; - xi->crl = NULL; - } - } - - if (pcerts != NULL && sk_X509_num(*pcerts) > 0) - rv = 1; - - if (pcrls != NULL && sk_X509_CRL_num(*pcrls) > 0) - rv = 1; - - end: - - sk_X509_INFO_pop_free(xis, X509_INFO_free); - - if (rv == 0) { - if (pcerts != NULL) { - sk_X509_pop_free(*pcerts, X509_free); - *pcerts = NULL; - } - if (pcrls != NULL) { - sk_X509_CRL_pop_free(*pcrls, X509_CRL_free); - *pcrls = NULL; - } - BIO_printf(bio_err, "Unable to load %s\n", desc != NULL ? desc : - pcerts != NULL ? "certificates" : "CRLs"); - } - return rv; -} - void app_bail_out(char *fmt, ...) { va_list args; @@ -749,37 +666,49 @@ void* app_malloc(int sz, const char *what) /* * Initialize or extend, if *certs != NULL, a certificate stack. */ -int load_certs(const char *file, STACK_OF(X509) **certs, int format, +int load_certs(const char *uri, STACK_OF(X509) **certs, const char *pass, const char *desc) { - return load_certs_crls(file, format, pass, desc, certs, NULL); + return load_key_certs_crls(uri, 0, pass, desc, NULL, NULL, + NULL, certs, NULL, NULL); } /* * Initialize or extend, if *crls != NULL, a certificate stack. */ -int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format, +int load_crls(const char *uri, STACK_OF(X509_CRL) **crls, const char *pass, const char *desc) { - return load_certs_crls(file, format, pass, desc, NULL, crls); + return load_key_certs_crls(uri, 0, pass, desc, NULL, NULL, + NULL, NULL, NULL, crls); } /* * Load those types of credentials for which the result pointer is not NULL. * Reads from stdio if uri is NULL and maybe_stdin is nonzero. - * For each type the first credential found in the store is loaded. - * May yield partial result even if rv == 0. + * For non-NULL ppkey, pcert, and pcrl the first suitable value found is loaded. + * If pcerts is non-NULL and *pcerts == NULL then a new cert list is allocated. + * If pcerts is non-NULL then all available certificates are appended to *pcerts + * except any certificate assigned to *pcert. + * If pcrls is non-NULL and *pcrls == NULL then a new list of CRLs is allocated. + * If pcrls is non-NULL then all available CRLs are appended to *pcerts + * except any CRL assigned to *pcrl. + * In any case (also on error) the caller is responsible for freeing all members + * of *pcerts and *pcrls (as far as they are not NULL). */ -int load_key_cert_crl(const char *uri, int maybe_stdin, - const char *pass, const char *desc, - EVP_PKEY **ppkey, EVP_PKEY **ppubkey, - X509 **pcert, X509_CRL **pcrl) +int load_key_certs_crls(const char *uri, int maybe_stdin, + const char *pass, const char *desc, + EVP_PKEY **ppkey, EVP_PKEY **ppubkey, + X509 **pcert, STACK_OF(X509) **pcerts, + X509_CRL **pcrl, STACK_OF(X509_CRL) **pcrls) { PW_CB_DATA uidata; OSSL_STORE_CTX *ctx = NULL; OPENSSL_CTX *libctx = app_get0_libctx(); const char *propq = app_get0_propq(); - int ret = 0; + int ncerts = 0; + int ncrls = 0; + const char *failed = NULL; /* TODO make use of the engine reference 'eng' when loading pkeys */ if (ppkey != NULL) @@ -788,8 +717,18 @@ int load_key_cert_crl(const char *uri, int maybe_stdin, *ppubkey = NULL; if (pcert != NULL) *pcert = NULL; + if (pcerts != NULL && *pcerts == NULL + && (*pcerts = sk_X509_new_null()) == NULL) { + BIO_printf(bio_err, "Out of memory"); + return 0; + } if (pcrl != NULL) *pcrl = NULL; + if (pcrls != NULL && *pcrls == NULL + && (*pcrls = sk_X509_CRL_new_null()) == NULL) { + BIO_printf(bio_err, "Out of memory"); + return 0; + } if (desc == NULL) desc = "key/certificate/CRL"; @@ -799,6 +738,7 @@ int load_key_cert_crl(const char *uri, int maybe_stdin, if (uri == NULL) { BIO *bio; + uri = ""; if (!maybe_stdin) { BIO_printf(bio_err, "No filename or uri specified for loading %s\n", desc); @@ -809,7 +749,6 @@ int load_key_cert_crl(const char *uri, int maybe_stdin, if (bio != NULL) ctx = OSSL_STORE_attach(bio, "file", libctx, propq, get_ui_method(), &uidata, NULL, NULL); - uri = ""; } else { ctx = OSSL_STORE_open_with_libctx(uri, libctx, propq, get_ui_method(), &uidata, NULL, NULL); @@ -820,61 +759,71 @@ int load_key_cert_crl(const char *uri, int maybe_stdin, goto end; } - for (;;) { + while (!OSSL_STORE_eof(ctx)) { OSSL_STORE_INFO *info = OSSL_STORE_load(ctx); int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info); - const char *infostr = - info == NULL ? NULL : OSSL_STORE_INFO_type_string(type); - int err = 0; - - if (info == NULL) { - if (OSSL_STORE_eof(ctx)) - ret = 1; - break; - } + int ok = 1; switch (type) { case OSSL_STORE_INFO_PKEY: if (ppkey != NULL && *ppkey == NULL) - err = ((*ppkey = OSSL_STORE_INFO_get1_PKEY(info)) == NULL); + ok = (*ppkey = OSSL_STORE_INFO_get1_PKEY(info)) != NULL; /* * An EVP_PKEY with private parts also holds the public parts, * so if the caller asked for a public key, and we got a private * key, we can still pass it back. */ - if (ppubkey != NULL && *ppubkey == NULL) - err = ((*ppubkey = OSSL_STORE_INFO_get1_PKEY(info)) == NULL); + if (ok && ppubkey != NULL && *ppubkey == NULL) + ok = ((*ppubkey = OSSL_STORE_INFO_get1_PKEY(info)) != NULL); break; case OSSL_STORE_INFO_PUBKEY: if (ppubkey != NULL && *ppubkey == NULL) - err = ((*ppubkey = OSSL_STORE_INFO_get1_PUBKEY(info)) == NULL); + ok = ((*ppubkey = OSSL_STORE_INFO_get1_PUBKEY(info)) != NULL); break; case OSSL_STORE_INFO_CERT: if (pcert != NULL && *pcert == NULL) - err = ((*pcert = OSSL_STORE_INFO_get1_CERT(info)) == NULL); + ok = (*pcert = OSSL_STORE_INFO_get1_CERT(info)) != NULL; + else if (pcerts != NULL) + ok = X509_add_cert(*pcerts, + OSSL_STORE_INFO_get1_CERT(info), + X509_ADD_FLAG_DEFAULT); + ncerts += ok; break; case OSSL_STORE_INFO_CRL: if (pcrl != NULL && *pcrl == NULL) - err = ((*pcrl = OSSL_STORE_INFO_get1_CRL(info)) == NULL); + ok = (*pcrl = OSSL_STORE_INFO_get1_CRL(info)) != NULL; + else if (pcrls != NULL) + ok = sk_X509_CRL_push(*pcrls, OSSL_STORE_INFO_get1_CRL(info)); + ncrls += ok; break; default: /* skip any other type */ break; } OSSL_STORE_INFO_free(info); - if (err) { - BIO_printf(bio_err, "Could not read %s of %s from %s\n", - infostr, desc, uri); + if (!ok) { + failed = info == NULL ? NULL : OSSL_STORE_INFO_type_string(type); + BIO_printf(bio_err, "Error reading %s of %s from %s\n", + failed, desc, uri); break; } } end: OSSL_STORE_close(ctx); - if (!ret) + if (ppkey != NULL && *ppkey == NULL) + failed = "key"; + else if ((pcert != NULL || pcerts != NULL) && ncerts == 0) + failed = "cert"; + else if ((pcrl != NULL || pcrls != NULL) && ncrls == 0) + failed = "CRL"; + if (failed != NULL) { + BIO_printf(bio_err, "Could not read any %s of %s from %s\n", + failed, desc, uri); ERR_print_errors(bio_err); - return ret; + } + return failed == NULL; } diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index ba9ef12afb..c58f634609 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -1040,8 +1040,7 @@ int load_excert(SSL_EXCERT **pexc) if (exc->key == NULL) return 0; if (exc->chainfile != NULL) { - if (!load_certs(exc->chainfile, &exc->chain, FORMAT_PEM, NULL, - "Server Chain")) + if (!load_certs(exc->chainfile, &exc->chain, NULL, "Server Chain")) return 0; } } diff --git a/apps/ocsp.c b/apps/ocsp.c index 4660a7fe5a..8fb605e6fe 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -567,11 +567,10 @@ int ocsp_main(int argc, char **argv) BIO_printf(bio_err, "Error loading responder certificate\n"); goto end; } - if (!load_certs(rca_filename, &rca_cert, FORMAT_PEM, - NULL, "CA certificate")) + if (!load_certs(rca_filename, &rca_cert, NULL, "CA certificates")) goto end; if (rcertfile != NULL) { - if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL, + if (!load_certs(rcertfile, &rother, NULL, "responder other certificates")) goto end; } @@ -665,7 +664,7 @@ redo_accept: goto end; } if (sign_certfile != NULL) { - if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL, + if (!load_certs(sign_certfile, &sign_other, NULL, "signer certificates")) goto end; } @@ -774,8 +773,8 @@ redo_accept: if (vpmtouched) X509_STORE_set1_param(store, vpm); if (verify_certfile != NULL) { - if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL, - "validator certificate")) + if (!load_certs(verify_certfile, &verify_other, NULL, + "validator certificates")) goto end; } diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 46340c0d25..60ede2e1a1 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -59,7 +59,7 @@ typedef enum OPTION_choice { OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER, OPT_DESCERT, OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_NOENC, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE, - OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME, + OPT_INKEY, OPT_CERTFILE, OPT_PASSCERTS, OPT_NAME, OPT_CSP, OPT_CANAME, OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE, OPT_R_ENUM, OPT_PROV_ENUM, OPT_LEGACY_ALG @@ -87,6 +87,7 @@ const OPTIONS pkcs12_options[] = { OPT_SECTION("Input"), {"inkey", OPT_INKEY, 's', "Private key if not infile"}, {"certfile", OPT_CERTFILE, '<', "Load certs from file"}, + {"passcerts", OPT_PASSCERTS, 's', "Certificate file pass phrase source"}, {"name", OPT_NAME, 's', "Use name as friendly name"}, {"CSP", OPT_CSP, 's', "Microsoft CSP name"}, {"caname", OPT_CANAME, 's', @@ -143,6 +144,7 @@ const OPTIONS pkcs12_options[] = { int pkcs12_main(int argc, char **argv) { char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL; + char *passcertsarg = NULL, *passcerts = NULL; char *name = NULL, *csp_name = NULL; char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = ""; int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0, use_legacy = 0; @@ -260,6 +262,9 @@ int pkcs12_main(int argc, char **argv) case OPT_CERTFILE: certfile = opt_arg(); break; + case OPT_PASSCERTS: + passcertsarg = opt_arg(); + break; case OPT_NAME: name = opt_arg(); break; @@ -322,6 +327,9 @@ int pkcs12_main(int argc, char **argv) } argc = opt_num_rest(); + if (!export_cert && passcertsarg != NULL) + BIO_printf(bio_err, + "Warning: -passcerts option ignored without -export\n"); if (use_legacy) { /* load the legacy provider if not loaded already*/ if (!OSSL_PROVIDER_available(app_get0_libctx(), "legacy")) { @@ -349,6 +357,11 @@ int pkcs12_main(int argc, char **argv) private = 1; + if (!app_passwd(passcertsarg, NULL, &passcerts, NULL)) { + BIO_printf(bio_err, "Error getting certificate file password\n"); + goto end; + } + if (passarg != NULL) { if (export_cert) passoutarg = passarg; @@ -424,8 +437,7 @@ int pkcs12_main(int argc, char **argv) /* Load in all certs in input file */ if (!(options & NOCERTS)) { - if (!load_certs(infile, &certs, FORMAT_PEM, NULL, - "certificates")) + if (!load_certs(infile, &certs, passin, "input certificates")) goto export_end; if (key != NULL) { @@ -453,7 +465,7 @@ int pkcs12_main(int argc, char **argv) /* Add any more certificates asked for */ if (certfile != NULL) { - if (!load_certs(certfile, &certs, FORMAT_PEM, NULL, + if (!load_certs(certfile, &certs, passcerts, "certificates from certfile")) goto export_end; } @@ -652,6 +664,7 @@ int pkcs12_main(int argc, char **argv) BIO_free_all(out); sk_OPENSSL_STRING_free(canames); OPENSSL_free(badpass); + OPENSSL_free(passcerts); OPENSSL_free(passin); OPENSSL_free(passout); return ret; diff --git a/apps/s_client.c b/apps/s_client.c index a1b80f4c5f..ba4fcdcca1 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -1746,8 +1746,7 @@ int s_client_main(int argc, char **argv) } if (chain_file != NULL) { - if (!load_certs(chain_file, &chain, FORMAT_PEM, NULL, - "client certificate chain")) + if (!load_certs(chain_file, &chain, pass, "client certificate chain")) goto end; } diff --git a/apps/s_server.c b/apps/s_server.c index 5f16dcdea4..1c20b48027 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1758,7 +1758,7 @@ int s_server_main(int argc, char *argv[]) if (s_cert == NULL) goto end; if (s_chain_file != NULL) { - if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL, + if (!load_certs(s_chain_file, &s_chain, NULL, "server certificate chain")) goto end; } @@ -1822,7 +1822,7 @@ int s_server_main(int argc, char *argv[]) goto end; } if (s_dchain_file != NULL) { - if (!load_certs(s_dchain_file, &s_dchain, FORMAT_PEM, NULL, + if (!load_certs(s_dchain_file, &s_dchain, NULL, "second server certificate chain")) goto end; } diff --git a/apps/smime.c b/apps/smime.c index 4dfc80d440..5ecdc019d2 100644 --- a/apps/smime.c +++ b/apps/smime.c @@ -449,8 +449,7 @@ int smime_main(int argc, char **argv) } if (certfile != NULL) { - if (!load_certs(certfile, &other, FORMAT_PEM, NULL, - "certificate file")) { + if (!load_certs(certfile, &other, NULL, "certificates")) { ERR_print_errors(bio_err); goto end; } diff --git a/apps/verify.c b/apps/verify.c index c28f44571a..ed20b69b17 100644 --- a/apps/verify.c +++ b/apps/verify.c @@ -149,7 +149,7 @@ int verify_main(int argc, char **argv) break; case OPT_UNTRUSTED: /* Zero or more times */ - if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL, + if (!load_certs(opt_arg(), &untrusted, NULL, "untrusted certificates")) goto end; break; @@ -158,14 +158,12 @@ int verify_main(int argc, char **argv) noCAfile = 1; noCApath = 1; noCAstore = 1; - if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL, - "trusted certificates")) + if (!load_certs(opt_arg(), &trusted, NULL, "trusted certificates")) goto end; break; case OPT_CRLFILE: /* Zero or more times */ - if (!load_crls(opt_arg(), &crls, FORMAT_PEM, NULL, - "other CRLs")) + if (!load_crls(opt_arg(), &crls, NULL, "other CRLs")) goto end; break; case OPT_CRL_DOWNLOAD: diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in index 5f7dc2d16f..580ed574a3 100644 --- a/doc/man1/openssl-ca.pod.in +++ b/doc/man1/openssl-ca.pod.in @@ -140,7 +140,7 @@ F<.pem> appended. =item B<-cert> -The CA certificate file. +The CA certificate, which must match with B<-keyfile>. =item B<-certform> B|B|B @@ -149,7 +149,7 @@ This option has no effect and is retained for backward compatibility only. =item B<-keyfile> I -The private key to sign requests with. +The CA private key to sign requests with. This must match with B<-cert>. =item B<-keyform> B|B|B|B @@ -179,6 +179,7 @@ The password used to encrypt the private key. Since on some systems the command line arguments are visible (e.g., when using L on Unix), this option should be used with caution. +Better use B<-passin>. =item B<-selfsign> diff --git a/doc/man1/openssl-cmp.pod.in b/doc/man1/openssl-cmp.pod.in index 8d3e686b55..a6a769af9d 100644 --- a/doc/man1/openssl-cmp.pod.in +++ b/doc/man1/openssl-cmp.pod.in @@ -69,7 +69,6 @@ B B [B<-certform> I] [B<-keyform> I] -[B<-certsform> I] [B<-otherpass> I] {- $OpenSSL::safe::opt_engine_synopsis -} {- $OpenSSL::safe::opt_provider_synopsis -} @@ -681,15 +680,10 @@ Send messages without CMP-level protection. File format to use when saving a certificate to a file. Default value is PEM. -=item B<-keyform> I +=item B<-keyform> I -Format to assume when reading key files. -Default value is PEM. - -=item B<-certsform> I - -Format to try first when reading multiple certificates from file(s). -Default value is PEM. +The format of the key input. +The only value with effect is B. =item B<-otherpass> I diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in index a72b4c9fa0..def9766b3c 100644 --- a/doc/man1/openssl-cms.pod.in +++ b/doc/man1/openssl-cms.pod.in @@ -380,6 +380,7 @@ the MIME type multipart/signed is used. Allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for the signers certificates. +The input can be in PEM, DER, or PKCS#12 format. =item B<-certsout> I diff --git a/doc/man1/openssl-ocsp.pod.in b/doc/man1/openssl-ocsp.pod.in index a738ddbdd7..614a4dae83 100644 --- a/doc/man1/openssl-ocsp.pod.in +++ b/doc/man1/openssl-ocsp.pod.in @@ -130,6 +130,7 @@ the OCSP request is not signed. =item B<-sign_other> I Additional certificates to include in the signed request. +The input can be in PEM, DER, or PKCS#12 format. =item B<-nonce>, B<-no_nonce> @@ -180,10 +181,12 @@ the complete request is received. =item B<-verify_other> I -File containing additional certificates to search when attempting to locate +File or URI containing additional certificates to search +when attempting to locate the OCSP response signing certificate. Some responders omit the actual signer's certificate from the response: this option can be used to supply the necessary certificate in such cases. +The input can be in PEM, DER, or PKCS#12 format. =item B<-trust_other> @@ -194,8 +197,9 @@ root CA is not appropriate. =item B<-VAfile> I -File containing explicitly trusted responder certificates. Equivalent to the -B<-verify_other> and B<-trust_other> options. +File or URI containing explicitly trusted responder certificates. +Equivalent to the B<-verify_other> and B<-trust_other> options. +The input can be in PEM, DER, or PKCS#12 format. =item B<-noverify> @@ -296,6 +300,7 @@ must also be present. CA certificate corresponding to the revocation information in the index file given with B<-index>. +The input can be in PEM, DER, or PKCS#12 format. =item B<-rsigner> I @@ -314,6 +319,7 @@ see L. =item B<-rother> I Additional certificates to include in the OCSP response. +The input can be in PEM, DER, or PKCS#12 format. =item B<-rsigopt> I:I diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 90d8a7e19e..e148d229b0 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -13,6 +13,7 @@ B B [B<-chain>] [B<-inkey> I] [B<-certfile> I] +[B<-passcerts> I] [B<-name> I] [B<-caname> I] [B<-in> I] @@ -85,8 +86,10 @@ Print out a usage message. =item B<-in> I -This specifies filename of the PKCS#12 file to be parsed. Standard input is used -by default. +This specifies filename or URI of the PKCS#12 file to be parsed. +With B<-export>, this refers to the the certificate and/or key input, +which can be in PEM, DER, or PKCS#12 format. +Standard input is used by default. =item B<-out> I @@ -195,9 +198,10 @@ by default. =item B<-in> I -The filename to read certificates and private keys from, standard input by -default. They must all be in PEM format. The order doesn't matter but one -private key and its corresponding certificate should be present. If additional +The filename or URI to read certificates and private keys from, standard input +by default. They can be in PEM, DER, or PKCS#12 format. +The order doesn't matter but one private key and +its corresponding certificate should be present. If additional certificates are present they will also be included in the PKCS#12 file. =item B<-inkey> I @@ -214,7 +218,14 @@ name is typically displayed in list boxes by software importing the file. =item B<-certfile> I -A filename to read additional certificates from. +A filename or URI to read additional certificates from. +The file can be in PEM, DER, or PKCS#12 format. + +=item B<-passcerts> I + +The password source for certificate input such as B<-certfile>. +For more information about the format of B +see the B section in L. =item B<-caname> I diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in index 6d8cb5a397..bcb39f50ca 100644 --- a/doc/man1/openssl-s_client.pod.in +++ b/doc/man1/openssl-s_client.pod.in @@ -248,8 +248,9 @@ This option has no effect and is retained for backward compatibility only. =item B<-cert_chain> -A file containing untrusted certificates to use when attempting to build the +A file or URI of untrusted certificates to use when attempting to build the certificate chain related to the certificate specified via the B<-cert> option. +The input can be in PEM, DER, or PKCS#12 format. =item B<-build_chain> diff --git a/doc/man1/openssl-s_server.pod.in b/doc/man1/openssl-s_server.pod.in index 47515af42a..7e10fdb036 100644 --- a/doc/man1/openssl-s_server.pod.in +++ b/doc/man1/openssl-s_server.pod.in @@ -228,8 +228,9 @@ This option has no effect and is retained for backward compatibility only. =item B<-cert_chain> -A file containing untrusted certificates to use when attempting to build the +A file or URI of untrusted certificates to use when attempting to build the certificate chain related to the certificate specified via the B<-cert> option. +The input can be in PEM, DER, or PKCS#12 format. =item B<-build_chain> @@ -274,9 +275,10 @@ by using an appropriate certificate. =item B<-dcert_chain> -A file containing untrusted certificates to use when attempting to build the +A file or URI of untrusted certificates to use when attempting to build the server certificate chain when a certificate specified via the B<-dcert> option is in use. +The input can be in PEM, DER, or PKCS#12 format. =item B<-dcertform> B|B|B diff --git a/doc/man1/openssl-smime.pod.in b/doc/man1/openssl-smime.pod.in index 9f42c0c1fe..3aa0dc49d2 100644 --- a/doc/man1/openssl-smime.pod.in +++ b/doc/man1/openssl-smime.pod.in @@ -238,6 +238,7 @@ option is present B is used instead. Allows additional certificates to be specified. When signing these will be included with the message. When verifying these will be searched for the signers certificates. +The input can be in PEM, DER, or PKCS#12 format. =item B<-signer> I diff --git a/doc/man1/openssl-verify.pod.in b/doc/man1/openssl-verify.pod.in index ff4d88f577..e9c2ca922c 100644 --- a/doc/man1/openssl-verify.pod.in +++ b/doc/man1/openssl-verify.pod.in @@ -40,7 +40,7 @@ Print out a usage message. =item B<-CRLfile> I -The I should contain one or more CRLs in PEM format. +The file or URI should contain one or more CRLs in PEM or DER format. This option can be specified more than once to include CRLs from multiple Is. @@ -60,13 +60,14 @@ Print extra information about the operations being performed. =item B<-trusted> I -A file of trusted certificates in PEM format. +A file or URI of trusted certificates in PEM, DER, or PKCS#12 format. This option can be specified more than once to load certificates from multiple Is. =item B<-untrusted> I -A file of untrusted certificates in PEM format to use for chain building. +A file or URI of untrusted certificates in PEM, DER, or PKCS#12 format +to use for chain building. This option can be specified more than once to load certificates from multiple Is. diff --git a/test/certs/v3-certs-RC2.p12 b/test/certs/v3-certs-RC2.p12 new file mode 100644 index 0000000000000000000000000000000000000000..0cdbcc1f2662d8625f4fdd7e481b607884b9e97d GIT binary patch literal 1568 zcmV+*2H*KGf(9G{0Ru3C1>yz?Duzgg_YDCD0ic2f(*%MA&oF`o%P@ik#|8;1hDe6@ z4FLxRpn?UsFoFfN0s#Opf(5Mx2`Yw2hW8Bt2LUh~1_~;MNQU4L5S?Z=x{eaHZw{t`HG@(B)LkVB6ccD9| z+n0(Si;9KL_r&r08LAu2veoalPW^RWjYOQg*p4Al85B-p4M^0o@%+x3owFep{juPPbc!h@U#U|>kKRHMMW1M+#)D~3u*KIDH_PkLc z+^+05Pm0g*I(kvNX;vPvR@k3cM$AiiJlP3V_aZyrQyOKBB?A8B1L@OmtiEK82%R8i z{yT#M>yML+yNp~Hjzm-aFhcD-lRR*R9RSD;vV-|y7QYweQ$P`yCa7Vb0%y1Yy=*n6 z!J_>aM4I?Ia64>`5>8cQ?1gmG|5*5|2!UrcB#)03-p$VkWKlSk zURa6xO9AXeq^Hr~!JTmd;=PS!AtK_y<;xi4P&3>=ogNjr#&g?7M9x>-O(AF2u-YtH zR*Eyf^gjK(l~))A!Dnk!*D}4UVa}7k@N*a-1etU82{K(L>wIy#y>>PRZaPoP|w=|l;wud9kop&EYfnx4-z8C@2n_B9gBAwR$xh%qPZiSdw;r_dwbu60axva%f5D#A&vUgD zk%NWYe8;Eff-J!V0_Dr@qJKGK19g|+01eP&sXc(`K>^SGwEvy|(@@4d?Sz?l%<1&! zggc*NA;DVLqI<)wxw0P)(1m%S#}MPYc1<*%J82(mFymvhH=H#jXY4fnVE2X}M{ibV zCeZh{WM1bU()*e+O*$!kNab#qoDGo1@TK~WdNR?SocR(`kV2WwA1cR+`p(mlU;V_f zl(p1Z#Mn$Gs7MWo_k8kS1XB(P3U5qm$c_SyT^8<0w-zumRkCj%Mjs+xrvAYAqLoOmhl-aGQVD z7V&T1&`_+Xw>YWGvg<~CFDbf93S!;j{~v-sGHAHgL3e||Ral^(gmb(gIp(9e{=&Y2 zZ{RwR{sqSSKpd)=T$9u{;mVlKByGV1JTF0&*L6P*f+cW}Dg19|{Hm;YJ?|49iopma zEY7xVj*@22_OFMD07!bO)!}b#kU;cGhD7vIvU3+mFX52~|6EwTmmiNoGOblib-wPz zFNM);xmq8RgJnAkQAum>SZ(T%a`ko$3CVvejyC7M#_+BJK?4860Y$JkK9|Se2^rRj zeMtlh|G1agmNnd~tfnJbm=`+2rz@yc8KYR2#|Qb1Gh zvJfh$#V5+ek;=Gt^e0Ul-D;pXm`KtHcV&8Jt^Q6I7a+1rN%XvsJ^E~JEErPYNOkQR z3TOOaSB<<`EXL!yF6&CoFflM8FbM_)D-Ht!8U+9Z6wKbMB-1!FCBDySt^KH2c&gHB S)dUC*K^yVIhS@m+0tf)=9OYvG literal 0 HcmV?d00001 diff --git a/test/certs/v3-certs-TDES.p12 b/test/certs/v3-certs-TDES.p12 new file mode 100644 index 0000000000000000000000000000000000000000..d203dc29860af80a0e9ad1887218059e64489801 GIT binary patch literal 1568 zcmV+*2H*KGf(9G{0Ru3C1>yz?Duzgg_YDCD0ic2f(*%MA&oF`o%P@ik#|8;1hDe6@ z4FLxRpn?UsFoFfN0s#Opf(5Mx2`Yw2hW8Bt2LUh~1_~;MNQUJ_-B+td39)$Q+q4b%LtOI=|;1eE@yN$ITLMlR)>)`fGh#SOX<1IUzJ-nxCml53$u?W7=6P?$92Lh2E3oAu`S^BIgriZI!GJ|K0@h` zVQTvOe;Nf63_uqwuGn)i)`&4-V$FwZVlb&J7i!t7qN$ghX-=1bK5*VL{(Dc90PnlQ z5p^{{_yEPA2+D}SZ;859hqdy(?0S{TGhsT{1~u?!M?p_l00(@POhHVPk-k;(^LDYO zB@kic*IGAP7fW*(w_~xlh8Cj#DPZ zoEwXaZ;R>pptb}DC*u;7B*>3w!_rV%vbSVTnK@q+Fm?|KD>2rppmbrl4lK!vF9wm2 z!eYi>X;v?OD+X`L!PFrvwoV7}dC5z{m{?X3kBkQDh}{^m!mlN?feq>h^opVojw#lO zhJfj+_!L6ajLd&XBfLxf!OKD(_jjvH3&TVWyM1A1TkZ!W@>|)TrkY|-Z-7kOBwu5>z~DUR+rb;kouU%VSYxOwtGO zKdB0k&X4(VB&bmGD6vY*zOE~yK9-ulldpzK1(vWR0GEj)54137;H$4N8Qe`dC~j#p8Z@J@n$6 zIf-Y5eNZ{PdKO;60dP90vSq3h%z;oOpPeB^^U+#Id_)`T41h3t@bzL|GAx#a=NEIV zDSA5>qsS{DtmG)XJ~DmDbH=GtMni^s1+1chBB4F09HOUDV#i!U^XAm1(Uc!mCMdI) z@4V1ht@%mj$~-$Je*l)k2|4!GotZ->9BuRKTJ$6tt*0>RAp)Wb<8F~RTn*+QCevuu5KH({fNBIR37yn6KoC$M22@( z9URkV@EAWf?O;;2Ti^?j*7skTam#?djMTDv*s-t#SXamUYJkWZFV>8FzjdtY>a!*v*qx9^nIfICEHM* zO6{FXZAfU{td(8|=?z?@1TjZ1hX#Av*Ep(-BCh1#oQ&)>soeDxE70FNVcMG(KDE~) z{LW~O!0$B?U3A60uxSl%5=ocS0|dip+VT0k6P2=}DfVWt7dmJb4`C8Pa>I+B9eO60 z%poH$Pkhp-sw6aYDGjO-4?N`qS}sk^O!vvAylkda#sFH7!Z7SXym#`B$C5rH6>4C` z0!|?#i4IQDS$o9Ls(yoQvB=$Lm(9qo+9WedG%Ko~S260v^&i#C~XUHm-1{i#xulto|O; SRRjnS(74yVmL2Q@0tf(I?bts6 literal 0 HcmV?d00001 diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t index fa95649212..24247b8c25 100644 --- a/test/recipes/80-test_pkcs12.t +++ b/test/recipes/80-test_pkcs12.t @@ -57,7 +57,7 @@ if (eval { require Win32::API; 1; }) { } $ENV{OPENSSL_WIN32_UTF8}=1; -plan tests => 2; +plan tests => 4; # Test different PKCS#12 formats ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats"); @@ -68,4 +68,27 @@ ok(run(app(["openssl", "pkcs12", "-noout", "-in", srctop_file("test", "shibboleth.pfx")])), "test_pkcs12"); +my @path = qw(test certs); +my $tmpfile = "tmp.p12"; + +# Test the -passcerts option +ok(run(app(["openssl", "pkcs12", "-export", + "-in", srctop_file(@path, "ee-cert.pem"), + "-certfile", srctop_file(@path, "v3-certs-TDES.p12"), + "-passcerts", "pass:v3-certs", + "-nokeys", "-passout", "pass:v3-certs", "-descert", + "-out", $tmpfile])), + "test_pkcs12_passcert"); +unlink $tmpfile; + +# Test reading legacy PKCS#12 file +ok(run(app(["openssl", "pkcs12", "-export", + "-in", srctop_file(@path, "v3-certs-RC2.p12"), + "-passin", "pass:v3-certs", + "-provider", "default", "-provider", "legacy", + "-nokeys", "-passout", "pass:v3-certs", "-descert", + "-out", $tmpfile])), + "test_pkcs12_passcert"); +unlink $tmpfile; + SetConsoleOutputCP($savedcp) if (defined($savedcp));