From 9191dfb0ef48f95002aecfa8e11d9db434b4093d Mon Sep 17 00:00:00 2001
From: slontis
Date: Wed, 25 Jan 2023 11:25:33 +1000
Subject: Fix PKCS12_newpass() to work with PBES2.
Fixes #19092 The code looks like it was written to work with PBES1. As it had no tests, this would of then broken when PBES2 was introduced at a later point. Also added libctx and propq support. This affects the shroudedkeybag object.
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/20134)
---
 test/pkcs12_api_test.c | 43 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 42 insertions(+), 1 deletion(-)
(limited to 'test/pkcs12_api_test.c')
diff --git a/test/pkcs12_api_test.c b/test/pkcs12_api_test.c
index 7186784463..da023f364d 100644
--- a/test/pkcs12_api_test.c
+++ b/test/pkcs12_api_test.c
@@ -60,6 +60,46 @@ static const char *in_pass = "";
 static int has_key = 0;
 static int has_cert = 0;
 static int has_ca = 0;
+
+static int changepass(PKCS12 *p12, EVP_PKEY *key, X509 *cert, STACK_OF(X509) *ca)
+{
+ int ret = 0;
+ PKCS12 *p12new = NULL;
+ EVP_PKEY *key2 = NULL;
+ X509 *cert2 = NULL;
+ STACK_OF(X509) *ca2 = NULL;
+ BIO *bio = NULL;
+
+ if (!TEST_true(PKCS12_newpass(p12, in_pass, "NEWPASS")))
+ goto err;
+ if (!TEST_ptr(bio = BIO_new(BIO_s_mem())))
+ goto err;
+ if (!TEST_true(i2d_PKCS12_bio(bio, p12)))
+ goto err;
+ if (!TEST_ptr(p12new = PKCS12_init_ex(NID_pkcs7_data, testctx, "provider=default")))
+ goto err;
+ if (!TEST_ptr(d2i_PKCS12_bio(bio, &p12new)))
+ goto err;
+ if (!TEST_true(PKCS12_parse(p12new, "NEWPASS", &key2, &cert2, &ca2)))
+ goto err;
+ if (has_key) {
+ if (!TEST_ptr(key2) || !TEST_int_eq(EVP_PKEY_eq(key, key2), 1))
+ goto err;
+ }
+ if (has_cert) {
+ if (!TEST_ptr(cert2) || !TEST_int_eq(X509_cmp(cert, cert2), 0))
+ goto err;
+ }
+ ret = 1;
+err:
+ BIO_free(bio);
+ PKCS12_free(p12new);
+ EVP_PKEY_free(key2);
+ X509_free(cert2);
+ OSSL_STACK_OF_X509_free(ca2);
+ return ret;
+}
+
 static int pkcs12_parse_test(void)
 {
 int ret = 0;
@@ -82,8 +122,9 @@ static int pkcs12_parse_test(void)
 goto err;
 if ((has_ca && !TEST_ptr(ca)) || (!has_ca && !TEST_ptr_null(ca)))
 goto err;
+ if (has_key && !changepass(p12, key, cert, ca))
+ goto err;
 }
-
 ret = 1;
 err:
 PKCS12_free(p12);
-- 
cgit v1.2.3
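Review bot: `ca` is accepted by changepass() but never read, so the CA chain is not checked to survive the password change: PKCS12_parse() fills `ca2` and the cleanup frees it, but nothing between the has_cert block and `ret = 1;` compares it with `ca`. Mirroring the has_key/has_cert blocks with a has_ca block (presence and element count against `ca`, NULL expected otherwise) would close that gap; if the chain is deliberately out of scope, drop the parameter instead so the signature does not promise a check it does not make. That PKCS12_parse() leaves `ca2` NULL when the file carries no CA certificates is inferred from the existing `TEST_ptr_null(ca)` assertion in the second hunk rather than shown here. A one-line header comment such as `/* Re-encrypt p12 under "NEWPASS", round-trip it through DER and check the parsed contents still match. */` would also make the helper's contract clear at a glance.
```c
    if (has_cert) {
        if (!TEST_ptr(cert2) || !TEST_int_eq(X509_cmp(cert, cert2), 0))
            goto err;
    }
    if (has_ca) {
        if (!TEST_ptr(ca2) || !TEST_int_eq(sk_X509_num(ca2), sk_X509_num(ca)))
            goto err;
    } else if (!TEST_ptr_null(ca2)) {
        goto err;
    }
    ret = 1;
    /* … unchanged: err: cleanup and return … */
```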
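Review bot: The changepass() call re-encrypts the caller's `p12` in place under the new password, which is not visible at the call site, so a later check added between this line and `ret = 1;` that parses `p12` with `in_pass` would fail for a non-obvious reason; a short comment such as `/* NB: changepass() rewrites p12 under "NEWPASS"; do not reuse p12 with in_pass after this point */` would record that. Gating on `has_key` also means inputs without a private key never reach PKCS12_newpass(); that is consistent with the commit message limiting the fix to the shroudedkeybag, but worth stating in the same comment. pkcs12_parse_test() starts and ends outside the hunk.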