Browse Source

PKCS12_parse(): Clean up code and correct documentation

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12641)
master
Dr. David von Oheimb 2 years ago
parent
commit
c7dfb2abe5
2 changed files with 34 additions and 23 deletions
  1. +26
    -19
      crypto/pkcs12/p12_kiss.c
  2. +8
    -4
      doc/man3/PKCS12_parse.pod

+ 26
- 19
crypto/pkcs12/p12_kiss.c View File

@ -30,8 +30,8 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
/*
* Parse and decrypt a PKCS#12 structure returning user key, user cert and
* other (CA) certs. Note either ca should be NULL, *ca should be NULL, or it
* should point to a valid STACK structure. pkey and cert can be passed
* uninitialised.
* should point to a valid STACK structure. pkey and/or cert may be NULL;
* if non-NULL the variables they point to can be passed uninitialised.
*/
int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
@ -40,9 +40,9 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
STACK_OF(X509) *ocerts = NULL;
X509 *x = NULL;
if (pkey)
if (pkey != NULL)
*pkey = NULL;
if (cert)
if (cert != NULL)
*cert = NULL;
/* Check for NULL PKCS12 structure */
@ -76,10 +76,9 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
goto err;
}
/* Allocate stack for other certificates */
ocerts = sk_X509_new_null();
if (!ocerts) {
/* If needed, allocate stack for other certificates */
if ((cert != NULL || ca != NULL)
&& (ocerts = sk_X509_new_null()) == NULL) {
PKCS12err(PKCS12_F_PKCS12_PARSE, ERR_R_MALLOC_FAILURE);
goto err;
}
@ -89,36 +88,39 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
goto err;
}
while ((x = sk_X509_shift(ocerts))) {
/* Split the certs in ocerts over *cert and *ca as far as requested */
while ((x = sk_X509_shift(ocerts)) != NULL) {
if (pkey != NULL && *pkey != NULL
&& cert != NULL && *cert == NULL) {
int match;
ERR_set_mark();
if (X509_check_private_key(x, *pkey)) {
match = X509_check_private_key(x, *pkey);
ERR_pop_to_mark();
if (match) {
*cert = x;
x = NULL;
continue;
}
ERR_pop_to_mark();
}
if (ca != NULL && x != NULL) {
if (ca != NULL) {
if (!X509_add_cert_new(ca, x, X509_ADD_FLAG_DEFAULT))
goto err;
x = NULL;
continue;
}
X509_free(x);
}
sk_X509_pop_free(ocerts, X509_free);
sk_X509_free(ocerts);
return 1;
err:
if (pkey) {
if (pkey != NULL) {
EVP_PKEY_free(*pkey);
*pkey = NULL;
}
if (cert) {
if (cert != NULL) {
X509_free(*cert);
*cert = NULL;
}
@ -130,6 +132,7 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
/* Parse the outer PKCS#12 structure */
/* pkey and/or ocerts may be NULL */
static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
{
@ -164,6 +167,7 @@ static int parse_pk12(PKCS12 *p12, const char *pass, int passlen,
return 1;
}
/* pkey and/or ocerts may be NULL */
static int parse_bags(const STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
int passlen, EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
{
@ -176,6 +180,7 @@ static int parse_bags(const STACK_OF(PKCS12_SAFEBAG) *bags, const char *pass,
return 1;
}
/* pkey and/or ocerts may be NULL */
static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
EVP_PKEY **pkey, STACK_OF(X509) *ocerts)
{
@ -212,7 +217,8 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
break;
case NID_certBag:
if (PKCS12_SAFEBAG_get_bag_nid(bag) != NID_x509Certificate)
if (ocerts == NULL
|| PKCS12_SAFEBAG_get_bag_nid(bag) != NID_x509Certificate)
return 1;
if ((x509 = PKCS12_SAFEBAG_get1_cert(bag)) == NULL)
return 0;
@ -223,6 +229,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen,
if (fname) {
int len, r;
unsigned char *data;
len = ASN1_STRING_to_UTF8(&data, fname);
if (len >= 0) {
r = X509_alias_set1(x509, data, len);


+ 8
- 4
doc/man3/PKCS12_parse.pod View File

@ -21,10 +21,14 @@ certificate to B<*cert> and any additional certificates to B<*ca>.
=head1 NOTES
The parameters B<pkey> and B<cert> cannot be B<NULL>. B<ca> can be <NULL> in
which case additional certificates will be discarded. B<*ca> can also be a
valid STACK in which case additional certificates are appended to B<*ca>. If
B<*ca> is B<NULL> a new STACK will be allocated.
Each of the parameters B<pkey>, B<cert>, and B<ca> can be NULL in which case
the private key, the corresponding certificate, or the additional certificates,
respectively, will be discarded.
If any of B<pkey> and B<cert> is non-NULL the variable it points to is
initialized.
If B<ca> is non-NULL and B<*ca> is NULL a new STACK will be allocated.
If B<ca> is non-NULL and B<*ca> is a valid STACK
then additional certificates are appended in the given order to B<*ca>.
The B<friendlyName> and B<localKeyID> attributes (if present) on each
certificate will be stored in the B<alias> and B<keyid> attributes of the


Loading…
Cancel
Save