Hi. I've come across an issue where certain PKCS#12 files are incorrectly
parsed by PKCS12_parse().

The problem seems to be when the Signing cert appears twice in the PKCS12
file (or something - not 100% sure).

Anyway - looking at crypto/pkcs12/p12_kiss.c, it appears that the logic in
parse_bag() will always return the last cert in the file, not necessarily
the cert which matches the Private Key.

It all appears to be down to this (unified diff follows)

$ diff --unified p12_kiss.c p12_kiss_updated.c
--- p12_kiss.c 2004-12-05 01:04:39.000000000 +0000
+++ p12_kiss_updated.c 2005-04-05 11:20:09.613404368 +0100
@@ -216,14 +216,18 @@
}

/* Check for any local key id matching (if needed) */
- if (lkey && ((*keymatch & MATCH_ALL) != MATCH_ALL)) {
- if (*keyid) {
- if (M_ASN1_OCTET_STRING_cmp(*keyid, lkey)) lkey =
NULL;
+ if (lkey) {
+ if ((*keymatch & MATCH_ALL) != MATCH_ALL) {
+ if (*keyid) {
+ if (M_ASN1_OCTET_STRING_cmp(*keyid, lkey))
lkey = NULL;
+ } else {
+ if (!(*keyid =
M_ASN1_OCTET_STRING_dup(lkey))) {+
PKCS12err(PKCS12_F_PARSE_BAGS,ERR_R_MALLOC_FAILURE );
+ return 0;
+ }
+ }
} else {
- if (!(*keyid = M_ASN1_OCTET_STRING_dup(lkey))) {
- PKCS12err(PKCS12_F_PARSE_BAGS,ERR_R_MALLOC_FAILURE );
- return 0;
- }
+ lkey = NULL;
}
}
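
Review bot: The new outer `else { lkey = NULL; }` branch carries no comment and drops the local key ID of every bag seen once `(*keymatch & MATCH_ALL) == MATCH_ALL`, so the fix depends on how the code after this hunk treats `lkey == NULL`, which is not visible here. Please add a comment stating the intent (key and cert already paired, ignore later IDs) and say in the description what then happens to those later certs. Bags that carry no local key ID never enter the `if (lkey)` block, so this change does not affect them. The patch was also wrapped in transit (`lkey =` and `NULL;` split over two lines, a stray `+` after `M_ASN1_OCTET_STRING_dup(lkey))) {`), so it will not apply as posted; resending it as an attachment would avoid that.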


Cheers,
Paul

--
Paul Ford-Hutchinson, CISSP : eCommerce application security
e: paul.ford-hutchinson@g-international.com
p: MPT-6, IBM , PO Box 31, Birmingham Rd, Warwick, CV34 5JL
t: +44 (0)1926 462005
w: http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
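
The behaviour reported above, as an added, simplified model in C; it is not OpenSSL code and not part of the original message. `struct bag`, `select_cert`, the string IDs and the flag values are hypothetical stand-ins, and the handling after the check (a cert bag whose `lkey` survives becomes the returned cert) is an assumption taken from the message's description.

```c
#include <stdio.h>
#include <string.h>

/* Flag values assumed for this model. */
#define MATCH_KEY  0x1
#define MATCH_CERT 0x2
#define MATCH_ALL  0x3

/* Constructed stand-in for a safe bag: its type and localKeyID ("" = none). */
struct bag { int is_key; const char *lkey; };

/* Walk the bags in file order and return the index of the cert that ends up
 * as "the" cert, or -1. patched=0 models the original check, patched=1 the
 * check from the posted diff. */
int select_cert(const struct bag *bags, int n, int patched)
{
    const char *keyid = NULL;          /* models *keyid */
    int keymatch = 0, chosen = -1;

    for (int i = 0; i < n; i++) {
        const char *lkey = bags[i].lkey[0] ? bags[i].lkey : NULL;

        if (lkey) {
            if ((keymatch & MATCH_ALL) != MATCH_ALL) {
                if (keyid) {
                    if (strcmp(keyid, lkey)) lkey = NULL;  /* ID mismatch */
                } else {
                    keyid = lkey;      /* first ID seen becomes the reference */
                }
            } else if (patched) {
                lkey = NULL;           /* pair already complete: ignore bag */
            }
        }
        /* Assumed downstream handling, not shown in the message. */
        if (!lkey) continue;
        if (bags[i].is_key) keymatch |= MATCH_KEY;
        else { keymatch |= MATCH_CERT; chosen = i; }
    }
    return chosen;
}

int main(void)
{
    /* Constructed file: key A, its cert A, then another cert with ID B. */
    const struct bag p12[] = { {1, "A"}, {0, "A"}, {0, "B"} };
    printf("original: cert %d, patched: cert %d\n",
           select_cert(p12, 3, 0), select_cert(p12, 3, 1));
    return 0;
}
```

In the original check the ID comparison is skipped once both flags are set, so the unrelated cert at index 2 replaces the matching one; with the posted change the cert at index 1 is kept.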