From 213a2d0a7d4905e862c920c6f6726061826ac4a1 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Fri, 19 Jan 2018 15:41:52 -0700
Subject: [PATCH 1/2] reverse order that certificates are compared with private
 key when parsing PKCS12

---
 wolfcrypt/src/pkcs12.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/wolfcrypt/src/pkcs12.c b/wolfcrypt/src/pkcs12.c
index dde77ef62..681994757 100644
--- a/wolfcrypt/src/pkcs12.c
+++ b/wolfcrypt/src/pkcs12.c
@@ -768,6 +768,7 @@ int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
 {
     ContentInfo* ci       = NULL;
     WC_DerCertList* certList = NULL;
+    WC_DerCertList* tailList = NULL;
     byte* buf             = NULL;
     word32 i, oid;
     int ret, pswSz;
@@ -1067,12 +1068,13 @@ int wc_PKCS12_parse(WC_PKCS12* pkcs12, const char* psw,
 
                     /* put the new node into the list */
                     if (certList != NULL) {
-                        WOLFSSL_MSG("Pushing new cert onto stack");
-                        node->next = certList;
-                        certList = node;
+                        WOLFSSL_MSG("Pushing new cert onto queue");
+                        tailList->next = node;
+                        tailList = node;
                     }
                     else {
                         certList = node;
+                        tailList = node;
                     }
 
                     /* on to next */

From 62b8c0c3fdbc2ae3af882502e9bc7174f3e9a7cc Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh <jacob@wolfssl.com>
Date: Wed, 7 Feb 2018 16:52:39 -0700
Subject: [PATCH 2/2] add test case for order of certificates with PKCS12 parse

---
 certs/ecc-rsa-server.p12 | Bin 0 -> 2406 bytes
 certs/include.am         |   1 +
 certs/renewcerts.sh      |  11 +++++++++
 tests/api.c              |  51 +++++++++++++++++++++++++++++++++++++++
 wolfssl/test.h           |   2 ++
 5 files changed, 65 insertions(+)
 create mode 100644 certs/ecc-rsa-server.p12

diff --git a/certs/ecc-rsa-server.p12 b/certs/ecc-rsa-server.p12
new file mode 100644
index 0000000000000000000000000000000000000000..e1682b5cd801ed499275531e59b6e0e84532644a
GIT binary patch
literal 2406
zcmXqL;!I*<WHxBx)L`S(YV&CO&dbQoxS)wslBJ1L)S!t|(4dKf9U;ZGpo#s5K@<BI
zCPoH>Cib@o8AbycHZG_MJdDf+d@LMX9~|AJ|Fz#{V&Y(EXktHLm+|-e5!H-r?#&a5
zH@$qxWvm@Fna%Ou+&jmeB)yN896s*H%--;DYR|of1+wLfPcQw|_~6*FEwxIsHYO}E
z<+EYC&>s7r<;l56rN8v<9&o8XcsD&n*Y(X}`y=Z-%w`${?E3Nf!z<}sD;sMIeFODo
zR~fLJiB~wDWGMEU$-~u5-d#yNZpqREl568WzRtWUd4;pr#*Z(_C3|TgJKry3y{p&b
z5`P}^DiMf1bSh0~$@K%D>gMWR`THdE`2W)@(-zC}>+s)Vo5nZG-tfXK_78iOtQDNG
z;Yg?dj|85?pNko<PyYV4;ahlG(+X`JmQ_zDmVTRlM`2ac-Z{l8Q7k7}Qa`X;CI)|c
zyFlxfMZhJaq-NpM#f-9Rukl^tFkk-Vx5U9Ya%H98Pm1pAV%$<2Ti>5&x!HK%OsTs%
zU!)&C+sps^Rb=S$<y^jbJEh+LvR0pcNmiv^?%#(4vv)ETTWB!NU2{D9!2V`C@zdPV
z!VRZ?hkmQxex9x9=j8)`UWzg}+Gl(I<kmHC(UZ`1{=7(R`l*ElHzT*s{QmWbg2&#A
zU#A_E2&uQzwb-5Wxp|VXMARw!6gx*3Dc=(dHa8wTF?~bYZ1y5)<sCnREIC#%ng=|y
zVJ?lh!T9@dH>;|B(%OIpcbJdbSzA5)_pp9#to&Jb1|^27*!9bKm6AN!oz^UM;;jC)
zU+e!#o#jri#R@Zc>Ld0lI%tP2xtArcbTM;12gj1;Q+m%NcRg(V|NYvlZ9o3mFnG_-
zeLepV_u?xC%YxN9eYo3Z6qr9}-&PT4x#uIlV%FsBXNLDv^cCB=7D>0x+r@t-e)FTJ
z9*f@Y<eTC6M(d1@At&o%&%R(06N$vGs2|Uk`23x>)AuuHrccwxP;;5k#-Lx5F7!n{
zoX{y4{C;Y<h0L0Y_u4UMP2*xE6K;e~|M_68TY66Dfhie1rQ93eep>w6YI6NQri@uG
z?Dl#`BL%;Qmi(IZ@7Mh^2Yi<HG5_OTxX35|$?pT#D@3)5H@{0={`E4Cee(a9o|6vs
z*O;@i<6TZ4abJ?BzAELL0hbBOzl}?aHu35HncncsudZ3BYL0;u>qmzG;q-8hsjrW5
z{kpkJqIF8Ez>;MPH~UrX-q<YmYR?J9`+F2xm|k0d;py48W70=YA?xckjPI}2$L-QI
zk6x3smL+M<J6G?04Xd0Bjx2PIzUTYSVk66spqnKb{kNX@S-vq}_G8`3uI`8Dc3G>K
zHSbD$vT3qX>hsNw1r0iNeqw$ev&yc0`RtoKS&ZxNk^RS2SkANPx^Jj&yI7e2#_PbA
zHy>m#MRb?gPy1Bm6K!4@FJ#T&rC0fzW9r_RvaEj@+w%`E)tRZCdc1n|lGM+CkD7^1
ze6(xcq0C;B^FB`8O$o<$Y<can?P3vQbI9zsogIwwdtOhNWY*`xnc%eX+W~E>Rl8YF
zTCFJO{q}IxQ4^Vx72iKPe|nbxlGkUENb7x3>GyFQ&$FKt2Hj~;eiCrjH=pUa%@HG+
zE`ffI`7@TTN|Lo^+;q1zXN6qZ&O<9Xdek3mRX+K(#7<bCO|0ZW>IJhW$E6QW)6Gu4
zx=LJ!VcX@pTRYz$U3pmag^o~l=DS;Jwp`EhwHL<(J%3kf{37z#IhTXt>teU<@o}hp
z5u<VG>>sHo7i0TYw)^pX4qSaMYPImqtjP;@JZL#=V6t}Y<J0C&Z(d%t<>xC|UERQ?
zwyZhYOsIWvsHv61;@Ib<nQNRbv`pC9!?A5PU$KnaMXT2j!;Jo(l`GNT(7t>A#GmW9
z{l%ZvCS8`#56D?AwC7>*v6EtlTu(WgIvGvh&1ji;`=QJX;R565nUlrk=G}c<tJY_D
zN?W=oE%LL2HcR$v$7lC9FV<*&@b}k`bUDYwqT9CnxRNv;ZCW7s!BOA)<*v)wwY-Ia
z@{T#Xzue(uVm!k9rhE3EowL6!Z>`jFC|LE~woxrI%CmOa?ishg`InXiYX5lQ#??Aw
z`<wDrWd?Jk75?9t)Lq;1`_5^W3YKloAInw5|1SBuI{ZhoS=Z$m>+XcJZS600PFdu<
zc(K>)xWAUKq_u8!iYu}3xbF?FSh%nMu{!JKppWjh85{~r{+_Nj2-$9t6k+^5T00?{
z&&r^u_`keg`W~gD%W6~Xyv#)pf8ILfxm?JON3O1x_om*E&AHUDGheF3yT?m5r1$=x
z8m3ED^+Ng|BzV6DPD!1`W_06#z%SOt0WBgAC!RU)Et!yfU3Y5d%#T^Brj>j9Rf3nz
z`@U4ZQNiTqq~cY)3!8Ft^X#6z&w5jq?h~lIL5ElBtwW(u+SK`x648DVaX(k`>pazB
zZoKi)I$!9u(eJYtKJKenKl^iTq42j?y6YbA?P<BR@4&|YaS~BC_eW^lnmFtG;o8zT
zr(=IOX8oSA$+_TWUT=-@OO=kT$G&{iu4r)G=UEhg`JjXIiMP$Q`rMA+-YA?AU3`4z
z4?8}?+8xq|UNAqX6#x15&kwUo9WgB)chPTAZdcdqSFh?=ED=3NY~Eqk>967s^9xA!
zS1(X}80$BQjW_X-f99HfiIyRc1V4wl*O`C)yYNx=$E+`hGqUrZF@@F5y1=wiXW`_8
zJL$7OoIk(vndKBiw$xc)+of+8R9|^rza(hM&8>>jOD`==yJA@yu=(SjD^~U4a}&=k
zxEH@rar!Mwkw%>xsTGXDA_mjNTP*pcCMwlPns85;_1)<9g(zmdg}NEB%CAmV%J|$c
zXkuhSs_+*yeqm|+Xwdl1pz$>uH>~RCVq{v-xW%AxBW8PGQbUX0>YWQUK<xpR#tEl?
z1|K;ccx?63wY<_{Nr&u271s&;^3=U|+cL)^B1A7@hDgqG)i1ZQ{&u=FABdUT^43S-
zNj&$0>w14bx_{x!y?HOJc%4`9T?tQKHV&?=M!W0Z;ywi4(ktKoe5Z2W^c6k+or_l-
z%f6y`@u`w++tI4O^EQ<2ah123uIBi3--J2ZwyRe>+Qq6Xdr5$O>APh?tK<z;4V2;D
z;}kU%V-cDE=ufP!V))(s&F|JNI}sd|l%L^jU}&Idz{$p{&Bx3n#mc}U;(oMXLd*K7
fuAWKzEQD&_S-J;QKV#uoFS6pHjPv}RAkP8-oY-z>

literal 0
HcmV?d00001

diff --git a/certs/include.am b/certs/include.am
index 192de5351..55e8632f2 100755
--- a/certs/include.am
+++ b/certs/include.am
@@ -35,6 +35,7 @@ EXTRA_DIST += \
 	     certs/server-revoked-key.pem \
 	     certs/wolfssl-website-ca.pem \
 	     certs/test-servercert.p12 \
+	     certs/ecc-rsa-server.p12 \
 	     certs/dsaparams.pem \
 	     certs/ecc-privOnlyKey.pem \
 	     certs/ecc-privOnlyCert.pem \
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index ea45b8988..edc7ac164 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -274,12 +274,23 @@ function run_renewcerts(){
     openssl x509 -inform PEM -in server-ecc.pem -outform DER -out server-ecc.der
     openssl x509 -inform PEM -in server-ecc-comp.pem -outform DER -out server-ecc-comp.der
 
+    ############################################################
+    ###### update the ecc-rsa-server.p12 file ##################
+    ############################################################
+    echo "Updating ecc-rsa-server.p12 (password is \"\")"
+    echo ""
+    echo "" | openssl pkcs12 -des3 -descert -export -in server-ecc-rsa.pem -inkey ecc-key.pem -certfile server-ecc.pem -out ecc-rsa-server.p12 -password stdin
+
+    ############################################################
+    ########## store DER files as buffers ######################
+    ############################################################
     echo "Changing directory to wolfssl root..."
     echo ""
     cd ../
     echo "Execute ./gencertbuf.pl..."
     echo ""
     ./gencertbuf.pl
+
     ############################################################
     ########## generate the new crls ###########################
     ############################################################
diff --git a/tests/api.c b/tests/api.c
index 500998b92..9e3659c9e 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -2527,7 +2527,9 @@ static void test_wolfSSL_PKCS12(void)
     !defined(NO_ASN) && !defined(NO_PWDBASED) && !defined(NO_RSA)
     byte buffer[5300];
     char file[] = "./certs/test-servercert.p12";
+    char order[] = "./certs/ecc-rsa-server.p12";
     char pass[] = "a password";
+    WOLFSSL_X509_NAME* subject;
     FILE *f;
     int  bytes, ret;
     WOLFSSL_BIO      *bio;
@@ -2535,6 +2537,7 @@ static void test_wolfSSL_PKCS12(void)
     WC_PKCS12        *pkcs12;
     WC_PKCS12        *pkcs12_2;
     WOLFSSL_X509     *cert;
+    WOLFSSL_X509     *x509;
     WOLFSSL_X509     *tmp;
     WOLF_STACK_OF(WOLFSSL_X509) *ca;
 
@@ -2647,6 +2650,54 @@ static void test_wolfSSL_PKCS12(void)
     PKCS12_free(pkcs12_2);
     sk_X509_free(ca);
 
+
+    /* test order of parsing */
+    f = fopen(order, "rb");
+    AssertNotNull(f);
+    bytes = (int)fread(buffer, 1, sizeof(buffer), f);
+    fclose(f);
+
+    AssertNotNull(bio = BIO_new_mem_buf((void*)buffer, bytes));
+    AssertNotNull(pkcs12 = d2i_PKCS12_bio(bio, NULL));
+    AssertIntEQ((ret = PKCS12_parse(pkcs12, "", &pkey, &cert, &ca)),
+            WOLFSSL_SUCCESS);
+    AssertNotNull(pkey);
+    AssertNotNull(cert);
+    AssertNotNull(ca);
+
+    /* compare subject lines of certificates */
+    AssertNotNull(subject = wolfSSL_X509_get_subject_name(cert));
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(eccRsaCertFile,
+                SSL_FILETYPE_PEM));
+    AssertIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject,
+            (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0);
+    X509_free(x509);
+
+    /* test expected fail case */
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(eccCertFile,
+                SSL_FILETYPE_PEM));
+    AssertIntNE(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject,
+            (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0);
+    X509_free(x509);
+    X509_free(cert);
+
+    /* get subject line from ca stack */
+    AssertNotNull(cert = sk_X509_pop(ca));
+    AssertNotNull(subject = wolfSSL_X509_get_subject_name(cert));
+
+    /* compare subject from certificate in ca to expected */
+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(eccCertFile,
+                SSL_FILETYPE_PEM));
+    AssertIntEQ(wolfSSL_X509_NAME_cmp((const WOLFSSL_X509_NAME*)subject,
+            (const WOLFSSL_X509_NAME*)wolfSSL_X509_get_subject_name(x509)), 0);
+
+    EVP_PKEY_free(pkey);
+    X509_free(x509);
+    X509_free(cert);
+    BIO_free(bio);
+    PKCS12_free(pkcs12);
+    sk_X509_free(ca);
+
     printf(resultFmt, passed);
 #endif /* OPENSSL_EXTRA */
 }
diff --git a/wolfssl/test.h b/wolfssl/test.h
index f1e2c6bc4..2ca3d491b 100644
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@@ -258,6 +258,7 @@
 #define caCertFile     "certs/ca-cert.pem"
 #define eccCertFile    "certs/server-ecc.pem"
 #define eccKeyFile     "certs/ecc-key.pem"
+#define eccRsaCertFile "certs/server-ecc-rsa.pem"
 #define svrCertFile    "certs/server-cert.pem"
 #define svrKeyFile     "certs/server-key.pem"
 #define cliCertFile    "certs/client-cert.pem"
@@ -277,6 +278,7 @@
 #define caCertFile     "./certs/ca-cert.pem"
 #define eccCertFile    "./certs/server-ecc.pem"
 #define eccKeyFile     "./certs/ecc-key.pem"
+#define eccRsaCertFile "./certs/server-ecc-rsa.pem"
 #define svrCertFile    "./certs/server-cert.pem"
 #define svrKeyFile     "./certs/server-key.pem"
 #define cliCertFile    "./certs/client-cert.pem"