From 40b64553f577716cb4898895f5fd4530a6266c75 Mon Sep 17 00:00:00 2001
From: Matt Caswell
Date: Tue, 29 Jan 2019 15:04:38 +0000
Subject: [PATCH] Complain if -twopass is used incorrectly
The option -twopass to the pkcs12 app is ignored if -passin, -passout or -password is used. We should complain if an attempt is made to use it in combination with those options.
Fixes #8107
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/8114)
---
 apps/pkcs12.c | 7 +++++++
 doc/man1/pkcs12.pod | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 94d6661c3f..bf22aeb48d 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -311,6 +311,13 @@ int pkcs12_main(int argc, char **argv)
 if (cpass != NULL) {
 mpass = cpass;
 noprompt = 1;
+ if (twopass) {
+ if (export_cert)
+ BIO_printf(bio_err, "Option -twopass cannot be used with -passout or -password\n");
+ else
+ BIO_printf(bio_err, "Option -twopass cannot be used with -passin or -password\n");
+ goto end;
+ }
 } else {
 cpass = pass;
 mpass = macpass;
diff --git a/doc/man1/pkcs12.pod b/doc/man1/pkcs12.pod
index 67adaa1e15..b1b688449e 100644
--- a/doc/man1/pkcs12.pod
+++ b/doc/man1/pkcs12.pod
@@ -154,7 +154,8 @@ Don't attempt to verify the integrity MAC before reading the file. Prompt for separate integrity and encryption passwords: most software always assumes these are the same so this option will render such
-PKCS#12 files unreadable.
+PKCS#12 files unreadable. Cannot be used in combination with the options
+-password, -passin (if importing) or -passout (if exporting).
 =back
-- 2.25.1
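Review bot: The new `goto end` inside the `if (twopass)` branch relies on whatever value `ret` holds at that point, and that is set outside this hunk; confirm it is still the failure value there, so that a script combining -twopass with -passin, -passout or -password gets a non-zero exit and not just a message on stderr. The two `BIO_printf` calls differ only in the option name and appear to run past 80 columns, so they could be folded into `BIO_printf(bio_err, "Option -twopass cannot be used with %s or -password\n", export_cert ? "-passout" : "-passin");`. The diffstat lists no test file, so a regression back to silently ignoring -twopass (and producing a file with one password where the user expected separate MAC and encryption passwords) would not be caught. pkcs12_main starts and ends outside the hunk.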