38 lines
1.3 KiB
Diff
38 lines
1.3 KiB
Diff
From: Ben Hutchings <ben@decadent.org.uk>
|
|
Date: Mon, 04 Apr 2016 12:53:35 +0100
|
|
Subject: scripts: Fix X.509 PEM support in sign-file
|
|
|
|
sign-file originally required the X.509 certificate to be in DER
|
|
format, but now has a fallback to PEM format. It expects BIO_reset()
|
|
to return 1 on success, but:
|
|
|
|
BIO_reset() normally returns 1 for success and 0 or -1 for failure.
|
|
File BIOs are an exception, they return 0 for success and -1 for
|
|
failure.
|
|
|
|
BIO_reset() also prints accumulated error messages, which we don't
|
|
want when we're about to try a fallback, so drain them first.
|
|
|
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
---
|
|
--- a/scripts/sign-file.c
|
|
+++ b/scripts/sign-file.c
|
|
@@ -229,10 +229,14 @@ int main(int argc, char **argv)
|
|
ERR(!b, "%s", x509_name);
|
|
x509 = d2i_X509_bio(b, NULL); /* Binary encoded X.509 */
|
|
if (!x509) {
|
|
- ERR(BIO_reset(b) != 1, "%s", x509_name);
|
|
+ /*
|
|
+ * We want to hold onto the error messages in case
|
|
+ * it's neither valid DER or PEM, but BIO_reset() will
|
|
+ * print them immediately so we can't.
|
|
+ */
|
|
+ drain_openssl_errors();
|
|
+ ERR(BIO_reset(b) != 0, "%s", x509_name);
|
|
x509 = PEM_read_bio_X509(b, NULL, NULL, NULL); /* PEM encoded X.509 */
|
|
- if (x509)
|
|
- drain_openssl_errors();
|
|
}
|
|
BIO_free(b);
|
|
ERR(!x509, "%s", x509_name);
|