If one naively uses PKCS12_parse to extract key, certificate, and certificate chain, and then iterates through the STACK_OF(X509) calling SSL_CTX_add_extra_chain_cert (starting at sk_X509_value(ca, 0)) then the chain will be in the opposite order to what's in the PKCS#12 file.
That seems consistent with what the code in crypto/pkcs12/p12_kiss.c is saying: having constructed ocerts from the file, it iterates with a loop

    while ((x = sk_X509_pop(ocerts)))

doing

    if (!sk_X509_push(*ca, x))

So (IIUC) the order's exactly reversed.

Is that behaviour a bug or a feature? (Given that it's presumably always been that way, I guess it's a feature?)
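An added example, not part of the original post and not OpenSSL code: a small C model of the pop/push loop quoted above, next to a chain walk that follows issuer links from the leaf so the result does not depend on the order the stack comes back in. The struct, the names and the sample certificates are constructed stand-ins; with real X509 objects, X509_check_issued() is the call that would take the place of the name comparison.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for X509: only the two names that decide chain order.
   All names below are constructed sample data, not OpenSSL types. */
struct cert { const char *subject, *issuer; };

static const struct cert LEAF = { "www.example.test", "Example Issuing CA" };
/* "File order" of the extra certificates: intermediate first, then root. */
static const struct cert FILE_ORDER[2] = {
    { "Example Issuing CA", "Example Root CA" },
    { "Example Root CA",    "Example Root CA" },
};
static struct cert rev_buf[8], chain_buf[8];

/* Model of the quoted loop: pop from the tail of src, push onto dst. */
static size_t pop_push(const struct cert *src, size_t n, struct cert *dst)
{
    size_t out = 0;
    while (n > 0)
        dst[out++] = src[--n];
    return out;
}

/* Walk issuer links from the leaf, whatever order ca[] arrives in.
   Fills chain[] with the leaf's issuer first; returns how many were placed. */
static size_t order_chain(const struct cert *leaf, const struct cert *ca,
                          size_t n, struct cert *chain)
{
    const char *want = leaf->issuer;
    size_t out = 0, i;
    while (out < n) {                   /* bound also stops issuer cycles */
        for (i = 0; i < n; i++)
            if (strcmp(ca[i].subject, want) == 0)
                break;
        if (i == n)
            break;                      /* issuer missing: chain is incomplete */
        chain[out++] = ca[i];
        if (strcmp(ca[i].issuer, want) == 0)
            break;                      /* self-signed root: done */
        want = ca[i].issuer;
    }
    return out;
}

int main(void)
{
    size_t i, n;
    pop_push(FILE_ORDER, 2, rev_buf);   /* reversed, as the post describes */
    n = order_chain(&LEAF, rev_buf, 2, chain_buf);
    for (i = 0; i < n; i++)
        printf("%lu: %s\n", (unsigned long)i, chain_buf[i].subject);
    return 0;
}
```

A return value smaller than the number of certificates supplied means an issuer was missing or a certificate did not belong to the leaf's chain.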