Hi,

The behavior of this function in openssl 1.0.1 seems changed (compared with 0.9.8d).

In the early release, the user key parameter could be NULL if only the user cert was of interest, e.g. PKCS12_parse(p12, password, NULL, &cert, NULL) used to return the cert. In 1.0.1, both the key and the cert parameter have to be non-NULL (may not be initialized though), otherwise the cert will not be returned. See code in evp_pbe.c:

    133     while ((x = sk_X509_pop(ocerts)))
    134         {
    135         if (pkey && *pkey && cert && !*cert)
    136             {
    137             if (X509_check_private_key(x, *pkey))
    138                 {
    139                 *cert = x;    <== cert is only returned when both pkey and cert are not NULL
    140                 x = NULL;
    141                 }
    142             }

Is this change intended or a bug?

Thanks,
-binlu
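The condition quoted in the message above, modelled as an added example that is not part of the original post and is not OpenSSL code. All `toy_*` types and functions, the sample data, and the assumption that the key is only extracted when a key pointer is supplied are hypothetical stand-ins, so the block runs without libcrypto.

```c
#include <stddef.h>
/* Stand-in types, constructed for this example; NOT OpenSSL's X509/EVP_PKEY. */
typedef struct { const char *subject; int key_id; } toy_cert;
typedef struct { int key_id; } toy_key;
typedef struct { toy_key *key; toy_cert *certs; size_t ncerts; } toy_p12;

/* Constructed sample: a leaf cert matching the key, plus an unrelated CA cert. */
static toy_key  sample_key     = { 7 };
static toy_cert sample_certs[] = { { "CN=leaf", 7 }, { "CN=ca", 1 } };
static toy_p12  sample         = { &sample_key, sample_certs, 2 };

/* Stand-in for X509_check_private_key(): 1 if cert and key belong together. */
static int toy_check_private_key(const toy_cert *x, const toy_key *k)
{
    return x->key_id == k->key_id;
}

/* Model of the parse call; the inner condition is the one quoted above. */
static int toy_parse(toy_p12 *p12, toy_key **pkey, toy_cert **cert)
{
    size_t n = p12->ncerts;
    if (pkey) *pkey = p12->key;   /* assumption: key extracted only on request */
    if (cert) *cert = NULL;
    while (n-- > 0) {             /* walks from the end, like sk_X509_pop() */
        toy_cert *x = &p12->certs[n];
        if (pkey && *pkey && cert && !*cert) {
            if (toy_check_private_key(x, *pkey))
                *cert = x;
        }
    }
    return 1;
}

/* Caller written for 0.9.8d: key argument NULL, only the cert is wanted. */
static toy_cert *cert_only_old_style(toy_p12 *p12)
{
    toy_cert *cert = NULL;
    toy_parse(p12, NULL, &cert);
    return cert;                  /* stays NULL under the quoted condition */
}

/* Caller that gets the cert either way: always pass a key out-pointer. */
static toy_cert *cert_only_portable(toy_p12 *p12)
{
    toy_key *key = NULL;          /* with real OpenSSL, free the returned key */
    toy_cert *cert = NULL;
    toy_parse(p12, &key, &cert);
    return cert;
}
```

A caller that treats a NULL cert as "no certificate in the file" should check the result explicitly, since under this condition a NULL key argument produces the same outcome as a file without a matching certificate.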