Hi Philippe,

>> You accept the PKCS12 file even if the password is incorrect. This is
>> clearly wrong.
>
> It is not accepted. If the verification fails, ERR is spewed out and the next
> step (parse, below) will fail as well.

Is this how Windows fails? That is, with a parse error? Please add a test to
cover this case.

>> You don't support more than a single certificate in the PKCS12 file.
>> This may be fine for the majority of uses, but at least a warning
>> indicating more certificates are present would be helpful.
>
> Hmmm. How do you suggest I do that? From
> <http://www.openssl.org/docs/crypto/PKCS12_parse.html> I get this:
>
> BUGS
>
> Only a single private key and corresponding certificate is returned by
> this function. More complex PKCS#12
> files with multiple private keys will only return the first match.

Look at the 5th parameter of PKCS12_parse. It's true that OpenSSL will only
return a single certificate with a private key, but not every certificate in
a PKCS12 file need contain a private key.

>> Also, a
>> PKCS12 file can contain more than just certificates, and the tests
>> ought at least to check this. For example, what about a PKCS12 file
>> with a CRL in it?
>
> I have not seen, nor needed to implement this, so I'm not sure how to test
> for it. Maybe add a comment to the test? Or a wine_todo test so we don't lose
> this information?

Test for it the way you should any Wine test: on Windows. Create a store with
a CRL in it, export it to a PKCS12 file, and use that as your test case.

>> The Crypto API also supports setting such attributes, and if you
>> aren't going to support these, at least the tests should cover them
>> (and marked todo_wine) so we know they're still not done.
>
> Same answer. I guess I can update the test set with more wine_todo().

Yes, I'd appreciate that.

> If you create a store with no name, you run the risk of it not being created
> (if there is another store with no name).

Not for a memory store, it's just a linked list.
--Juan
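An added illustration of the two points raised above (extra certificates without a private key, and an incorrect password being rejected outright); this is example code written for this page, not Wine's crypt32 code or the patch under review. It assumes the third-party `cryptography` package, whose `load_key_and_certificates()` returns `(key, cert, additional_certs)`, the third item corresponding to the `ca` stack that is the 5th parameter of OpenSSL's `PKCS12_parse`.

```python
# Added example (not from the Wine patch under review): builds a PKCS#12 blob
# in memory holding one key+certificate pair plus one extra certificate with
# no private key, then shows what a loader gets back and that a wrong password
# is rejected up front rather than surfacing as a later parse failure.
# Assumes the third-party 'cryptography' package.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _self_signed(common_name):
    """Constructed test data: a throwaway RSA key and self-signed certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_pkcs12(password):
    """Serialize one key+cert pair plus an extra cert that has no private key."""
    key, cert = _self_signed("leaf.example")
    _, extra = _self_signed("ca.example")   # certificate only; its key is dropped
    return pkcs12.serialize_key_and_certificates(
        b"test", key, cert, [extra],
        serialization.BestAvailableEncryption(password))


def load_summary(data, password):
    """Return (has_key, has_cert, number_of_additional_certs), or None when the
    MAC/password check fails; the failure is explicit, not a parse error."""
    try:
        key, cert, extra = pkcs12.load_key_and_certificates(data, password)
    except ValueError:
        return None
    return (key is not None, cert is not None, len(extra))
```

With the correct password the loader reports one key, one certificate and one additional certificate that carries no key; with a wrong password it fails before any certificate is returned.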