authorMatt Caswell <matt@openssl.org>2021-05-27 09:00:47 +0100
committerPauli <pauli@openssl.org>2021-06-05 17:39:27 +1000
commit6282d6c28456543734defc45f653adeec1362958 (patch)
treeb1d6d23e0317886150b569c45ae7f1f868d6a8b5
parentc6313780586f94b0542f55c3ffa399f5ad2c7297 (diff)
Make sure X509_dup() also dup's any associated EVP_PKEY
Otherwise we can end up with a blank EVP_PKEY. If it is later recreated it can end up with the wrong libctx/propq. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15591)
-rw-r--r--crypto/x509/x_x509.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index a45b89cbeb..6666058b4c 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -104,6 +104,23 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
if (!ossl_x509_set0_libctx(ret, old->libctx, old->propq))
return 0;
+ if (old->cert_info.key != NULL) {
+ EVP_PKEY *pkey = X509_PUBKEY_get0(old->cert_info.key);
+
+ if (pkey != NULL) {
+ pkey = EVP_PKEY_dup(pkey);
+ if (pkey == NULL) {
+ ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ if (!X509_PUBKEY_set(&ret->cert_info.key, pkey)) {
+ EVP_PKEY_free(pkey);
+ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ EVP_PKEY_free(pkey);
+ }
+ }
}
break;
default:
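Review bot: The `EVP_PKEY_dup(pkey)` failure branch raises `ERR_R_MALLOC_FAILURE`, but nothing visible in the hunk shows that allocation is the only way the duplication can fail. If a key's implementation cannot be copied, the error queue would point at memory exhaustion, and X509_dup() would presumably now fail for a certificate it duplicated before this change. I would raise `ERR_raise(ERR_LIB_X509, ERR_R_EVP_LIB);` there so that the underlying EVP error remains the visible cause. A short comment above the new block would also help, since the reason is only in the commit message: `/* Dup the cached EVP_PKEY so it is not recreated later with the wrong libctx/propq */`. x509_cb starts before and continues after this hunk, so the other operations in the switch are not covered here.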