Remove TODO to reverse the output of PKCS12_parse.
OpenSSL classified their behavior as a bug and are fixing it for the
next release. In principle it'd be more compatible to emulate OpenSSL's
bug and undo it when we update OPENSSL_VERSION_NUMBER, but use of
PKCS12_parse is rare and this behavior is confusing, so let's leave it
as-is.
Bug: 250
Change-Id: I5f9825490a8afde67272dfaf476b35dbde94b59c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/46064
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/crypto/pkcs8/pkcs8_x509.c b/crypto/pkcs8/pkcs8_x509.c
index b8439a5..efdf33a 100644
--- a/crypto/pkcs8/pkcs8_x509.c
+++ b/crypto/pkcs8/pkcs8_x509.c
@@ -943,11 +943,6 @@
// OpenSSL selects the last certificate which matches the private key as
// |out_cert|.
- //
- // TODO(davidben): OpenSSL additionally reverses the order of the
- // certificates, which was likely originally a bug, but may be a feature by
- // now. See https://crbug.com/boringssl/250 and
- // https://github.com/openssl/openssl/issues/6698.
*out_cert = NULL;
size_t num_certs = sk_X509_num(ca_certs);
if (*out_pkey != NULL && num_certs > 0) {
diff --git a/include/openssl/pkcs8.h b/include/openssl/pkcs8.h
index 9da54aa..4f21ef3 100644
--- a/include/openssl/pkcs8.h
+++ b/include/openssl/pkcs8.h
@@ -175,7 +175,9 @@
//
// Note if |p12| does not contain a private key, both |*out_pkey| and
// |*out_cert| will be set to NULL and all certificates will be returned via
-// |*out_ca_certs|.
+// |*out_ca_certs|. Also note this function differs from OpenSSL in that extra
+// certificates are returned in the order they appear in the file. OpenSSL 1.1.1
+// returns them in reverse order, but this will be fixed in OpenSSL 3.0.
//
// It returns one on success and zero on error.
//
