authorKazuki Yamaguchi <k@rhe.jp>2016-09-05 20:51:42 +0900
committerKazuki Yamaguchi <k@rhe.jp>2016-09-05 20:54:44 +0900
commit68ca4b61bf43a22581ebb5649252a65633a1b680 (patch)
treed74f6316ecf4abda4e50b133c78b5cf8b5b492ac /ext/openssl/ossl_pkcs12.c
parent617461ba6de6f7883e636f91461ee78c72e14ff2 (diff)
downloadruby-openssl-68ca4b61bf43a22581ebb5649252a65633a1b680.tar.gz
pkcs12: fix .new to handle strucuture with no keys or no certstopic/pkcs12-read-no-private-key
It's possible that a PKCS #12 structure holds zero private keys. In that case PKCS12_parse() returns NULL as the private key. Likewise, when the structure does not contain the certificate corresponding to the private key, PKCS12_parse() returns NULL as the certificate. Reported and fix suggested by Masahiro Tomita <tommy@tmtm.org>. [ruby-dev:49776] [Bug #12726]
Diffstat (limited to 'ext/openssl/ossl_pkcs12.c')
-rw-r--r--ext/openssl/ossl_pkcs12.c20
1 files changed, 11 insertions, 9 deletions
diff --git a/ext/openssl/ossl_pkcs12.c b/ext/openssl/ossl_pkcs12.c
index a7daad20..0b9c7816 100644
--- a/ext/openssl/ossl_pkcs12.c
+++ b/ext/openssl/ossl_pkcs12.c
@@ -190,15 +190,17 @@ ossl_pkcs12_initialize(int argc, VALUE *argv, VALUE self)
if(!PKCS12_parse(pkcs, passphrase, &key, &x509, &x509s))
ossl_raise(ePKCS12Error, "PKCS12_parse");
ERR_pop_to_mark();
- pkey = rb_protect((VALUE (*)(VALUE))ossl_pkey_new, (VALUE)key,
- &st); /* NO DUP */
- if(st) goto err;
- cert = rb_protect((VALUE (*)(VALUE))ossl_x509_new, (VALUE)x509, &st);
- if(st) goto err;
- if(x509s){
- ca =
- rb_protect((VALUE (*)(VALUE))ossl_x509_sk2ary, (VALUE)x509s, &st);
- if(st) goto err;
+ if (key) {
+ pkey = rb_protect((VALUE (*)(VALUE))ossl_pkey_new, (VALUE)key, &st);
+ if (st) goto err;
+ }
+ if (x509) {
+ cert = rb_protect((VALUE (*)(VALUE))ossl_x509_new, (VALUE)x509, &st);
+ if (st) goto err;
+ }
+ if (x509s) {
+ ca = rb_protect((VALUE (*)(VALUE))ossl_x509_sk2ary, (VALUE)x509s, &st);
+ if (st) goto err;
}
err:
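Review bot: The rewritten `ossl_pkey_new` call loses the `/* NO DUP */` comment, which was the only note in this hunk that `key` is wrapped without duplication, apparently unlike `x509`. I would keep it on the new line, for example `/* NO DUP: the PKey object takes ownership of key */`, so that a later change does not add a free of `key` to the cleanup under `err:` and introduce a double free. Separately, a skipped guard now leaves `pkey`, `cert` or `ca` unassigned in this hunk, so the code depends on them being set to `Qnil` earlier in the function. The function begins and continues outside the hunk, so both the initialisation and the cleanup after `err:` should be confirmed there.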