Commit ea902d80b3 for openssl.org

commit ea902d80b36691861644d68cade280a18c19b6f7
Author: Jakub Zelenka <jakub.zelenka@openssl.foundation>
Date:   Tue Jun 23 11:35:42 2026 +0200

    apps: cover the unencrypted key bag path in the pkcs12 test recipe

    The NID_keyBag branch of dump_certs_pkeys_bag() was not exercised.
    Export a file with -keypbe NONE and dump it, checking the key bag is
    reported and its private key is output.

    Assisted-by: Claude:claude-opus-4-8

    Reviewed-by: Matt Caswell <matt@openssl.foundation>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Wed Jul  8 18:02:22 2026
    (Merged from https://github.com/openssl/openssl/pull/31665)

diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index a1dc539311..5e9838d107 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -56,7 +56,7 @@ $ENV{OPENSSL_WIN32_UTF8}=1;

 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);

-plan tests => 61 + ($no_fips ? 0 : 5);
+plan tests => 64 + ($no_fips ? 0 : 5);

 # Test different PKCS#12 formats
 ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -176,6 +176,29 @@ ok(grep(/Trusted key usage (Oracle)/, @pkcs12info) == 0,
     ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_outerr6_empty");
 }

+# Test dumping a PKCS#12 file whose private key is stored in an unencrypted
+# keyBag (created with -keypbe NONE) rather than a shrouded keyBag.
+{
+    my $keybag = "keybag.p12";
+    ok(run(app(["openssl", "pkcs12", "-export", "-keypbe", "NONE",
+                "-certpbe", "NONE", "-nomac",
+                "-inkey", srctop_file(@path, "cert-key-cert.pem"),
+                "-in", srctop_file(@path, "cert-key-cert.pem"),
+                "-passout", "pass:", "-out", $keybag])),
+       "export PKCS#12 with an unencrypted key bag");
+
+    # -nodes so the dumped key isn't re-encrypted (which would prompt).
+    my @info = run(app(["openssl", "pkcs12", "-in", $keybag, "-info", "-nodes",
+                        "-passin", "pass:"], stderr => "keybag_info.txt"),
+                   capture => 1);
+    open DATA, "keybag_info.txt";
+    my @match = grep /Key bag/, <DATA>;
+    close DATA;
+    ok(scalar @match > 0 ? 1 : 0, "test unencrypted key bag is reported");
+    ok(grep(/-----BEGIN PRIVATE KEY-----/, @info) == 1,
+       "test private key from key bag is output");
+}
+
 my %pbmac1_tests = (
     pbmac1_defaults => {args => [], lookup => "hmacWithSHA256"},
     pbmac1_nondefaults => {args => ["-pbmac1_pbkdf2_md", "sha512", "-macalg", "sha384"], lookup => "hmacWithSHA512"},