Various fixes regarding PKCS#12 input and related cleanup of apps, doc, and tests

[DDvO]

UPDATE: Originally this PR was about extending support for PKCS#12 input in apps.
I've meanwhile carved out the most interesting pieces of that and contributed them separately.
This is the leftovers fixing several corner cases in PKCS#12 input and its error handling.
There are also some rather unrelated fixes to several apps and their documentation, which I could separate if requested.

Checklist

• documentation is added or updated
• tests are added or updated

[DDvO]

This PR also contains (in its first commit) a minor fix of a conditionally unused variable,
which caused a build failure when OPENSSL_SYS_UNIX is not defined and strict/pedantic compiler settings (-Werror) are used.

[DDvO]

I also noticed that doc/man1/s_server.pod is somewhat out of sync.
Besides my adaptations that are related to the PKCS#12 extensions I made,
I removed the following references to options not available any more:

[B<-xkey>]
[B<-xcert>]
[B<-xchain>]
[B<-xchain_build>]
[B<-xcertform PEM|DER>]
[B<-xkeyform PEM|DER>]

[bernd-edlinger]

I think if you have a PKCS#12 file, then you have the certificate, private key and any chain
certificates all in one place, so you should only name one pkcs#12 file, and one password
and not have three different file paths, but only one password.

[DDvO]

I agree that typically a PKCS#12 file contains these related types of key material and that it would be logical and most convenient to refer to such a file only once (including any password input).
Yet so far the OpenSSL CLI, except for the pkcs12 app, does not support this.
And I just noticed that, for some reason, even pkcs12.c does not make use of load_pkacs12() to load them jointly.

I fear that rectifying this would take some non-negligible effort, including a (backward compatible) extension of the CLI options design for all apps that should support joint PKCS#12 input. Shall we go for that, and who would be willing and have time to help doing this?

Nevertheless, the generaliizations I've proprosed here are already useful in themselves - with just the inconvenience that, as before, a PKCS#12 file used not only for key input but also for certificate input needs to be named (together with any password input) more than once.

[levitte]

I had these lying around... can't even remember when I wrote them.

[DDvO]

I had these lying around... can't even remember when I wrote them.

Thanks for these comments. I've just handled them.

[DDvO]

The Travis red cross is due to the (unrelated) issue handled in #11573.

@levitte, all comments have been handled.

[DDvO]

The two CI failures currently reported here are unrelated.

Ready for further reviewing.
See in particular the fixes to PKCS12_parse() and its documentation.

[DDvO]

I've rebased this and partly squashed the commits.
@levitte, is there anything else to improve in this PR?

Hopefully this can soon be merged for inclusion in #11470.

[mattcaswell]

Ping @levitte

[DDvO]

Thanks @FdaSilvaYY for having a look.
Rebased this PR and fixed all reported nits.

[DDvO]

@DDvO why the addition of the two .p12 files? I do not see them being used.

Ah, good point - the files test/v3-certs{,-descert}.p12 where leftovers superseded by test/certs/v3-certs-{RC2,TDES}.p12.
So I've removed them (and rebased the PR).

Except for the question above, this LGTM.

Pleased to hear!

[openssl-machine]

This pull request is ready to merge

[DDvO]

Merged 😅

I'm glad that this nearly three years old PR, after various adaptations and many long waiting times in between, finally has been brought to a good end, even in time for inclusion in 3.0.

Thanks again to @levitte and to all other reviewers for their comments and to @t8m for providing the final push.