Convert jdkTrustedKeyUsage to be a pkcs12 cmd line option
author    Neil Horman <nhorman@openssl.org>
          Wed, 18 Oct 2023 14:01:21 +0000 (10:01 -0400)
committer Matt Caswell <matt@openssl.org>
          Fri, 20 Oct 2023 15:30:43 +0000 (16:30 +0100)
commit    21f7a09ca256eee0ccc9a8fc498e8427469ab506
tree      85f689c3a442ace25edd6436f72ed9149da5bc5e
parent    7757f5ef731ad4e8d6c0f59ef752e4f726ba4f90
Convert jdkTrustedKeyUsage to be a pkcs12 cmd line option

Creating JDK compatible pkcs12 files requires a bit more than just
adding the Trusted Key Usage OID to a certbag in the pkcs12 file.
Additionally the JDK currently requires that pkcs12 files setting this
oid _not_ contain any additional keys, and in response will produce
unpredictable results.

This could be solved by implying --nokeys when the pkcs12 utility is run
and the config option is set, but that could confuse users who didn't
specify nokeys on the command line.  As such, remove the config file
setting for this feature, and replace it with a -jdktrust command line
option, that is documented to assert nokeys when a user specifies the
new command line option.

Fixes #22215

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22422)
apps/openssl-vms.cnf
apps/openssl.cnf
apps/pkcs12.c
doc/man1/openssl-pkcs12.pod.in
test/recipes/80-test_pkcs12.t
test/recipes/80-test_pkcs12_data/jdk_trusted.cnf [deleted file]
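The following script is an added example, not code from the OpenSSL commit or its test suite. It exercises the behaviour the commit message describes: exporting a PKCS#12 trust store with `-jdktrust` and relying on the option to assert `-nokeys`, so no private key is loaded from the `-in` file, then checking that the certificate bag carries the Oracle trusted key usage attribute and that the store contains no keys. The self-signed certificate, the `changeit` password and the temporary file names are constructed for the demo; the attribute OID `2.16.840.1.113894.746875.1.1` is the Oracle trustedKeyUsage identifier this option emits. The script needs an `openssl` binary with the `-jdktrust` option (OpenSSL 3.2 or later) and skips with a message otherwise.

```shell
#!/bin/sh
# Added example (not part of the OpenSSL commit): build a JDK-compatible
# trust store with -jdktrust and verify what ended up in the file.
# Certificate, password and paths are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
TRUST_OID='2.16.840.1.113894.746875.1.1'   # Oracle trustedKeyUsage bag attribute

# Returns 0 if the installed openssl pkcs12 knows -jdktrust (3.2+), 1 otherwise.
jdktrust_supported() {
    command -v openssl >/dev/null 2>&1 &&
        openssl pkcs12 -help 2>&1 | grep -q -- '-jdktrust'
}

# Self-signed certificate standing in for a root the Java side should trust.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj '/CN=Example Trust Root' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Export the trust store. Deliberately no -inkey and no -nokeys: -jdktrust
# asserts -nokeys, so openssl does not try to load a private key from -in.
make_truststore() {
    openssl pkcs12 -export -in "$WORK/ca.pem" \
        -jdktrust anyExtendedKeyUsage \
        -passout pass:changeit -out "$WORK/trust.p12"
}

# Returns 0 if the cert bag carries the trusted key usage attribute. -info
# prints it under its OpenSSL long name, or as a dotted OID if unnamed.
has_trusted_key_usage() {
    openssl pkcs12 -in "$WORK/trust.p12" -info -nokeys -passin pass:changeit 2>/dev/null |
        grep -qiE "trusted key usage|$TRUST_OID"
}

# Number of private keys in the store; the JDK expects this to be 0.
key_count() {
    openssl pkcs12 -in "$WORK/trust.p12" -nocerts -nodes -passin pass:changeit 2>/dev/null |
        grep -c 'PRIVATE KEY' || true
}

if jdktrust_supported; then
    make_ca
    make_truststore
    has_trusted_key_usage && echo "trusted key usage attribute present; keys in store: $(key_count)"
else
    echo "openssl pkcs12 has no -jdktrust option here; OpenSSL 3.2 or later is required" >&2
fi
```

Feeding the resulting `trust.p12` to `keytool -list -keystore trust.p12 -storepass changeit` on a JDK should show the certificate as a `trustedCertEntry`; if the export had contained a private key as well, the commit message warns the JDK's handling becomes unpredictable, which is why the option forces `-nokeys` rather than leaving it to the user.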