Convert jdkTrustedKeyUsage to be a pkcs12 cmd line option #22422

Closed
wants to merge 1 commit into from
Closed
7 changes: 0 additions & 7 deletions apps/openssl-vms.cnf
Expand Up @@ -388,10 +388,3 @@ oldcert = $insta::certout # insta.cert.pem
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem

[pkcs12]
certBagAttr = cb_attr

# Uncomment this if you need Java compatible PKCS12 files
[cb_attr]
#jdkTrustedKeyUsage = anyExtendedKeyUsage
7 changes: 0 additions & 7 deletions apps/openssl.cnf
Expand Up @@ -388,10 +388,3 @@ oldcert = $insta::certout # insta.cert.pem
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem

[pkcs12]
certBagAttr = cb_attr

# Uncomment this if you need Java compatible PKCS12 files
[cb_attr]
#jdkTrustedKeyUsage = anyExtendedKeyUsage
29 changes: 11 additions & 18 deletions apps/pkcs12.c
Expand Up @@ -71,7 +71,7 @@ typedef enum OPTION_choice {
OPT_NAME, OPT_CSP, OPT_CANAME,
OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH,
OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE,
OPT_R_ENUM, OPT_PROV_ENUM,
OPT_R_ENUM, OPT_PROV_ENUM, OPT_JDKTRUST,
#ifndef OPENSSL_NO_DES
OPT_LEGACY_ALG
#endif
Expand Down Expand Up @@ -154,6 +154,7 @@ const OPTIONS pkcs12_options[] = {
{"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"},
{"macsaltlen", OPT_MACSALTLEN, 'p', "Specify the salt len for MAC"},
{"nomac", OPT_NOMAC, '-', "Don't generate MAC"},
{"jdktrust", OPT_JDKTRUST, 's', "Mark certificate in PKCS#12 store as trusted for JDK compatibility"},
{NULL}
};

Expand All @@ -165,6 +166,7 @@ int pkcs12_main(int argc, char **argv)
char *name = NULL, *csp_name = NULL;
char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = "";
int export_pkcs12 = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
char *jdktrust = NULL;
#ifndef OPENSSL_NO_DES
int use_legacy = 0;
#endif
Expand Down Expand Up @@ -222,6 +224,11 @@ int pkcs12_main(int argc, char **argv)
case OPT_NOOUT:
options |= (NOKEYS | NOCERTS);
break;
case OPT_JDKTRUST:
jdktrust = opt_arg();
/* Adding jdk trust implies nokeys */
options |= NOKEYS;
break;
case OPT_INFO:
options |= INFO;
break;
Expand Down Expand Up @@ -530,9 +537,6 @@ int pkcs12_main(int argc, char **argv)
int i;
CONF *conf = NULL;
ASN1_OBJECT *obj = NULL;
STACK_OF(CONF_VALUE) *cb_sk = NULL;
const char *cb_attr = NULL;
const CONF_VALUE *val = NULL;

if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) {
BIO_printf(bio_err, "Nothing to export due to -noout or -nocerts and -nokeys\n");
Expand Down Expand Up @@ -682,20 +686,9 @@ int pkcs12_main(int argc, char **argv)
goto export_end;
if (!app_load_modules(conf))
goto export_end;
/* Find the cert bag section */
cb_attr = app_conf_try_string(conf, "pkcs12", "certBagAttr");
if (cb_attr != NULL) {
if ((cb_sk = NCONF_get_section(conf, cb_attr)) != NULL) {
for (i = 0; i < sk_CONF_VALUE_num(cb_sk); i++) {
val = sk_CONF_VALUE_value(cb_sk, i);
if (strcmp(val->name, "jdkTrustedKeyUsage") == 0) {
obj = OBJ_txt2obj(val->value, 0);
break;
}
}
} else {
ERR_clear_error();
}

if (jdktrust != NULL) {
obj = OBJ_txt2obj(jdktrust, 0);
}

p12 = PKCS12_create_ex2(cpass, name, key, ee_cert, certs,
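Review bot: The new `if (jdktrust != NULL) { obj = OBJ_txt2obj(jdktrust, 0); }` in the export block never checks the result, so a mistyped usage name (the argument is now supplied on the command line rather than read from a config section) leaves obj NULL and the PKCS#12 file is silently written without the trusted-key-usage attribute the caller asked for. The man page change in this PR states that only "anyExtendedKeyUsage" is defined, so an unrecognised name should be a hard error rather than a silent downgrade; the surrounding code already uses `BIO_printf(bio_err, ...)` followed by `goto export_end` for that. Separately, the removed section loop was the only visible user of the `int i` declared at the top of this block, so it may now be unused; worth confirming against the rest of pkcs12_main, which continues outside the hunk.
```c
if (jdktrust != NULL) {
    obj = OBJ_txt2obj(jdktrust, 0);
    if (obj == NULL) {
        BIO_printf(bio_err, "Unknown trust usage '%s'\n", jdktrust);
        goto export_end;
    }
}
/* … unchanged: PKCS12_create_ex2 call … */
```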
10 changes: 10 additions & 0 deletions doc/man1/openssl-pkcs12.pod.in
Expand Up @@ -68,6 +68,7 @@ PKCS#12 output (export) options:
[B<-maciter>]
[B<-macsaltlen>]
[B<-nomac>]
[B<-jdktrust> I<usage>]

=head1 DESCRIPTION

Expand Down Expand Up @@ -381,6 +382,15 @@ Do not attempt to provide the MAC integrity. This can be useful with the FIPS
provider as the PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
algorithm and cannot be supported by the FIPS provider.

=item B<-jdktrust>

Export pkcs12 file in a format compatible with Java keystore usage. This option
accepts a string parameter indicating the trust oid name to be granted to the
certificate it is associated with. Currently only "anyExtendedKeyUsage" is
defined. Note that, as Java keystores do not accept PKCS12 files with both
trusted certificates and keypairs, use of this option implies the setting of the
B<-nokeys> option

=back

=head1 NOTES
3 changes: 1 addition & 2 deletions test/recipes/80-test_pkcs12.t
Expand Up @@ -172,9 +172,8 @@ ok(grep(/Trusted key usage (Oracle)/, @pkcs12info) == 0,

# Test with Oracle Trusted Key Usage specified in openssl.cnf
{
$ENV{OPENSSL_CONF} = srctop_file("test", "recipes", "80-test_pkcs12_data", "jdk_trusted.cnf");
ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile7,
"-in", srctop_file(@path, "ee-cert.pem"),
"-jdktrust", "anyExtendedKeyUsage", "-in", srctop_file(@path, "ee-cert.pem"),
"-nokeys", "-passout", "pass:", "-certpbe", "NONE"])),
"test nokeys single cert");

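Review bot: The context comment `# Test with Oracle Trusted Key Usage specified in openssl.cnf` is now stale: the `$ENV{OPENSSL_CONF}` assignment is removed and the trust usage is passed as `-jdktrust anyExtendedKeyUsage` on the command line, so it should read `# Test with Oracle Trusted Key Usage specified via -jdktrust`. If the enclosing block later resets OPENSSL_CONF for the deleted jdk_trusted.cnf, that cleanup can presumably go as well; the block continues outside the hunk.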
8 changes: 0 additions & 8 deletions test/recipes/80-test_pkcs12_data/jdk_trusted.cnf

This file was deleted.