diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index d6d5f58db6..8203d9ea0c 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf @@ -388,10 +388,3 @@ oldcert = $insta::certout # insta.cert.pem # Certificate revocation cmd = rr oldcert = $insta::certout # insta.cert.pem - -[pkcs12] -certBagAttr = cb_attr - -# Uncomment this if you need Java compatible PKCS12 files -[cb_attr] -#jdkTrustedKeyUsage = anyExtendedKeyUsage diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 0d564d3ba5..2833b6f30b 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -388,10 +388,3 @@ oldcert = $insta::certout # insta.cert.pem # Certificate revocation cmd = rr oldcert = $insta::certout # insta.cert.pem - -[pkcs12] -certBagAttr = cb_attr - -# Uncomment this if you need Java compatible PKCS12 files -[cb_attr] -#jdkTrustedKeyUsage = anyExtendedKeyUsage diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 8e8c771819..1fa0abd3d4 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -71,7 +71,7 @@ typedef enum OPTION_choice { OPT_NAME, OPT_CSP, OPT_CANAME, OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE, - OPT_R_ENUM, OPT_PROV_ENUM, + OPT_R_ENUM, OPT_PROV_ENUM, OPT_JDKTRUST, #ifndef OPENSSL_NO_DES OPT_LEGACY_ALG #endif @@ -154,6 +154,7 @@ const OPTIONS pkcs12_options[] = { {"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"}, {"macsaltlen", OPT_MACSALTLEN, 'p', "Specify the salt len for MAC"}, {"nomac", OPT_NOMAC, '-', "Don't generate MAC"}, + {"jdktrust", OPT_JDKTRUST, 's', "Mark certificate in PKCS#12 store as trusted for JDK compatibility"}, {NULL} }; @@ -165,6 +166,7 @@ int pkcs12_main(int argc, char **argv) char *name = NULL, *csp_name = NULL; char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = ""; int export_pkcs12 = 0, options = 0, chain = 0, twopass = 0, keytype = 0; + char *jdktrust = NULL; #ifndef OPENSSL_NO_DES int use_legacy = 0; #endif 
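Review bot: The new `pkcs12_options[]` entry's help string does not say that `-jdktrust` also drops the private key, which the option handler enforces by OR-ing `NOKEYS` into `options`; someone reading only `openssl pkcs12 -help` will not learn that `-inkey` is silently ignored. I would extend the description: `{"jdktrust", OPT_JDKTRUST, 's', "Mark certificate in PKCS#12 store as trusted for JDK compatibility (implies -nokeys)"},`. Both the `OPTION_choice` enum and the `pkcs12_options[]` table begin before their hunks, so I could not check for other entries that should carry the same wording.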
@@ -222,6 +224,11 @@ int pkcs12_main(int argc, char **argv) case OPT_NOOUT: options |= (NOKEYS | NOCERTS); break; + case OPT_JDKTRUST: + jdktrust = opt_arg(); + /* Adding jdk trust implies nokeys */ + options |= NOKEYS; + break; case OPT_INFO: options |= INFO; break; @@ -530,9 +537,6 @@ int pkcs12_main(int argc, char **argv) int i; CONF *conf = NULL; ASN1_OBJECT *obj = NULL; - STACK_OF(CONF_VALUE) *cb_sk = NULL; - const char *cb_attr = NULL; - const CONF_VALUE *val = NULL; if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) { BIO_printf(bio_err, "Nothing to export due to -noout or -nocerts and -nokeys\n"); @@ -682,20 +686,9 @@ int pkcs12_main(int argc, char **argv) goto export_end; if (!app_load_modules(conf)) goto export_end; - /* Find the cert bag section */ - cb_attr = app_conf_try_string(conf, "pkcs12", "certBagAttr"); - if (cb_attr != NULL) { - if ((cb_sk = NCONF_get_section(conf, cb_attr)) != NULL) { - for (i = 0; i < sk_CONF_VALUE_num(cb_sk); i++) { - val = sk_CONF_VALUE_value(cb_sk, i); - if (strcmp(val->name, "jdkTrustedKeyUsage") == 0) { - obj = OBJ_txt2obj(val->value, 0); - break; - } - } - } else { - ERR_clear_error(); - } + + if (jdktrust != NULL) { + obj = OBJ_txt2obj(jdktrust, 0); } p12 = PKCS12_create_ex2(cpass, name, key, ee_cert, certs, diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 144650f742..665b22bb64 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -68,6 +68,7 @@ PKCS#12 output (export) options: [B<-maciter>] [B<-macsaltlen>] [B<-nomac>] +[B<-jdktrust> I] =head1 DESCRIPTION 
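Review bot: The new `OPT_JDKTRUST` case sets `NOKEYS` unconditionally at parse time, so the flag presumably also takes effect in the non-export (parse) path, where `-jdktrust` has no meaning and would quietly suppress private-key output; the man page lists it under export options only. I would reject the combination after option parsing, e.g. `if (jdktrust != NULL && !export_pkcs12) { BIO_printf(bio_err, "-jdktrust is only valid with -export\n"); goto end; }`. The `-nocerts` interaction is also worth a comment: `-jdktrust -nocerts` reaches the existing "Nothing to export due to -noout or -nocerts and -nokeys" message, which never mentions `-jdktrust` as the source of the implied `-nokeys`. `pkcs12_main` starts and ends outside this hunk.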
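Review bot: `OBJ_txt2obj(jdktrust, 0)` returns NULL for a name or OID it cannot parse, and the new code does not check it, so a mistyped `-jdktrust` value falls through to `PKCS12_create_ex2` with `obj == NULL` and produces a PKCS#12 file without the trusted-key-usage attribute the user asked for, with nothing but a stale error-queue entry to show for it. The removed config-file path had the same weakness, but now that the value comes straight from the command line it should fail closed. With `no_name == 0` any dotted numeric OID is also accepted and written as the Oracle trust attribute, so the man page's "only anyExtendedKeyUsage is defined" is not enforced here; acceptable, but a comment saying so would help. `obj` is an owned `ASN1_OBJECT` from `OBJ_txt2obj`; its release at `export_end` is outside the hunk, so I could not confirm it.
```c
        if (jdktrust != NULL) {
            obj = OBJ_txt2obj(jdktrust, 0);
            if (obj == NULL) {
                BIO_printf(bio_err, "Unrecognised -jdktrust value '%s'\n", jdktrust);
                goto export_end;
            }
        }
        /* … unchanged: PKCS12_create_ex2 call … */
```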
@@ -381,6 +382,15 @@ Do not attempt to provide the MAC integrity. This can be useful with the FIPS provider as the PKCS12 MAC requires PKCS12KDF which is not an approved FIPS algorithm and cannot be supported by the FIPS provider. +=item B<-jdktrust> + +Export pkcs12 file in a format compatible with Java keystore usage. This option +accepts a string parameter indicating the trust oid name to be granted to the +certificate it is associated with. Currently only "anyExtendedKeyUsage" is +defined. Note that, as Java keystores do not accept PKCS12 files with both +trusted certificates and keypairs, use of this option implies the setting of the +B<-nokeys> option + =back =head1 NOTES diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t index 06a90ec24b..307942710f 100644 --- a/test/recipes/80-test_pkcs12.t +++ b/test/recipes/80-test_pkcs12.t @@ -172,9 +172,8 @@ ok(grep(/Trusted key usage (Oracle)/, @pkcs12info) == 0, # Test with Oracle Trusted Key Usage specified in openssl.cnf { - $ENV{OPENSSL_CONF} = srctop_file("test", "recipes", "80-test_pkcs12_data", "jdk_trusted.cnf"); ok(run(app(["openssl", "pkcs12", "-export", "-out", $outfile7, - "-in", srctop_file(@path, "ee-cert.pem"), + "-jdktrust", "anyExtendedKeyUsage", "-in", srctop_file(@path, "ee-cert.pem"), "-nokeys", "-passout", "pass:", "-certpbe", "NONE"])), "test nokeys single cert"); diff --git a/test/recipes/80-test_pkcs12_data/jdk_trusted.cnf b/test/recipes/80-test_pkcs12_data/jdk_trusted.cnf deleted file mode 100644 index 57d11fccf2..0000000000 --- a/test/recipes/80-test_pkcs12_data/jdk_trusted.cnf +++ /dev/null @@ -1,8 +0,0 @@ -# -[pkcs12] -certBagAttr = cb_attr - -# Uncomment this if you need Java compatible PKCS12 files -[cb_attr] -jdkTrustedKeyUsage = anyExtendedKeyUsage -
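Review bot: The updated test still passes `-nokeys` explicitly next to `-jdktrust`, so the implied-`NOKEYS` behaviour the commit adds to `pkcs12.c` is never exercised, and there is no negative case for an unrecognised trust name. I would drop `"-nokeys"` from this invocation (the command has no `-inkey`, so the output stays key-free only if the implication works) and add `ok(!run(app(["openssl", "pkcs12", "-export", "-out", $outfile7, "-jdktrust", "notAnOid", "-in", srctop_file(@path, "ee-cert.pem"), "-passout", "pass:", "-certpbe", "NONE"])), "invalid -jdktrust value is rejected");`. As the C code stands, a NULL from `OBJ_txt2obj` is not treated as an error, so that negative test would currently fail; it only becomes meaningful together with a NULL check in `pkcs12.c`. The test block's opening brace is in the hunk but its closing brace and the later `@pkcs12info` checks are outside it.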