authorNeil Horman <nhorman@openssl.org>2023-10-18 10:01:21 -0400
committerMatt Caswell <matt@openssl.org>2023-10-20 16:30:43 +0100
commit21f7a09ca256eee0ccc9a8fc498e8427469ab506 (patch)
tree85f689c3a442ace25edd6436f72ed9149da5bc5e /apps
parent7757f5ef731ad4e8d6c0f59ef752e4f726ba4f90 (diff)
Convert jdkTrustedKeyUsage to be a pkcs12 cmd line option
Creating JDK compatible pkcs12 files requires a bit more than just adding the Trusted Key Usage OID to a certbag in the pkcs12 file. Additionally, the JDK currently requires that pkcs12 files setting this OID _not_ contain any additional keys, and otherwise produces unpredictable results. This could be solved by implying --nokeys when the pkcs12 utility is run and the config option is set, but that could confuse users who didn't specify nokeys on the command line. As such, remove the config file setting for this feature and replace it with a -jdktrust command line option, which is documented to assert nokeys when a user specifies the new command line option. Fixes #22215 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22422)
Diffstat (limited to 'apps')
-rw-r--r--apps/openssl-vms.cnf7
-rw-r--r--apps/openssl.cnf7
-rw-r--r--apps/pkcs12.c29
3 files changed, 11 insertions, 32 deletions
diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index d6d5f58db6..8203d9ea0c 100644
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -388,10 +388,3 @@ oldcert = $insta::certout # insta.cert.pem
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem
-
-[pkcs12]
-certBagAttr = cb_attr
-
-# Uncomment this if you need Java compatible PKCS12 files
-[cb_attr]
-#jdkTrustedKeyUsage = anyExtendedKeyUsage
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 0d564d3ba5..2833b6f30b 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -388,10 +388,3 @@ oldcert = $insta::certout # insta.cert.pem
# Certificate revocation
cmd = rr
oldcert = $insta::certout # insta.cert.pem
-
-[pkcs12]
-certBagAttr = cb_attr
-
-# Uncomment this if you need Java compatible PKCS12 files
-[cb_attr]
-#jdkTrustedKeyUsage = anyExtendedKeyUsage
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 8e8c771819..1fa0abd3d4 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -71,7 +71,7 @@ typedef enum OPTION_choice {
OPT_NAME, OPT_CSP, OPT_CANAME,
OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH,
OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE,
- OPT_R_ENUM, OPT_PROV_ENUM,
+ OPT_R_ENUM, OPT_PROV_ENUM, OPT_JDKTRUST,
#ifndef OPENSSL_NO_DES
OPT_LEGACY_ALG
#endif
@@ -154,6 +154,7 @@ const OPTIONS pkcs12_options[] = {
{"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"},
{"macsaltlen", OPT_MACSALTLEN, 'p', "Specify the salt len for MAC"},
{"nomac", OPT_NOMAC, '-', "Don't generate MAC"},
+ {"jdktrust", OPT_JDKTRUST, 's', "Mark certificate in PKCS#12 store as trusted for JDK compatibility"},
{NULL}
};
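Review bot: The help string of the new `jdktrust` entry says neither what its `'s'` argument is nor that the option implies `-nokeys`, although the commit message says the option is documented to assert nokeys; someone reading `openssl pkcs12 -help` cannot tell that private keys will be dropped from the exported file. The former config example used `anyExtendedKeyUsage`, so the argument is the trusted usage OID or name. Consider `{"jdktrust", OPT_JDKTRUST, 's', "Mark certificate in PKCS#12 store as trusted for JDK compatibility; takes the trust usage OID or name (e.g. anyExtendedKeyUsage), implies -nokeys"},`.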
@@ -165,6 +166,7 @@ int pkcs12_main(int argc, char **argv)
char *name = NULL, *csp_name = NULL;
char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = "";
int export_pkcs12 = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
+ char *jdktrust = NULL;
#ifndef OPENSSL_NO_DES
int use_legacy = 0;
#endif
@@ -222,6 +224,11 @@ int pkcs12_main(int argc, char **argv)
case OPT_NOOUT:
options |= (NOKEYS | NOCERTS);
break;
+ case OPT_JDKTRUST:
+ jdktrust = opt_arg();
+ /* Adding jdk trust implies nokeys */
+ options |= NOKEYS;
+ break;
case OPT_INFO:
options |= INFO;
break;
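Review bot: `jdktrust = opt_arg()` stores the argument with no validation, and the only consumer in view, `obj = OBJ_txt2obj(jdktrust, 0)` in the last hunk, has no NULL check, so a mistyped usage name presumably yields `obj == NULL` and an export without the trusted-usage attribute instead of an error, which is the opposite of what the user asked for. Checking the conversion result where it happens gives an explicit failure: `if ((obj = OBJ_txt2obj(jdktrust, 0)) == NULL) { BIO_printf(bio_err, "Invalid -jdktrust value %s\n", jdktrust); goto export_end; }`. The implied `options |= NOKEYS` is also silent, and the existing "Nothing to export" diagnostic names only `-noout`, `-nocerts` and `-nokeys`, so a user passing `-jdktrust` together with `-nocerts` gets a message that never mentions the option that caused it; extending that message, or printing a note when `-jdktrust` suppresses keys, would make the behaviour visible.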
@@ -530,9 +537,6 @@ int pkcs12_main(int argc, char **argv)
int i;
CONF *conf = NULL;
ASN1_OBJECT *obj = NULL;
- STACK_OF(CONF_VALUE) *cb_sk = NULL;
- const char *cb_attr = NULL;
- const CONF_VALUE *val = NULL;
if ((options & (NOCERTS | NOKEYS)) == (NOCERTS | NOKEYS)) {
BIO_printf(bio_err, "Nothing to export due to -noout or -nocerts and -nokeys\n");
@@ -682,20 +686,9 @@ int pkcs12_main(int argc, char **argv)
goto export_end;
if (!app_load_modules(conf))
goto export_end;
- /* Find the cert bag section */
- cb_attr = app_conf_try_string(conf, "pkcs12", "certBagAttr");
- if (cb_attr != NULL) {
- if ((cb_sk = NCONF_get_section(conf, cb_attr)) != NULL) {
- for (i = 0; i < sk_CONF_VALUE_num(cb_sk); i++) {
- val = sk_CONF_VALUE_value(cb_sk, i);
- if (strcmp(val->name, "jdkTrustedKeyUsage") == 0) {
- obj = OBJ_txt2obj(val->value, 0);
- break;
- }
- }
- } else {
- ERR_clear_error();
- }
+
+ if (jdktrust != NULL) {
+ obj = OBJ_txt2obj(jdktrust, 0);
}
p12 = PKCS12_create_ex2(cpass, name, key, ee_cert, certs,