diff options
| author | Neil Horman <nhorman@openssl.org> | 2023-10-18 10:01:21 -0400 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2023-10-20 16:30:43 +0100 |
| commit | 21f7a09ca256eee0ccc9a8fc498e8427469ab506 (patch) | |
| tree | 85f689c3a442ace25edd6436f72ed9149da5bc5e /apps/openssl.cnf | |
| parent | 7757f5ef731ad4e8d6c0f59ef752e4f726ba4f90 (diff) | |
Convert jdkTrustedKeyUsage to be a pkcs12 cmd line option
Creating JDK compatible pkcs12 files requires a bit more than just
adding the Trusted Key Usage OID to a certbag in the pkcs12 file.
Additionally the JDK currently requires that pkcs12 files setting this
oid _not_ contain any additional keys, and in response will produce
unpredictable results.
This could be solved by implying --nokeys when the pkcs12 utility is run
and the config option is set, but thatcould confuse users who didn't
specify nokeys on the command line. As such, remove the config file
setting for this feature, and replace it with a -jdktrust command line
option, that is documented to assert nokeys when a users specifies the
new command line option.
Fixes #22215
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22422)
Diffstat (limited to 'apps/openssl.cnf')
| -rw-r--r-- | apps/openssl.cnf | 7 |
1 files changed, 0 insertions, 7 deletions
diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 0d564d3ba5..2833b6f30b 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -388,10 +388,3 @@ oldcert = $insta::certout # insta.cert.pem # Certificate revocation cmd = rr oldcert = $insta::certout # insta.cert.pem - -[pkcs12] -certBagAttr = cb_attr - -# Uncomment this if you need Java compatible PKCS12 files -[cb_attr] -#jdkTrustedKeyUsage = anyExtendedKeyUsage |