| author | Neil Horman <nhorman@openssl.org> | 2023-10-18 10:01:21 -0400 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2023-10-20 16:30:43 +0100 |
| commit | 21f7a09ca256eee0ccc9a8fc498e8427469ab506 (patch) | |
| tree | 85f689c3a442ace25edd6436f72ed9149da5bc5e /doc | |
| parent | 7757f5ef731ad4e8d6c0f59ef752e4f726ba4f90 (diff) | |
Convert jdkTrustedKeyUsage to be a pkcs12 cmd line option
Creating JDK compatible pkcs12 files requires a bit more than just
adding the Trusted Key Usage OID to a certbag in the pkcs12 file.
Additionally the JDK currently requires that pkcs12 files setting this
oid _not_ contain any additional keys, and in response will produce
unpredictable results.
This could be solved by implying --nokeys when the pkcs12 utility is run
and the config option is set, but that could confuse users who didn't
specify nokeys on the command line. As such, remove the config file
setting for this feature, and replace it with a -jdktrust command line
option, that is documented to assert nokeys when a user specifies the
new command line option.
Fixes #22215
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22422)
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/man1/openssl-pkcs12.pod.in | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 144650f742..665b22bb64 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -68,6 +68,7 @@ PKCS#12 output (export) options: [B<-maciter>] [B<-macsaltlen>] [B<-nomac>] +[B<-jdktrust> I<usage>] =head1 DESCRIPTION @@ -381,6 +382,15 @@ Do not attempt to provide the MAC integrity. This can be useful with the FIPS provider as the PKCS12 MAC requires PKCS12KDF which is not an approved FIPS algorithm and cannot be supported by the FIPS provider. +=item B<-jdktrust> + +Export pkcs12 file in a format compatible with Java keystore usage. This option +accepts a string parameter indicating the trust oid name to be granted to the +certificate it is associated with. Currently only "anyExtendedKeyUsage" is +defined. Note that, as Java keystores do not accept PKCS12 files with both +trusted certificates and keypairs, use of this option implies the setting of the +B<-nokeys> option + =back =head1 NOTES |
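Review bot: the new `=item B<-jdktrust>` entry in the DESCRIPTION hunk omits the argument that the SYNOPSIS hunk documents as `[B<-jdktrust> I<usage>]`; for consistency with the other options in this file the item should read `=item B<-jdktrust> I<usage>` and the paragraph should refer to I<usage> by that name rather than as "a string parameter indicating the trust oid name". Two smaller points in the same paragraph: the final sentence is missing its full stop after "B<-nokeys> option", and "pkcs12 file" / "trust oid" should follow the surrounding text's capitalisation ("PKCS12" / "OID"). Since the paragraph states that only "anyExtendedKeyUsage" is currently defined, it would also help readers to say what the command does when any other value is supplied.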