Skip to content

Comments

apps/pkcs12.c: Add -untrusted option and improve option documentation#12643

Closed
DDvO wants to merge 2 commits intoopenssl:masterfrom
siemens:add_pkcs12_passcert_untrusted
Closed

apps/pkcs12.c: Add -untrusted option and improve option documentation#12643
DDvO wants to merge 2 commits intoopenssl:masterfrom
siemens:add_pkcs12_passcert_untrusted

Conversation

@DDvO
Copy link
Contributor

@DDvO DDvO commented Aug 13, 2020

This PR adds the option -untrusted to the PKCS#12 app and
improves the user guidance for various options both in the app and the man page.

So far, lists of certificates to be used for chain building (with the -chain option)
could be done only by adding them along with trusted certs (via, e.g., the -CAfile option).
This is not only inconvenient but also inadequate: they should not be trusted
but used only as candidates for intermediate CA certs as far as needed for building the chain.

In analogy of the -untrusted option of the verify app,
the new -untrusted option offers the possibility to provide intermediate CA certs in a separate file
and passes them (rather than NULL) to X509_STORE_CTX_init().

I also improved the handling of end entity certs (in particular with the -nokeys option),
made some error messages more informative, added many warnings on inconsistent option use,
and clarified the use of various options in the app help output and documentation.

  • documentation is added or updated
  • tests are added or updated

@DDvO DDvO force-pushed the add_pkcs12_passcert_untrusted branch from a1dcb6c to 1f5b057 Compare August 16, 2020 10:17
@DDvO DDvO changed the title apps/pkcs12.c: Add -untrusted and -passcert options; improve option documentation apps/pkcs12.c: Add -untrusted option and improve option documentation Aug 16, 2020
@DDvO DDvO force-pushed the add_pkcs12_passcert_untrusted branch from 1f5b057 to aa0594d Compare August 16, 2020 12:44
@DDvO DDvO force-pushed the add_pkcs12_passcert_untrusted branch from aa0594d to 60672e2 Compare August 19, 2020 09:11
@DDvO
Copy link
Contributor Author

DDvO commented Aug 19, 2020

Thanks @FdaSilvaYY and @t8m for your comments.
Anything more to do?

@DDvO DDvO force-pushed the add_pkcs12_passcert_untrusted branch from 60672e2 to ee763c1 Compare August 21, 2020 07:06
@DDvO
Copy link
Contributor Author

DDvO commented Aug 21, 2020

Rebased in order to solve merge conflicts.

Copy link
Member

@t8m t8m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few more nits.

@DDvO DDvO force-pushed the add_pkcs12_passcert_untrusted branch from ee763c1 to 1683af8 Compare August 21, 2020 20:59
@DDvO
Copy link
Contributor Author

DDvO commented Aug 24, 2020

Just a few more nits.

Thanks @t8m for pointing these out; I've meanwhile handled them.
Can this be approved now?

Copy link
Member

@t8m t8m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM now

@t8m t8m added approval: done This pull request has the required number of approvals branch: master Applies to master branch and removed approval: otc review pending labels Aug 26, 2020
@openssl-machine openssl-machine removed the approval: done This pull request has the required number of approvals label Aug 27, 2020
@openssl-machine
Copy link
Collaborator

This pull request is ready to merge

@openssl-machine openssl-machine added the approval: ready to merge The 24 hour grace period has passed, ready to merge label Aug 27, 2020
openssl-machine pushed a commit that referenced this pull request Aug 27, 2020
openssl-machine pushed a commit that referenced this pull request Aug 27, 2020
Also improve EE cert selection, user guidance, and documentation.

Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #12643)
@DDvO
Copy link
Contributor Author

DDvO commented Aug 27, 2020

Merged - thanks @t8m

@DDvO DDvO closed this Aug 27, 2020
swenkeratmicrosoft pushed a commit to swenkeratmicrosoft/openssl that referenced this pull request Sep 1, 2020
swenkeratmicrosoft pushed a commit to swenkeratmicrosoft/openssl that referenced this pull request Sep 1, 2020
Also improve EE cert selection, user guidance, and documentation.

Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#12643)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Applies to master branch

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants