Skip to content

Comments

apps/pkcs12.c: Add -untrusted option and improve option documentation#12643

Closed
DDvO wants to merge 2 commits intoopenssl:masterfrom
siemens:add_pkcs12_passcert_untrusted
Closed

apps/pkcs12.c: Add -untrusted option and improve option documentation#12643
DDvO wants to merge 2 commits intoopenssl:masterfrom
siemens:add_pkcs12_passcert_untrusted

Conversation

@DDvO
Copy link
Contributor

@DDvO DDvO commented Aug 13, 2020
edited
Loading

This PR adds the option -untrusted to the PKCS#12 app and
improves the user guidance for various options both in the app and the man page.

So far, lists of certificates to be used for chain building (with the -chain option)
could be done only by adding them along with trusted certs (via, e.g., the -CAfile option).
This is not only inconvenient but also inadequate: they should not be trusted
but used only as candidates for intermediate CA certs as far as needed for building the chain.

In analogy of the -untrusted option of the verify app,
the new -untrusted option offers the possibility to provide intermediate CA certs in a separate file
and passes them (rather than NULL) to X509_STORE_CTX_init().

I also improved the handling of end entity certs (in particular with the -nokeys option),
made some error messages more informative, added many warnings on inconsistent option use,
and clarified the use of various options in the app help output and documentation.

  • documentation is added or updated
  • tests are added or updated

@DDvO DDvO mentioned this pull request Aug 14, 2020
Merged
2 tasks
FdaSilvaYY
FdaSilvaYY reviewed Aug 15, 2020
View reviewed changes
@DDvO DDvO force-pushed the add_pkcs12_passcert_untrusted branch from a1dcb6c to 1f5b057 Compare August 16, 2020 10:17
@DDvO DDvO changed the title apps/pkcs12.c: Add -untrusted and -passcert options; improve option documentation apps/pkcs12.c: Add -untrusted option and improve option documentation Aug 16, 2020
@DDvO DDvO force-pushed the add_pkcs12_passcert_untrusted branch from 1f5b057 to aa0594d Compare August 16, 2020 12:44
slontis
slontis reviewed Aug 19, 2020
View reviewed changes
@DDvO DDvO force-pushed the add_pkcs12_passcert_untrusted branch from aa0594d to 60672e2 Compare August 19, 2020 09:11
@DDvO
Copy link
Contributor Author

DDvO commented Aug 19, 2020

Thanks @FdaSilvaYY and @t8m for your comments.
Anything more to do?

@DDvO DDvO force-pushed the add_pkcs12_passcert_untrusted branch from 60672e2 to ee763c1 Compare August 21, 2020 07:06
@DDvO
Copy link
Contributor Author

DDvO commented Aug 21, 2020

Rebased in order to solve merge conflicts.

t8m
t8m requested changes Aug 21, 2020
View reviewed changes
Copy link
Member

@t8m t8m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few more nits.

@DDvO DDvO force-pushed the add_pkcs12_passcert_untrusted branch from ee763c1 to 1683af8 Compare August 21, 2020 20:59
@DDvO
Copy link
Contributor Author

DDvO commented Aug 24, 2020

Just a few more nits.

Thanks @t8m for pointing these out; I've meanwhile handled them.
Can this be approved now?

t8m
t8m approved these changes Aug 26, 2020
View reviewed changes
Copy link
Member

@t8m t8m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM now

@t8m t8m added approval: done This pull request has the required number of approvals branch: master Applies to master branch and removed approval: otc review pending labels Aug 26, 2020
@openssl-machine openssl-machine removed the approval: done This pull request has the required number of approvals label Aug 27, 2020
@openssl-machine
Copy link
Collaborator

openssl-machine commented Aug 27, 2020

This pull request is ready to merge

@openssl-machine openssl-machine added the approval: ready to merge The 24 hour grace period has passed, ready to merge label Aug 27, 2020
openssl-machine pushed a commit that referenced this pull request Aug 27, 2020
@DDvO
X509_add_certs(): Add to doc some warning notes on memory management
77a9bb8 
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #12643)
openssl-machine pushed a commit that referenced this pull request Aug 27, 2020
@DDvO
apps/pkcs12.c: Add -untrusted option
1d6c867 
Also improve EE cert selection, user guidance, and documentation.

Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #12643)
@DDvO
Copy link
Contributor Author

DDvO commented Aug 27, 2020

Merged - thanks @t8m

@DDvO DDvO closed this Aug 27, 2020
swenkeratmicrosoft pushed a commit to swenkeratmicrosoft/openssl that referenced this pull request Sep 1, 2020
@DDvO
X509_add_certs(): Add to doc some warning notes on memory management
c078630 
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#12643)
swenkeratmicrosoft pushed a commit to swenkeratmicrosoft/openssl that referenced this pull request Sep 1, 2020
@DDvO
apps/pkcs12.c: Add -untrusted option
1be4dfb 
Also improve EE cert selection, user guidance, and documentation.

Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#12643)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slontis slontis slontis left review comments

@t8m t8m t8m approved these changes

+1 more reviewer

@FdaSilvaYY FdaSilvaYY FdaSilvaYY left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

approval: ready to merge The 24 hour grace period has passed, ready to merge branch: master Applies to master branch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@DDvO @openssl-machine @t8m @FdaSilvaYY @slontis