On Tue, Feb 05, 2013, Michael Ionescu wrote:

> On 07.07.2012 23:27, Dr. Stephen Henson wrote:
> >
> > I added an option -force_pubkey to the OpenSSL 'x509' utility
> > to do this. It is only in HEAD at present.
> >
> Hi Steve,
>
> that's excellent! If I am not mistaken, this is exactly what one would
> also need in order to use the pubkey in individually trusted
> S/MIME-Certs when the issuing CA is categorically untrusted. One could
> simply create a cert for local use in encryption/signature-validation
> from one's own trusty CA.
>

There are problems with that approach. In the case of PKCS#7 certificates are
identified by issuer name and serial number not public key. So a new CA
wouldn't be recognised as it would have a different name.

In the case of CMS you can identify the certificate by key identifier: but
you'd have to make sure the SKID extension of the new certificate matched the
old one.

> Are there any plans to include your patch in vanilla openssl anytime soon?
>

It can be backported to OpenSSL 1.0.2 easily enough. Due to the versioning
rules it can't appear in anything sooner.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
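The following script is an added illustration of the two points made in the reply above; it is not part of the original thread or of the OpenSSL project. It builds a throwaway "untrusted" CA and an end-entity certificate, re-issues that certificate under a second local CA with `openssl x509 -req -force_pubkey` (OpenSSL 1.0.2 or later), and then shows that a CMS message addressed to the original certificate can only be decrypted by naming the re-issued certificate when the RecipientInfo uses a subject key identifier (`cms -encrypt -keyid`) and the re-issued certificate carries the same SKID. The CA names, subject, serial number and file names are all constructed for the demo; `subjectKeyIdentifier = hash` is assumed to have been used for the original certificate so that the same public key yields the same SKID under the new issuer.

```shell
#!/bin/sh
# Demo (not from the original thread): re-issue a certificate for an existing
# public key under a local CA, then test PKCS#7/CMS recipient matching by
# issuerAndSerialNumber versus subjectKeyIdentifier.
# Needs OpenSSL >= 1.0.2 for x509 -force_pubkey. All names below are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# RFC 5280 method-1 SKID (SHA-1 of the subjectPublicKey): the same key gets
# the same SKID regardless of who signs the certificate.
cat > ext.cnf <<'EOF'
[ v3_user ]
subjectKeyIdentifier = hash
EOF

# The categorically untrusted CA and the end-entity certificate it issued.
openssl genrsa -out ca1.key 2048 2>/dev/null
openssl req -x509 -new -key ca1.key -subj "/CN=Untrusted CA" -days 30 -out ca1.pem 2>/dev/null
openssl genrsa -out user.key 2048 2>/dev/null
openssl req -new -key user.key -subj "/CN=alice@example.invalid" -out user.csr 2>/dev/null
openssl x509 -req -in user.csr -CA ca1.pem -CAkey ca1.key -set_serial 1000 -days 30 \
    -extfile ext.cnf -extensions v3_user -out user.pem 2>/dev/null

# Our own local CA re-issues a certificate for the SAME public key.
openssl genrsa -out ca2.key 2048 2>/dev/null
openssl req -x509 -new -key ca2.key -subj "/CN=My Local CA" -days 30 -out ca2.pem 2>/dev/null
openssl x509 -in user.pem -pubkey -noout > user_pub.pem
# x509 -req takes its subject from a request; the request's throwaway key is
# replaced by -force_pubkey, the option the thread is about. The serial is
# kept identical so that only the issuer name differs.
openssl genrsa -out dummy.key 2048 2>/dev/null
openssl req -new -key dummy.key -subj "/CN=alice@example.invalid" -out dummy.csr 2>/dev/null
openssl x509 -req -in dummy.csr -force_pubkey user_pub.pem -CA ca2.pem -CAkey ca2.key \
    -set_serial 1000 -days 30 -extfile ext.cnf -extensions v3_user -out reissued.pem 2>/dev/null

# Print the hex SKID of a certificate file.
skid_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' | tail -n1 | tr -d ' '
}

# Encrypt to the ORIGINAL certificate, then decrypt naming the RE-ISSUED one.
# $1 holds extra encrypt options ("" or -keyid) and is deliberately unquoted.
# Echoes "match" or "no-match" depending on whether the recipient was found.
decrypt_via_reissued() {
    echo "secret" > msg.txt
    openssl cms -encrypt -in msg.txt -out msg.cms $1 user.pem 2>/dev/null
    if openssl cms -decrypt -in msg.cms -recip reissued.pem -inkey user.key \
            -out /dev/null 2>/dev/null; then
        echo match
    else
        echo no-match
    fi
}

SKID_ORIG=$(skid_of user.pem)
SKID_REISSUED=$(skid_of reissued.pem)
IAS_RESULT=$(decrypt_via_reissued "")          # rid = issuerAndSerialNumber
KEYID_RESULT=$(decrypt_via_reissued "-keyid")  # rid = subjectKeyIdentifier

echo "issuer of original : $(openssl x509 -in user.pem -noout -issuer)"
echo "issuer of re-issued: $(openssl x509 -in reissued.pem -noout -issuer)"
echo "SKID original : $SKID_ORIG"
echo "SKID re-issued: $SKID_REISSUED"
echo "decrypt via re-issued cert, issuerAndSerialNumber rid: $IAS_RESULT"
echo "decrypt via re-issued cert, subjectKeyIdentifier rid : $KEYID_RESULT"
```

The first decryption fails with "no matching recipient" because the issuer name in the RecipientInfo is the old CA's; the second succeeds because the identifier is the SKID, which the re-issued certificate reproduces. Drop `subjectKeyIdentifier = hash` from the re-issue step (or use a different SKID method) and the `-keyid` case fails as well, which is the caveat in the reply.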