git.ipfire.org Git - thirdparty/openssl.git/commit
x509: Accept 'contentCommitment' as alias
author Clemens Lang <cllang@redhat.com>
Sun, 3 Aug 2025 18:47:36 +0000 (20:47 +0200)
committer Dmitry Belyavskiy <beldmit@gmail.com>
Mon, 11 Aug 2025 10:00:38 +0000 (12:00 +0200)
commit 6b93db7bfd572e81fac581c5be7b0d7509febb80
tree 7fce722fb0e8fcda5ddcdb3710dc67eb335439e9
parent c5ef06f4abcda15056f9316b3fb4697a0b289d9b
x509: Accept 'contentCommitment' as alias

ITU-T X.509 (10/2019) section 9.2.2.3 [1] defines 'contentCommitment' as
the current name for what had previously been called 'nonRepudiation',
and deprecates the old name:

> It is not incorrect to refer to this keyUsage bit using the identifier
> nonRepudiation. However, the use of this identifier has been
> deprecated.

Allow 'contentCommitment' as an alias wherever 'nonRepudiation' has been
accepted before, so that passing

    -addext keyUsage=critical,contentCommitment

works as expected.

Add a test that checks that contentCommitment sets the same keyUsage bit
as nonRepudiation. Adjust the docs to mention the available alias name.

[1]: https://www.itu.int/rec/T-REC-X.509-201910-I/en

Signed-off-by: Clemens Lang <cllang@redhat.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/28161)
crypto/asn1/t_bitst.c
crypto/x509/v3_bitst.c
doc/man1/openssl-verification-options.pod
doc/man5/x509v3_config.pod
test/recipes/25-test_req.t
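
The commit message above says that 'contentCommitment' sets the same keyUsage bit as 'nonRepudiation'. The following added example (not code from this commit or from OpenSSL) models that mapping and goes one step further by DER-encoding the resulting BIT STRING, showing that both names yield identical extension bytes. The function names `parse_key_usage`, `der_key_usage` and `encode` are hypothetical, and the "critical" handling is a simplified assumption.

```python
# Added illustration: a stand-alone model of keyUsage name handling, not OpenSSL source.
# Bit positions follow the KeyUsage definition in X.509 / RFC 5280.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "contentCommitment": 1,  # current name for the same bit
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}


def parse_key_usage(value):
    """Split a value such as 'critical,contentCommitment' into (critical, bits)."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    critical = bool(tokens) and tokens[0] == "critical"
    bits = set()
    for name in tokens[1:] if critical else tokens:
        if name not in KEY_USAGE_BITS:
            raise ValueError(f"unknown keyUsage name: {name!r}")
        bits.add(KEY_USAGE_BITS[name])
    return critical, bits


def der_key_usage(bits):
    """DER-encode a named-bit list as a BIT STRING (trailing zero bits dropped)."""
    if not bits:
        return bytes([0x03, 0x01, 0x00])
    top = max(bits)
    content = bytearray(top // 8 + 1)
    for bit in bits:
        content[bit // 8] |= 0x80 >> (bit % 8)  # bit 0 is the MSB of byte 0
    unused = 7 - (top % 8)  # padding bits in the last content byte
    return bytes([0x03, len(content) + 1, unused]) + bytes(content)


def encode(value):
    """Return (critical flag, hex of the DER BIT STRING) for a keyUsage value."""
    critical, bits = parse_key_usage(value)
    return critical, der_key_usage(bits).hex()


if __name__ == "__main__":
    for v in ("critical,nonRepudiation", "critical,contentCommitment"):
        print(v, "->", encode(v))
```

Because the alias only affects how the configuration value is parsed, a certificate produced with either name is indistinguishable to a relying party that inspects the keyUsage bits.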