diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-11-26 11:03:24 +0100 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-01 17:50:56 +0100 |
commit | 9ab9b16bb795f1081e86f11e16a1606790231400 (patch) | |
tree | 9a1241e1c18fc64e7238abce37251ca8c2e154a9 | |
parent | 9feb2fce6553df7b2d75cf283826b97407eea55b (diff) |
apps/pkcs12.c: Correct default legacy algs and make related doc consistent
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13534)
-rw-r--r-- | apps/pkcs12.c | 38 | ||||
-rw-r--r-- | doc/man1/openssl-pkcs12.pod.in | 7 |
2 files changed, 26 insertions, 19 deletions
diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 6bc06e370f..e12b359de8 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -64,7 +64,13 @@ typedef enum OPTION_choice { const OPTIONS pkcs12_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"legacy", OPT_LEGACY_ALG, '-', "use legacy algorithms"}, + {"legacy", OPT_LEGACY_ALG, '-', +#ifdef OPENSSL_NO_RC2 + "Use legacy encryption algorithm 3DES_CBC for keys and certs" +#else + "Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs" +#endif + }, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif @@ -116,18 +122,13 @@ const OPTIONS pkcs12_options[] = { {"keysig", OPT_KEYSIG, '-', "Set key type to MS key signature"}, OPT_SECTION("PKCS12 output encryption and MAC"), -#ifndef OPENSSL_NO_RC2 {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)"}, {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)"}, -#else - {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"}, - {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"}, -#endif - {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"}, - {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption key and MAC"}, - {"noiter", OPT_NOITER, '-', "Don't use encryption key iteration"}, + {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default AES-256 CBC)"}, + {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC"}, + {"noiter", OPT_NOITER, '-', "Don't use encryption iteration"}, {"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"}, {"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"}, {"macalg", OPT_MACALG, 's', @@ -142,6 +143,8 @@ const OPTIONS pkcs12_options[] = { {NULL} }; +#define PKCS12_DEFAULT_PBE NID_aes_256_cbc + int pkcs12_main(int argc, char **argv) { char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL; @@ -151,8 +154,8 @@ int pkcs12_main(int argc, char **argv) char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = ""; int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0, use_legacy = 0; int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; - int cert_pbe = NID_aes_256_cbc; - int key_pbe = NID_aes_256_cbc; + int cert_pbe = PKCS12_DEFAULT_PBE; + int key_pbe = PKCS12_DEFAULT_PBE; int ret = 1, macver = 1, add_lmk = 0, private = 0; int noprompt = 0; char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL; @@ -164,7 +167,8 @@ int pkcs12_main(int argc, char **argv) BIO *in = NULL, *out = NULL; PKCS12 *p12 = NULL; STACK_OF(OPENSSL_STRING) *canames = NULL; - const EVP_CIPHER *enc = EVP_aes_256_cbc(); + const EVP_CIPHER *const default_enc = EVP_aes_256_cbc(); + const EVP_CIPHER *enc = default_enc; OPTION_CHOICE o; prog = opt_init(argc, argv, pkcs12_options); @@ -373,8 +377,8 @@ int pkcs12_main(int argc, char **argv) if (!app_provider_load(app_get0_libctx(), "default")) goto end; } - if (cert_pbe != NID_pbe_WithSHA1And3_Key_TripleDES_CBC) { - /* Restore default algorithms */ + if (cert_pbe == PKCS12_DEFAULT_PBE) { + /* Adapt default algorithm */ #ifndef OPENSSL_NO_RC2 cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; #else @@ -382,8 +386,10 @@ int pkcs12_main(int argc, char **argv) #endif } - key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - enc = EVP_des_ede3_cbc(); + if (key_pbe == PKCS12_DEFAULT_PBE) + key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + if (enc == default_enc) + enc = EVP_des_ede3_cbc(); } if (argc != 0) diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 6c4fbfb563..e5da1ec980 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -76,6 +76,7 @@ There are a lot of options the meaning of some depends of whether a PKCS#12 file is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12 file can be created by using the B<-export> option (see below). Many further options such as B<-chain> make sense only with B<-export>. +The default encryption algorithm is AES-256-CBC with PBKDF2 for key derivation. =head1 PARSING OPTIONS @@ -134,7 +135,7 @@ Use DES to encrypt private keys before outputting. =item B<-des3> -Use triple DES to encrypt private keys before outputting, this is the default. +Use triple DES to encrypt private keys before outputting. =item B<-idea> @@ -263,7 +264,7 @@ as well as any untrusted CA certificates given with the B<-untrusted> option. Encrypt the certificate using triple DES, this may render the PKCS#12 file unreadable by some "export grade" software. By default the private -key is encrypted using AES and the certificate using triple DES unless +key and the certificates are encrypted using AES-256-CBC unless the '-legacy' option is used. If '-descert' is used with the '-legacy' then both, the private key and the certificate are encrypted using triple DES. @@ -405,7 +406,7 @@ Include some extra certificates: openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \ -certfile othercerts.pem -Export a PKCS#12 file with default encryption algorithms as in the legacy provider: +Export a PKCS#12 file with default algorithms as in the legacy provider: openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy |