diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-11-26 11:03:24 +0100 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-12-01 17:50:56 +0100 |
commit | 9ab9b16bb795f1081e86f11e16a1606790231400 (patch) | |
tree | 9a1241e1c18fc64e7238abce37251ca8c2e154a9 /apps/pkcs12.c | |
parent | 9feb2fce6553df7b2d75cf283826b97407eea55b (diff) |
apps/pkcs12.c: Correct default legacy algs and make related doc consistent
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13534)
Diffstat (limited to 'apps/pkcs12.c')
-rw-r--r-- | apps/pkcs12.c | 38 |
1 files changed, 22 insertions, 16 deletions
diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 6bc06e370f..e12b359de8 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -64,7 +64,13 @@ typedef enum OPTION_choice { const OPTIONS pkcs12_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, - {"legacy", OPT_LEGACY_ALG, '-', "use legacy algorithms"}, + {"legacy", OPT_LEGACY_ALG, '-', +#ifdef OPENSSL_NO_RC2 + "Use legacy encryption algorithm 3DES_CBC for keys and certs" +#else + "Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs" +#endif + }, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif @@ -116,18 +122,13 @@ const OPTIONS pkcs12_options[] = { {"keysig", OPT_KEYSIG, '-', "Set key type to MS key signature"}, OPT_SECTION("PKCS12 output encryption and MAC"), -#ifndef OPENSSL_NO_RC2 {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)"}, {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)"}, -#else - {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"}, - {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"}, -#endif - {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"}, - {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption key and MAC"}, - {"noiter", OPT_NOITER, '-', "Don't use encryption key iteration"}, + {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default AES-256 CBC)"}, + {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC"}, + {"noiter", OPT_NOITER, '-', "Don't use encryption iteration"}, {"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"}, {"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"}, {"macalg", OPT_MACALG, 's', @@ -142,6 +143,8 @@ const OPTIONS pkcs12_options[] = { {NULL} }; +#define PKCS12_DEFAULT_PBE NID_aes_256_cbc + int pkcs12_main(int argc, char **argv) { char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL; @@ -151,8 +154,8 @@ int pkcs12_main(int argc, char **argv) char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = ""; int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0, use_legacy = 0; int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; - int cert_pbe = NID_aes_256_cbc; - int key_pbe = NID_aes_256_cbc; + int cert_pbe = PKCS12_DEFAULT_PBE; + int key_pbe = PKCS12_DEFAULT_PBE; int ret = 1, macver = 1, add_lmk = 0, private = 0; int noprompt = 0; char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL; @@ -164,7 +167,8 @@ int pkcs12_main(int argc, char **argv) BIO *in = NULL, *out = NULL; PKCS12 *p12 = NULL; STACK_OF(OPENSSL_STRING) *canames = NULL; - const EVP_CIPHER *enc = EVP_aes_256_cbc(); + const EVP_CIPHER *const default_enc = EVP_aes_256_cbc(); + const EVP_CIPHER *enc = default_enc; OPTION_CHOICE o; prog = opt_init(argc, argv, pkcs12_options); @@ -373,8 +377,8 @@ int pkcs12_main(int argc, char **argv) if (!app_provider_load(app_get0_libctx(), "default")) goto end; } - if (cert_pbe != NID_pbe_WithSHA1And3_Key_TripleDES_CBC) { - /* Restore default algorithms */ + if (cert_pbe == PKCS12_DEFAULT_PBE) { + /* Adapt default algorithm */ #ifndef OPENSSL_NO_RC2 cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; #else @@ -382,8 +386,10 @@ int pkcs12_main(int argc, char **argv) #endif } - key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - enc = EVP_des_ede3_cbc(); + if (key_pbe == PKCS12_DEFAULT_PBE) + key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + if (enc == default_enc) + enc = EVP_des_ede3_cbc(); } if (argc != 0) |