diff options
author | Jon Spillett <jon.spillett@oracle.com> | 2021-02-17 17:56:36 +1000 |
---|---|---|
committer | Pauli <pauli@openssl.org> | 2021-04-30 09:15:50 +1000 |
commit | b536880c45722777df5ebe62897a6efcef757945 (patch) | |
tree | 015ad29f74586e3407079864fa686ffcde658fad /apps/pkcs12.c | |
parent | d77ba503a2cf1c83098baca345327761b991d191 (diff) |
Add library context and property query support into the PKCS12 API
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14434)
Diffstat (limited to 'apps/pkcs12.c')
-rw-r--r-- | apps/pkcs12.c | 50 |
1 files changed, 37 insertions, 13 deletions
diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 306bcda7b4..c5a8fcdeda 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -58,13 +58,19 @@ typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS, OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER, - OPT_DESCERT, OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, +#ifndef OPENSSL_NO_DES + OPT_DESCERT, +#endif + OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER, OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_NOENC, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE, OPT_INKEY, OPT_CERTFILE, OPT_UNTRUSTED, OPT_PASSCERTS, OPT_NAME, OPT_CSP, OPT_CANAME, OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE, - OPT_R_ENUM, OPT_PROV_ENUM, OPT_LEGACY_ALG + OPT_R_ENUM, OPT_PROV_ENUM, +#ifndef OPENSSL_NO_DES + OPT_LEGACY_ALG +#endif } OPTION_CHOICE; const OPTIONS pkcs12_options[] = { @@ -79,13 +85,15 @@ const OPTIONS pkcs12_options[] = { {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"}, {"nocerts", OPT_NOCERTS, '-', "Don't output certificates"}, {"noout", OPT_NOOUT, '-', "Don't output anything, just verify PKCS#12 input"}, +#ifndef OPENSSL_NO_DES {"legacy", OPT_LEGACY_ALG, '-', -#ifdef OPENSSL_NO_RC2 +# ifdef OPENSSL_NO_RC2 "Use legacy encryption algorithm 3DES_CBC for keys and certs" -#else +# else "Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs" -#endif +# endif }, +#endif #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif @@ -130,8 +138,10 @@ const OPTIONS pkcs12_options[] = { {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default AES-256 CBC)"}, {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)"}, +#ifndef OPENSSL_NO_DES {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)"}, +#endif {"macalg", OPT_MACALG, 's', "Digest algorithm to use in MAC (default SHA1)"}, {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC"}, @@ -149,7 +159,10 @@ int pkcs12_main(int argc, char **argv) char *passcertsarg = NULL, *passcerts = NULL; char *name = NULL, *csp_name = NULL; char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = ""; - int export_pkcs12 = 0, options = 0, chain = 0, twopass = 0, keytype = 0, use_legacy = 0; + int export_pkcs12 = 0, options = 0, chain = 0, twopass = 0, keytype = 0; +#ifndef OPENSSL_NO_DES + int use_legacy = 0; +#endif /* use library defaults for the iter, maciter, cert, and key PBE */ int iter = 0, maciter = 0; int cert_pbe = NID_undef; @@ -214,9 +227,11 @@ int pkcs12_main(int argc, char **argv) case OPT_NOMACVER: macver = 0; break; +#ifndef OPENSSL_NO_DES case OPT_DESCERT: cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; break; +#endif case OPT_EXPORT: export_pkcs12 = 1; break; @@ -328,9 +343,11 @@ int pkcs12_main(int argc, char **argv) case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; +#ifndef OPENSSL_NO_DES case OPT_LEGACY_ALG: use_legacy = 1; break; +#endif case OPT_PROV_CASES: if (!opt_provider(o)) goto end; @@ -410,6 +427,7 @@ int pkcs12_main(int argc, char **argv) if (cert_pbe == -1 && maciter == -1) WARN_NO_EXPORT("nomac"); } +#ifndef OPENSSL_NO_DES if (use_legacy) { /* load the legacy provider if not loaded already*/ if (!OSSL_PROVIDER_available(app_get0_libctx(), "legacy")) { @@ -421,11 +439,11 @@ int pkcs12_main(int argc, char **argv) } if (cert_pbe == NID_undef) { /* Adapt default algorithm */ -#ifndef OPENSSL_NO_RC2 +# ifndef OPENSSL_NO_RC2 cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; -#else +# else cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; -#endif +# endif } if (key_pbe == NID_undef) @@ -435,7 +453,7 @@ int pkcs12_main(int argc, char **argv) if (macalg == NULL) macalg = "sha1"; } - +#endif private = 1; @@ -643,8 +661,9 @@ int pkcs12_main(int argc, char **argv) if (!twopass) OPENSSL_strlcpy(macpass, pass, sizeof(macpass)); - p12 = PKCS12_create(cpass, name, key, ee_cert, certs, - key_pbe, cert_pbe, iter, -1, keytype); + p12 = PKCS12_create_ex(cpass, name, key, ee_cert, certs, + key_pbe, cert_pbe, iter, -1, keytype, + app_get0_libctx(), app_get0_propq()); if (p12 == NULL) { BIO_printf(bio_err, "Error creating PKCS12 structure for %s\n", @@ -694,7 +713,12 @@ int pkcs12_main(int argc, char **argv) if (out == NULL) goto end; - if ((p12 = d2i_PKCS12_bio(in, NULL)) == NULL) { + p12 = PKCS12_init_ex(NID_pkcs7_data, app_get0_libctx(), app_get0_propq()); + if (p12 == NULL) { + ERR_print_errors(bio_err); + goto end; + } + if ((p12 = d2i_PKCS12_bio(in, &p12)) == NULL) { ERR_print_errors(bio_err); goto end; } |