PKCS#8 support for alternative PRFs.

Add option to set an alternative to the default hmacWithSHA1 PRF for PKCS#8 private key encryptions. This is used automatically by PKCS8_encrypt if the nid specified is a PRF. Add option to pkcs8 utility. Update docs. (cherry picked from commit b60272b01fcb4f69201b3e1659b4f7e9e9298dfb)
author: Dr. Stephen Henson <steve@openssl.org> 2014-02-28 17:23:54 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2014-03-01 23:16:08 +0000
commit: 5693a30813a031d3921a016a870420e7eb93ec90 (patch)
tree: 0a9f590ad64e6df7d64a732e7f0c18f302e5b537 /crypto/pkcs12/p12_p8e.c
parent: 01757858feb3590b175b40d7e0e73da8255d6c50 (diff)
1 files changed, 9 insertions, 2 deletions
diff --git a/crypto/pkcs12/p12_p8e.c b/crypto/pkcs12/p12_p8e.c
index bf20a77b4c..1adb969fc4 100644
--- a/crypto/pkcs12/p12_p8e.c
+++ b/crypto/pkcs12/p12_p8e.c
@@ -73,8 +73,15 @@ X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
 		goto err;
 	}
 
-	if(pbe_nid == -1) pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
-	else pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+	if(pbe_nid == -1)
+		pbe = PKCS5_pbe2_set(cipher, iter, salt, saltlen);
+	else if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0))
+		pbe = PKCS5_pbe2_set_iv(cipher, iter, salt, saltlen, NULL, pbe_nid);
+	else
+		{
+		ERR_clear_error();
+		pbe = PKCS5_pbe_set(pbe_nid, iter, salt, saltlen);
+		}
 	if(!pbe) {
 		PKCS12err(PKCS12_F_PKCS8_ENCRYPT, ERR_R_ASN1_LIB);
 		goto err;
author	Dr. Stephen Henson <steve@openssl.org>	2014-02-28 17:23:54 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2014-03-01 23:16:08 +0000
commit	5693a30813a031d3921a016a870420e7eb93ec90 (patch)
tree	0a9f590ad64e6df7d64a732e7f0c18f302e5b537 /crypto/pkcs12/p12_p8e.c
parent	01757858feb3590b175b40d7e0e73da8255d6c50 (diff)