From b536880c45722777df5ebe62897a6efcef757945 Mon Sep 17 00:00:00 2001
From: Jon Spillett <jon.spillett@oracle.com>
Date: Wed, 17 Feb 2021 17:56:36 +1000
Subject: Add library context and property query support into the PKCS12 API

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14434)
---
 apps/build.info |  5 +----
 apps/pkcs12.c   | 50 +++++++++++++++++++++++++++++++++++++-------------
 apps/progs.pl   |  1 -
 3 files changed, 38 insertions(+), 18 deletions(-)

(limited to 'apps')

diff --git a/apps/build.info b/apps/build.info
index aa91ebbb95..cba9803c65 100644
--- a/apps/build.info
+++ b/apps/build.info
@@ -18,10 +18,7 @@ $OPENSSLSRC=\
         pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c \
         s_client.c s_server.c s_time.c sess_id.c smime.c speed.c \
         spkac.c verify.c version.c x509.c rehash.c storeutl.c \
-        list.c info.c fipsinstall.c
-IF[{- !$disabled{'des'} -}]
-  $OPENSSLSRC=$OPENSSLSRC pkcs12.c
-ENDIF
+        list.c info.c fipsinstall.c pkcs12.c
 IF[{- !$disabled{'ec'} -}]
   $OPENSSLSRC=$OPENSSLSRC ec.c ecparam.c
 ENDIF
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 306bcda7b4..c5a8fcdeda 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -58,13 +58,19 @@ typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
     OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS,
     OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER,
-    OPT_DESCERT, OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER,
+#ifndef OPENSSL_NO_DES
+    OPT_DESCERT,
+#endif
+    OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER,
     OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_NOENC, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE,
     OPT_INKEY, OPT_CERTFILE, OPT_UNTRUSTED, OPT_PASSCERTS,
     OPT_NAME, OPT_CSP, OPT_CANAME,
     OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH,
     OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE,
-    OPT_R_ENUM, OPT_PROV_ENUM, OPT_LEGACY_ALG
+    OPT_R_ENUM, OPT_PROV_ENUM, 
+#ifndef OPENSSL_NO_DES
+    OPT_LEGACY_ALG
+#endif
 } OPTION_CHOICE;
 
 const OPTIONS pkcs12_options[] = {
@@ -79,13 +85,15 @@ const OPTIONS pkcs12_options[] = {
     {"nokeys", OPT_NOKEYS, '-', "Don't output private keys"},
     {"nocerts", OPT_NOCERTS, '-', "Don't output certificates"},
     {"noout", OPT_NOOUT, '-', "Don't output anything, just verify PKCS#12 input"},
+#ifndef OPENSSL_NO_DES
     {"legacy", OPT_LEGACY_ALG, '-',
-#ifdef OPENSSL_NO_RC2
+# ifdef OPENSSL_NO_RC2
      "Use legacy encryption algorithm 3DES_CBC for keys and certs"
-#else
+# else
      "Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs"
-#endif
+# endif
     },
+#endif
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
@@ -130,8 +138,10 @@ const OPTIONS pkcs12_options[] = {
     {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default AES-256 CBC)"},
     {"certpbe", OPT_CERTPBE, 's',
      "Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)"},
+#ifndef OPENSSL_NO_DES
     {"descert", OPT_DESCERT, '-',
      "Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)"},
+#endif
     {"macalg", OPT_MACALG, 's',
      "Digest algorithm to use in MAC (default SHA1)"},
     {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC"},
@@ -149,7 +159,10 @@ int pkcs12_main(int argc, char **argv)
     char *passcertsarg = NULL, *passcerts = NULL;
     char *name = NULL, *csp_name = NULL;
     char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = "";
-    int export_pkcs12 = 0, options = 0, chain = 0, twopass = 0, keytype = 0, use_legacy = 0;
+    int export_pkcs12 = 0, options = 0, chain = 0, twopass = 0, keytype = 0;
+#ifndef OPENSSL_NO_DES
+    int use_legacy = 0;
+#endif
     /* use library defaults for the iter, maciter, cert, and key PBE */
     int iter = 0, maciter = 0;
     int cert_pbe = NID_undef;
@@ -214,9 +227,11 @@ int pkcs12_main(int argc, char **argv)
         case OPT_NOMACVER:
             macver = 0;
             break;
+#ifndef OPENSSL_NO_DES
         case OPT_DESCERT:
             cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
             break;
+#endif
         case OPT_EXPORT:
             export_pkcs12 = 1;
             break;
@@ -328,9 +343,11 @@ int pkcs12_main(int argc, char **argv)
         case OPT_ENGINE:
             e = setup_engine(opt_arg(), 0);
             break;
+#ifndef OPENSSL_NO_DES
         case OPT_LEGACY_ALG:
             use_legacy = 1;
             break;
+#endif
         case OPT_PROV_CASES:
             if (!opt_provider(o))
                 goto end;
@@ -410,6 +427,7 @@ int pkcs12_main(int argc, char **argv)
         if (cert_pbe == -1 && maciter == -1)
             WARN_NO_EXPORT("nomac");
     }
+#ifndef OPENSSL_NO_DES
     if (use_legacy) {
         /* load the legacy provider if not loaded already*/
         if (!OSSL_PROVIDER_available(app_get0_libctx(), "legacy")) {
@@ -421,11 +439,11 @@ int pkcs12_main(int argc, char **argv)
         }
         if (cert_pbe == NID_undef) {
             /* Adapt default algorithm */
-#ifndef OPENSSL_NO_RC2
+# ifndef OPENSSL_NO_RC2
             cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
-#else
+# else
             cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-#endif
+# endif
         }
 
         if (key_pbe == NID_undef)
@@ -435,7 +453,7 @@ int pkcs12_main(int argc, char **argv)
         if (macalg == NULL)
             macalg = "sha1";
     }
-
+#endif
 
     private = 1;
 
@@ -643,8 +661,9 @@ int pkcs12_main(int argc, char **argv)
         if (!twopass)
             OPENSSL_strlcpy(macpass, pass, sizeof(macpass));
 
-        p12 = PKCS12_create(cpass, name, key, ee_cert, certs,
-                            key_pbe, cert_pbe, iter, -1, keytype);
+        p12 = PKCS12_create_ex(cpass, name, key, ee_cert, certs,
+                               key_pbe, cert_pbe, iter, -1, keytype,
+                               app_get0_libctx(), app_get0_propq());
 
         if (p12 == NULL) {
             BIO_printf(bio_err, "Error creating PKCS12 structure for %s\n",
@@ -694,7 +713,12 @@ int pkcs12_main(int argc, char **argv)
     if (out == NULL)
         goto end;
 
-    if ((p12 = d2i_PKCS12_bio(in, NULL)) == NULL) {
+    p12 = PKCS12_init_ex(NID_pkcs7_data, app_get0_libctx(), app_get0_propq());
+    if (p12 == NULL) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    if ((p12 = d2i_PKCS12_bio(in, &p12)) == NULL) {
         ERR_print_errors(bio_err);
         goto end;
     }
diff --git a/apps/progs.pl b/apps/progs.pl
index a03b83139c..74461f5b3f 100644
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -98,7 +98,6 @@ EOF
         gendh    => "dh",
         dhparam  => "dh",
         ecparam  => "ec",
-        pkcs12   => "des",
     );
     my %cmd_deprecated = (
 # The format of this table is:
-- 
cgit v1.2.3