[openssl] master update
dev at ddvo.net
dev at ddvo.net
Tue Dec 1 16:51:10 UTC 2020
The branch master has been updated
via 9ab9b16bb795f1081e86f11e16a1606790231400 (commit)
from 9feb2fce6553df7b2d75cf283826b97407eea55b (commit)
- Log -----------------------------------------------------------------
commit 9ab9b16bb795f1081e86f11e16a1606790231400
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Thu Nov 26 11:03:24 2020 +0100
apps/pkcs12.c: Correct default legacy algs and make related doc consistent
Reviewed-by: Paul Dale <paul.dale at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/13534)
-----------------------------------------------------------------------
Summary of changes:
apps/pkcs12.c | 38 ++++++++++++++++++++++----------------
doc/man1/openssl-pkcs12.pod.in | 7 ++++---
2 files changed, 26 insertions(+), 19 deletions(-)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 6bc06e370f..e12b359de8 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -64,7 +64,13 @@ typedef enum OPTION_choice {
const OPTIONS pkcs12_options[] = {
OPT_SECTION("General"),
{"help", OPT_HELP, '-', "Display this summary"},
- {"legacy", OPT_LEGACY_ALG, '-', "use legacy algorithms"},
+ {"legacy", OPT_LEGACY_ALG, '-',
+#ifdef OPENSSL_NO_RC2
+ "Use legacy encryption algorithm 3DES_CBC for keys and certs"
+#else
+ "Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs"
+#endif
+ },
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
#endif
@@ -116,18 +122,13 @@ const OPTIONS pkcs12_options[] = {
{"keysig", OPT_KEYSIG, '-', "Set key type to MS key signature"},
OPT_SECTION("PKCS12 output encryption and MAC"),
-#ifndef OPENSSL_NO_RC2
{"descert", OPT_DESCERT, '-',
"Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)"},
{"certpbe", OPT_CERTPBE, 's',
"Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)"},
-#else
- {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"},
- {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"},
-#endif
- {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default 3DES)"},
- {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption key and MAC"},
- {"noiter", OPT_NOITER, '-', "Don't use encryption key iteration"},
+ {"keypbe", OPT_KEYPBE, 's', "Private key PBE algorithm (default AES-256 CBC)"},
+ {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC"},
+ {"noiter", OPT_NOITER, '-', "Don't use encryption iteration"},
{"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"},
{"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"},
{"macalg", OPT_MACALG, 's',
@@ -142,6 +143,8 @@ const OPTIONS pkcs12_options[] = {
{NULL}
};
+#define PKCS12_DEFAULT_PBE NID_aes_256_cbc
+
int pkcs12_main(int argc, char **argv)
{
char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL;
@@ -151,8 +154,8 @@ int pkcs12_main(int argc, char **argv)
char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = "";
int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0, use_legacy = 0;
int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER;
- int cert_pbe = NID_aes_256_cbc;
- int key_pbe = NID_aes_256_cbc;
+ int cert_pbe = PKCS12_DEFAULT_PBE;
+ int key_pbe = PKCS12_DEFAULT_PBE;
int ret = 1, macver = 1, add_lmk = 0, private = 0;
int noprompt = 0;
char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL;
@@ -164,7 +167,8 @@ int pkcs12_main(int argc, char **argv)
BIO *in = NULL, *out = NULL;
PKCS12 *p12 = NULL;
STACK_OF(OPENSSL_STRING) *canames = NULL;
- const EVP_CIPHER *enc = EVP_aes_256_cbc();
+ const EVP_CIPHER *const default_enc = EVP_aes_256_cbc();
+ const EVP_CIPHER *enc = default_enc;
OPTION_CHOICE o;
prog = opt_init(argc, argv, pkcs12_options);
@@ -373,8 +377,8 @@ int pkcs12_main(int argc, char **argv)
if (!app_provider_load(app_get0_libctx(), "default"))
goto end;
}
- if (cert_pbe != NID_pbe_WithSHA1And3_Key_TripleDES_CBC) {
- /* Restore default algorithms */
+ if (cert_pbe == PKCS12_DEFAULT_PBE) {
+ /* Adapt default algorithm */
#ifndef OPENSSL_NO_RC2
cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
#else
@@ -382,8 +386,10 @@ int pkcs12_main(int argc, char **argv)
#endif
}
- key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
- enc = EVP_des_ede3_cbc();
+ if (key_pbe == PKCS12_DEFAULT_PBE)
+ key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+ if (enc == default_enc)
+ enc = EVP_des_ede3_cbc();
}
if (argc != 0)
diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in
index 6c4fbfb563..e5da1ec980 100644
--- a/doc/man1/openssl-pkcs12.pod.in
+++ b/doc/man1/openssl-pkcs12.pod.in
@@ -76,6 +76,7 @@ There are a lot of options the meaning of some depends of whether a PKCS#12 file
is being created or parsed. By default a PKCS#12 file is parsed.
A PKCS#12 file can be created by using the B<-export> option (see below).
Many further options such as B<-chain> make sense only with B<-export>.
+The default encryption algorithm is AES-256-CBC with PBKDF2 for key derivation.
=head1 PARSING OPTIONS
@@ -134,7 +135,7 @@ Use DES to encrypt private keys before outputting.
=item B<-des3>
-Use triple DES to encrypt private keys before outputting, this is the default.
+Use triple DES to encrypt private keys before outputting.
=item B<-idea>
@@ -263,7 +264,7 @@ as well as any untrusted CA certificates given with the B<-untrusted> option.
Encrypt the certificate using triple DES, this may render the PKCS#12
file unreadable by some "export grade" software. By default the private
-key is encrypted using AES and the certificate using triple DES unless
+key and the certificates are encrypted using AES-256-CBC unless
the '-legacy' option is used. If '-descert' is used with the '-legacy'
then both, the private key and the certificate are encrypted using triple DES.
@@ -405,7 +406,7 @@ Include some extra certificates:
openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \
-certfile othercerts.pem
-Export a PKCS#12 file with default encryption algorithms as in the legacy provider:
+Export a PKCS#12 file with default algorithms as in the legacy provider:
openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy
More information about the openssl-commits
mailing list