2002-10-09 20:06:58 +08:00
|
|
|
=pod
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
2022-08-19 15:46:47 +08:00
|
|
|
PKCS12_create, PKCS12_create_ex, PKCS12_create_cb, PKCS12_create_ex2 - create a PKCS#12 structure
|
2002-10-09 20:06:58 +08:00
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
#include <openssl/pkcs12.h>
|
|
|
|
|
2016-06-08 06:01:33 +08:00
|
|
|
PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey,
|
|
|
|
X509 *cert, STACK_OF(X509) *ca,
|
|
|
|
int nid_key, int nid_cert, int iter, int mac_iter, int keytype);
|
2021-02-17 15:56:36 +08:00
|
|
|
PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey,
|
|
|
|
X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert,
|
|
|
|
int iter, int mac_iter, int keytype,
|
|
|
|
OSSL_LIB_CTX *ctx, const char *propq);
|
2002-10-09 20:06:58 +08:00
|
|
|
|
2022-08-19 15:46:47 +08:00
|
|
|
typedef int PKCS12_create_cb(PKCS12_SAFEBAG *bag, void *cbarg);
|
|
|
|
|
|
|
|
PKCS12 *PKCS12_create_ex2(const char *pass, const char *name, EVP_PKEY *pkey,
|
|
|
|
X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert,
|
|
|
|
int iter, int mac_iter, int keytype,
|
|
|
|
OSSL_LIB_CTX *ctx, const char *propq,
|
|
|
|
PKCS12_create_cb *cb, void *cbarg);
|
2002-10-09 20:06:58 +08:00
|
|
|
=head1 DESCRIPTION
|
|
|
|
|
|
|
|
PKCS12_create() creates a PKCS#12 structure.
|
|
|
|
|
2021-03-06 05:11:49 +08:00
|
|
|
I<pass> is the passphrase to use. I<name> is the B<friendlyName> to use for
|
|
|
|
the supplied certificate and key. I<pkey> is the private key to include in
|
2021-02-17 15:56:36 +08:00
|
|
|
the structure and I<cert> its corresponding certificates. I<ca>, if not B<NULL>
|
2002-10-09 20:06:58 +08:00
|
|
|
is an optional set of certificates to also include in the structure.
|
|
|
|
|
2021-03-06 05:11:49 +08:00
|
|
|
I<nid_key> and I<nid_cert> are the encryption algorithms that should be used
|
2018-05-11 03:14:12 +08:00
|
|
|
for the key and certificate respectively. The modes
|
2021-03-06 05:11:49 +08:00
|
|
|
GCM, CCM, XTS, and OCB are unsupported. I<iter> is the encryption algorithm
|
|
|
|
iteration count to use and I<mac_iter> is the MAC iteration count to use.
|
|
|
|
I<keytype> is the type of key.
|
2002-10-09 20:06:58 +08:00
|
|
|
|
2021-02-17 15:56:36 +08:00
|
|
|
PKCS12_create_ex() is identical to PKCS12_create() but allows for a library context
|
|
|
|
I<ctx> and property query I<propq> to be used to select algorithm implementations.
|
|
|
|
|
2022-08-19 15:46:47 +08:00
|
|
|
PKCS12_create_ex2() is identical to PKCS12_create_ex() but allows for a user defined
|
2023-12-07 08:54:34 +08:00
|
|
|
callback I<cb> of type B<PKCS12_create_cb> to be specified and also allows for an
|
2022-08-19 15:46:47 +08:00
|
|
|
optional argument I<cbarg> to be passed back to the callback.
|
|
|
|
|
|
|
|
The I<cb> if specified will be called for every safebag added to the
|
|
|
|
PKCS12 structure and allows for optional application processing on the associated
|
|
|
|
safebag. For example one such use could be to add attributes to the safebag.
|
|
|
|
|
2002-10-09 20:06:58 +08:00
|
|
|
=head1 NOTES
|
|
|
|
|
2021-03-06 05:11:49 +08:00
|
|
|
The parameters I<nid_key>, I<nid_cert>, I<iter>, I<mac_iter> and I<keytype>
|
2002-10-09 20:06:58 +08:00
|
|
|
can all be set to zero and sensible defaults will be used.
|
|
|
|
|
2021-03-06 05:11:49 +08:00
|
|
|
These defaults are: AES password based encryption (PBES2 with PBKDF2 and
|
|
|
|
AES-256-CBC) for private keys and certificates, the PBKDF2 and MAC key
|
|
|
|
derivation iteration count of B<PKCS12_DEFAULT_ITER> (currently 2048), and
|
2023-09-05 17:13:47 +08:00
|
|
|
MAC algorithm HMAC with SHA2-256. The MAC key derivation algorithm used
|
|
|
|
for the outer PKCS#12 structure is PKCS12KDF.
|
2002-10-09 20:06:58 +08:00
|
|
|
|
2021-02-17 15:56:36 +08:00
|
|
|
The default MAC iteration count is 1 in order to retain compatibility with
|
|
|
|
old software which did not interpret MAC iteration counts. If such compatibility
|
|
|
|
is not required then I<mac_iter> should be set to PKCS12_DEFAULT_ITER.
|
|
|
|
|
2021-03-06 05:11:49 +08:00
|
|
|
I<keytype> adds a flag to the store private key. This is a non standard extension
|
2002-10-09 20:06:58 +08:00
|
|
|
that is only currently interpreted by MSIE. If set to zero the flag is omitted,
|
|
|
|
if set to B<KEY_SIG> the key can be used for signing only, if set to B<KEY_EX>
|
|
|
|
it can be used for signing and encryption. This option was useful for old
|
|
|
|
export grade software which could use signing only keys of arbitrary size but
|
|
|
|
had restrictions on the permissible sizes of keys which could be used for
|
|
|
|
encryption.
|
|
|
|
|
2024-01-03 19:03:03 +08:00
|
|
|
If I<name> is B<NULL> and I<cert> contains an I<alias> then this will be
|
|
|
|
used for the corresponding B<friendlyName> in the PKCS12 structure instead.
|
|
|
|
Similarly, if I<pkey> is NULL and I<cert> contains a I<keyid> then this will be
|
|
|
|
used for the corresponding B<localKeyID> in the PKCS12 structure instead of the
|
|
|
|
id calculated from the I<pkey>.
|
|
|
|
|
|
|
|
For all certificates in I<ca> then if a certificate contains an I<alias> or
|
|
|
|
I<keyid> then this will be used for the corresponding B<friendlyName> or
|
|
|
|
B<localKeyID> in the PKCS12 structure.
|
2002-10-10 01:05:05 +08:00
|
|
|
|
2021-02-17 15:56:36 +08:00
|
|
|
Either I<pkey>, I<cert> or both can be B<NULL> to indicate that no key or
|
2015-04-14 02:05:13 +08:00
|
|
|
certificate is required. In previous versions both had to be present or
|
2002-10-09 20:06:58 +08:00
|
|
|
a fatal error is returned.
|
|
|
|
|
2021-03-06 05:11:49 +08:00
|
|
|
I<nid_key> or I<nid_cert> can be set to -1 indicating that no encryption
|
2016-05-20 20:11:46 +08:00
|
|
|
should be used.
|
2002-10-09 20:06:58 +08:00
|
|
|
|
2021-03-06 05:11:49 +08:00
|
|
|
I<mac_iter> can be set to -1 and the MAC will then be omitted entirely.
|
2023-09-05 17:13:47 +08:00
|
|
|
This can be useful when running with the FIPS provider as the PKCS12KDF
|
|
|
|
is not a FIPS approvable algorithm.
|
2002-10-09 20:06:58 +08:00
|
|
|
|
2018-05-13 17:35:14 +08:00
|
|
|
PKCS12_create() makes assumptions regarding the encoding of the given pass
|
|
|
|
phrase.
|
|
|
|
See L<passphrase-encoding(7)> for more information.
|
|
|
|
|
2022-08-19 15:46:47 +08:00
|
|
|
If I<cb> is specified, then it should return 1 for success and -1 for a fatal error.
|
|
|
|
A return of 0 is intended to mean to not add the bag after all.
|
|
|
|
|
2017-12-25 17:50:39 +08:00
|
|
|
=head1 RETURN VALUES
|
|
|
|
|
|
|
|
PKCS12_create() returns a valid B<PKCS12> structure or NULL if an error occurred.
|
|
|
|
|
2021-02-17 15:56:36 +08:00
|
|
|
=head1 CONFORMING TO
|
|
|
|
|
|
|
|
IETF RFC 7292 (L<https://tools.ietf.org/html/rfc7292>)
|
|
|
|
|
2002-10-09 20:06:58 +08:00
|
|
|
=head1 SEE ALSO
|
|
|
|
|
2023-09-05 17:13:47 +08:00
|
|
|
L<EVP_KDF-PKCS12KDF(7)>,
|
2018-05-13 17:35:14 +08:00
|
|
|
L<d2i_PKCS12(3)>,
|
2023-09-05 17:13:47 +08:00
|
|
|
L<OSSL_PROVIDER-FIPS(7)>,
|
2018-05-13 17:35:14 +08:00
|
|
|
L<passphrase-encoding(7)>
|
2002-10-09 20:06:58 +08:00
|
|
|
|
2021-03-06 05:11:49 +08:00
|
|
|
=head1 HISTORY
|
|
|
|
|
2021-02-17 15:56:36 +08:00
|
|
|
PKCS12_create_ex() was added in OpenSSL 3.0.
|
2022-10-05 23:52:46 +08:00
|
|
|
PKCS12_create_ex2() was added in OpenSSL 3.2.
|
2021-02-17 15:56:36 +08:00
|
|
|
|
2021-03-06 05:11:49 +08:00
|
|
|
The defaults for encryption algorithms, MAC algorithm, and the MAC key
|
|
|
|
derivation iteration count were changed in OpenSSL 3.0 to more modern
|
|
|
|
standards.
|
|
|
|
|
2016-05-18 23:44:05 +08:00
|
|
|
=head1 COPYRIGHT
|
|
|
|
|
2024-03-20 20:07:54 +08:00
|
|
|
Copyright 2002-2024 The OpenSSL Project Authors. All Rights Reserved.
|
2016-05-18 23:44:05 +08:00
|
|
|
|
2018-12-06 21:04:44 +08:00
|
|
|
Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-05-18 23:44:05 +08:00
|
|
|
this file except in compliance with the License. You can obtain a copy
|
|
|
|
in the file LICENSE in the source distribution or at
|
|
|
|
L<https://www.openssl.org/source/license.html>.
|
|
|
|
|
|
|
|
=cut
|