Diffstat (limited to 'doc/man3/PKCS12_create.pod')
-rw-r--r--  doc/man3/PKCS12_create.pod  23
1 files changed, 20 insertions, 3 deletions
diff --git a/doc/man3/PKCS12_create.pod b/doc/man3/PKCS12_create.pod index be898c6795..dc0f06d9d3 100644 --- a/doc/man3/PKCS12_create.pod +++ b/doc/man3/PKCS12_create.pod @@ -2,7 +2,7 @@ =head1 NAME -PKCS12_create - create a PKCS#12 structure +PKCS12_create, PKCS12_create_ex - create a PKCS#12 structure =head1 SYNOPSIS @@ -11,6 +11,10 @@ PKCS12_create - create a PKCS#12 structure PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter, int keytype); + PKCS12 *PKCS12_create_ex(const char *pass, const char *name, EVP_PKEY *pkey, + X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, + int iter, int mac_iter, int keytype, + OSSL_LIB_CTX *ctx, const char *propq); =head1 DESCRIPTION @@ -18,7 +22,7 @@ PKCS12_create() creates a PKCS#12 structure. I<pass> is the passphrase to use. I<name> is the B<friendlyName> to use for the supplied certificate and key. I<pkey> is the private key to include in -the structure and I<cert> its corresponding certificates. I<ca>, if not NULL +the structure and I<cert> its corresponding certificates. I<ca>, if not B<NULL> is an optional set of certificates to also include in the structure. I<nid_key> and I<nid_cert> are the encryption algorithms that should be used @@ -27,6 +31,9 @@ GCM, CCM, XTS, and OCB are unsupported. I<iter> is the encryption algorithm iteration count to use and I<mac_iter> is the MAC iteration count to use. I<keytype> is the type of key. +PKCS12_create_ex() is identical to PKCS12_create() but allows for a library context +I<ctx> and property query I<propq> to be used to select algorithm implementations. + =head1 NOTES The parameters I<nid_key>, I<nid_cert>, I<iter>, I<mac_iter> and I<keytype> 
@@ -37,6 +44,10 @@ AES-256-CBC) for private keys and certificates, the PBKDF2 and MAC key derivation iteration count of B<PKCS12_DEFAULT_ITER> (currently 2048), and MAC algorithm HMAC with SHA2-256. +The default MAC iteration count is 1 in order to retain compatibility with +old software which did not interpret MAC iteration counts. If such compatibility +is not required then I<mac_iter> should be set to PKCS12_DEFAULT_ITER. + I<keytype> adds a flag to the store private key. This is a non standard extension that is only currently interpreted by MSIE. If set to zero the flag is omitted, if set to B<KEY_SIG> the key can be used for signing only, if set to B<KEY_EX> @@ -49,7 +60,7 @@ If a certificate contains an I<alias> or I<keyid> then this will be used for the corresponding B<friendlyName> or B<localKeyID> in the PKCS12 structure. -Either I<pkey>, I<cert> or both can be NULL to indicate that no key or +Either I<pkey>, I<cert> or both can be B<NULL> to indicate that no key or certificate is required. In previous versions both had to be present or a fatal error is returned. @@ -66,6 +77,10 @@ See L<passphrase-encoding(7)> for more information. PKCS12_create() returns a valid B<PKCS12> structure or NULL if an error occurred. +=head1 CONFORMING TO + +IETF RFC 7292 (L<https://tools.ietf.org/html/rfc7292>) + =head1 SEE ALSO L<d2i_PKCS12(3)>, @@ -73,6 +88,8 @@ L<passphrase-encoding(7)> =head1 HISTORY +PKCS12_create_ex() was added in OpenSSL 3.0. + The defaults for encryption algorithms, MAC algorithm, and the MAC key derivation iteration count were changed in OpenSSL 3.0 to more modern standards. |
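Review bot: in the DESCRIPTION hunk (`@@ -18,7 +22,7 @@`), the unchanged context line `the structure and I<cert> its corresponding certificates.` should read `certificate`: I<cert> is a single B<X509 *>, and the set of additional certificates is I<ca>, which the following sentence already describes. Since this paragraph is being touched anyway for the `NULL` to `B<NULL>` change, fix the plural in the same hunk.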
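Review bot: the paragraph added in the NOTES hunk (`@@ -37,6 +44,10 @@`) contradicts the sentence it follows. The preceding context states that the default is `the PBKDF2 and MAC key derivation iteration count of B<PKCS12_DEFAULT_ITER> (currently 2048)`, and the HISTORY hunk in this same patch says the MAC key derivation iteration count was changed in OpenSSL 3.0 to more modern standards; the new text then asserts `The default MAC iteration count is 1`. Both cannot be true. If the 3.0 default really is PKCS12_DEFAULT_ITER, this paragraph should be dropped, or rewritten to say that I<mac_iter> may be set to 1 only when compatibility with old software that did not interpret MAC iteration counts is required, rather than presenting 1 as the default. In either form, write the constant as B<PKCS12_DEFAULT_ITER> to match the surrounding markup.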
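Review bot: in the RETURN VALUES hunk (`@@ -66,6 +77,10 @@`), the context line `PKCS12_create() returns a valid B<PKCS12> structure or NULL if an error occurred.` is not updated for the new function; it should cover PKCS12_create_ex() too (for example `PKCS12_create() and PKCS12_create_ex() return a valid B<PKCS12> structure or B<NULL> if an error occurred.`), and this `NULL` should become `B<NULL>` for consistency with the two occurrences this patch already converts. The added CONFORMING TO section is fine as written.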