Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 30 additions & 19 deletions apps/pkcs12.c
Original file line number Diff line number Diff line change
Expand Up @@ -195,6 +195,13 @@ const OPTIONS pkcs12_options[] = {
{ NULL }
};

#define WARN_DUP(opt, var) \
{ \
if (var) \
BIO_printf(bio_err, "Warning: earlier -%s option argument is ignored: %s\n", opt, var); \
}
#define SET_WARN_DUP(opt, var) { WARN_DUP(opt, var); var = opt_arg(); }
#define SET_INT_WARN_DUP(opt, var) { WARN_DUP(opt, var); var = opt_int_arg(); }
int pkcs12_main(int argc, char **argv)
{
char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL;
Expand Down Expand Up @@ -261,7 +268,7 @@ int pkcs12_main(int argc, char **argv)
options |= (NOKEYS | NOCERTS);
break;
case OPT_JDKTRUST:
jdktrust = opt_arg();
SET_WARN_DUP("jdktrust", jdktrust);
/* Adding jdk trust implies nokeys */
options |= NOKEYS;
break;
Expand Down Expand Up @@ -296,10 +303,12 @@ int pkcs12_main(int argc, char **argv)
ciphername = NULL;
break;
case OPT_CIPHER:
WARN_DUP("cipher", ciphername);
enc_name = ciphername = opt_unknown();
break;
case OPT_ITER:
maciter = iter = opt_int_arg();
SET_INT_WARN_DUP("iter", iter);
maciter = iter;
break;
case OPT_NOITER:
iter = 1;
Expand All @@ -311,26 +320,28 @@ int pkcs12_main(int argc, char **argv)
maciter = 1;
break;
case OPT_MACSALTLEN:
macsaltlen = opt_int_arg();
SET_INT_WARN_DUP("macsaltlen", macsaltlen)
break;
case OPT_NOMAC:
cert_pbe = -1;
maciter = -1;
break;
case OPT_MACALG:
macalg = opt_arg();
SET_WARN_DUP("macalg", macalg);
break;
case OPT_PBMAC1_PBKDF2:
pbmac1_pbkdf2 = 1;
break;
case OPT_PBMAC1_PBKDF2_MD:
pbmac1_pbkdf2_md = opt_arg();
SET_WARN_DUP("pbmac1_pbkdf2_md", pbmac1_pbkdf2_md);
break;
case OPT_CERTPBE:
WARN_DUP("certpbe", cert_pbe);
if (!set_pbe(&cert_pbe, opt_arg()))
goto opthelp;
break;
case OPT_KEYPBE:
WARN_DUP("keypbe", key_pbe);
if (!set_pbe(&key_pbe, opt_arg()))
goto opthelp;
break;
Expand All @@ -339,25 +350,25 @@ int pkcs12_main(int argc, char **argv)
goto end;
break;
case OPT_INKEY:
keyname = opt_arg();
SET_WARN_DUP("inkey", keyname);
break;
case OPT_CERTFILE:
certfile = opt_arg();
SET_WARN_DUP("certfile", certfile);
break;
case OPT_UNTRUSTED:
untrusted = opt_arg();
SET_WARN_DUP("untrusted", untrusted);
break;
case OPT_PASSCERTS:
passcertsarg = opt_arg();
SET_WARN_DUP("passcerts", passcertsarg);
break;
case OPT_NAME:
name = opt_arg();
SET_WARN_DUP("name", name);
break;
case OPT_LMK:
add_lmk = 1;
break;
case OPT_CSP:
csp_name = opt_arg();
SET_WARN_DUP("csp", csp_name);
break;
case OPT_CANAME:
if (canames == NULL
Expand All @@ -367,28 +378,28 @@ int pkcs12_main(int argc, char **argv)
goto end;
break;
case OPT_IN:
infile = opt_arg();
SET_WARN_DUP("in", infile);
break;
case OPT_OUT:
outfile = opt_arg();
SET_WARN_DUP("out", outfile);
break;
case OPT_PASSIN:
passinarg = opt_arg();
SET_WARN_DUP("passin", passinarg);
break;
case OPT_PASSOUT:
passoutarg = opt_arg();
SET_WARN_DUP("passout", passoutarg);
break;
case OPT_PASSWORD:
passarg = opt_arg();
SET_WARN_DUP("password", passarg);
break;
case OPT_CAPATH:
CApath = opt_arg();
SET_WARN_DUP("CApath", CApath);
break;
case OPT_CASTORE:
CAstore = opt_arg();
SET_WARN_DUP("CAstore", CAstore);
break;
case OPT_CAFILE:
CAfile = opt_arg();
SET_WARN_DUP("CAfile", CAfile);
break;
case OPT_NOCAPATH:
noCApath = 1;
Expand Down
18 changes: 13 additions & 5 deletions doc/man1/openssl-pkcs12.pod.in
Original file line number Diff line number Diff line change
Expand Up @@ -77,19 +77,27 @@ PKCS#12 output (export) options:
=head1 DESCRIPTION

This command allows PKCS#12 files (sometimes referred to as
PFX files) to be created and parsed. PKCS#12 files are used by several
programs including Netscape, MSIE and MS Outlook.
PFX files) to be created and parsed.
These files are typically used to store a private key and related certificates
in a structure protected for confidentiality and integrity using a password,
also known as Personal Security Environment (PSE).

=head1 OPTIONS

There are a lot of options the meaning of some depends of whether a PKCS#12 file
is being created or parsed. By default a PKCS#12 file is parsed.
A PKCS#12 file can be created by using the B<-export> option (see below).
By default a PKCS#12 file is parsed.
To create a PKCS#12 file the B<-export> option (see below) needs to be given.

For some options the meaning depends of whether a PKCS#12 file
is being created or parsed.

The PKCS#12 export encryption and MAC options such as B<-certpbe> and B<-iter>
and many further options such as B<-chain> are relevant only with B<-export>.
Conversely, the options regarding encryption of private keys when outputting
PKCS#12 input are relevant only when the B<-export> option is not given.

Unless stated explcitly below, if an option is given multiple times
(possibly with different arguments), only the last one takes effect.

The default encryption algorithm is AES-256-CBC with PBKDF2 for key derivation.

When encountering problems loading legacy PKCS#12 files that involve,
Expand Down