RFC 9579 support - documentation

beldmit · Jun 6, 2024 · d20797e · d20797e
1 parent e385a0f
commit d20797e
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 5 deletions.
diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in
@@ -62,6 +62,8 @@ PKCS#12 output (export) options:
 [B<-certpbe> I<cipher>]
 [B<-descert>]
 [B<-macalg> I<digest>]
+[B<-pbmac1>]
+[B<-pbmac1_kdf_md> I<digest>]
 [B<-iter> I<count>]
 [B<-noiter>]
 [B<-nomaciter>]
@@ -341,10 +343,18 @@ key and the certificates are encrypted using AES-256-CBC unless
 the '-legacy' option is used. If '-descert' is used with the '-legacy'
 then both, the private key and the certificates are encrypted using triple DES.
 
+=item B<-pbmac1> I<digest>
+
+Use PBMAC1 for MAC protection of the PKCS#12 file.
+
 =item B<-macalg> I<digest>
 
 Specify the MAC digest algorithm. If not included SHA256 will be used.
 
+=item B<-pbmac1_kdf_md> I<digest>
+
+Specify the PBMAC1 KDF digest algorithm. If not included SHA256 will be used.
+
 =item B<-iter> I<count>
 
 This option specifies the iteration count for the encryption key and MAC. The

diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod
@@ -15,6 +15,9 @@ PKCS12_verify_mac - Functions to create and manipulate a PKCS#12 structure
  int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
                     unsigned char *salt, int saltlen, int iter,
                     const EVP_MD *md_type);
+ int PKCS12_set_pbmac1(PKCS12 *p12, const char *pass, int passlen,
+                   unsigned char *salt, int saltlen, int iter,
+                   const EVP_MD *md_type, const char *prf_md_name);
  int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
                       int saltlen, const EVP_MD *md_type);
 
@@ -31,10 +34,12 @@ PKCS12_setup_mac() sets the MAC part of the PKCS#12 structure with the supplied
 parameters.
 
 PKCS12_set_mac() sets the MAC and MAC parameters into the PKCS#12 object.
+PKCS12_set_pbmac1() sets the MAC and MAC parameters into the PKCS#12 object
+when B<PBMAC1> is used for protection of the PKCS#12 object.
 
 I<pass> is the passphrase to use in the HMAC. I<salt> is the salt value to use,
 I<iter> is the iteration count and I<md_type> is the message digest
-function to use.
+function to use. I<prf_md_name> specifies the digest used for PBMAC1 KDF.
 
 =head1 NOTES
 
@@ -43,9 +48,9 @@ If I<salt> is NULL then a suitable salt will be generated and used.
 If I<iter> is 1 then an iteration count will be omitted from the PKCS#12
 structure.
 
-PKCS12_gen_mac(), PKCS12_verify_mac() and PKCS12_set_mac() make assumptions
-regarding the encoding of the given passphrase. See L<passphrase-encoding(7)>
-for more information.
+PKCS12_gen_mac(), PKCS12_verify_mac(), PKCS12_set_mac() and PKCS12_set_pbmac1()
+make assumptions regarding the encoding of the given passphrase. See
+L<passphrase-encoding(7)> for more information.
 
 =head1 RETURN VALUES
 
@@ -54,6 +59,7 @@ All functions return 1 on success and 0 if an error occurred.
 =head1 CONFORMING TO
 
 IETF RFC 7292 (L<https://tools.ietf.org/html/rfc7292>)
+IETF RFC 9579 (L<https://tools.ietf.org/html/rfc9579>)
 
 =head1 SEE ALSO
 
@@ -64,7 +70,7 @@ L<passphrase-encoding(7)>
 
 =head1 COPYRIGHT
 
-Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy