From 15c9aa3aef77c642ef2b6c84bba2b57b35ed083e Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Wed, 22 Jul 2020 13:36:36 +0200 Subject: [PATCH] apps/pkcs12: Change defaults from RC2 to PBES2 with PBKDF2 Fixes #11672 Add "-legacy" option to load the legacy provider and fall back to the old legacy default algorithms. doc/man1/openssl-pkcs12.pod.in: updates documentation about the new "-legacy" option Signed-off-by: Sahana Prasad Reviewed-by: Paul Dale Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/12540) --- apps/pkcs12.c | 46 ++++++++++++++++++++++++++-------- doc/man1/openssl-pkcs12.pod.in | 24 ++++++++++++++++-- 2 files changed, 57 insertions(+), 13 deletions(-) diff --git a/apps/pkcs12.c b/apps/pkcs12.c index ca83e2d1be..3398250efd 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -18,6 +18,7 @@ #include #include #include +#include DEFINE_STACK_OF(X509) DEFINE_STACK_OF(PKCS7) @@ -61,12 +62,13 @@ typedef enum OPTION_choice { OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME, OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE, - OPT_R_ENUM, OPT_PROV_ENUM + OPT_R_ENUM, OPT_PROV_ENUM, OPT_LEGACY_ALG } OPTION_CHOICE; const OPTIONS pkcs12_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, + {"legacy", OPT_LEGACY_ALG, '-', "use legacy algorithms"}, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif 
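Review bot: The help string of the new `legacy` entry in `pkcs12_options[]` starts in lower case and does not say what the switch changes, unlike its neighbours ("Display this summary", "Use engine, possibly a hardware device"). According to the later hunks it moves the defaults back to RC2-40/3DES and loads the legacy provider, so the one-line help should say that a weaker default is being selected, e.g. `{"legacy", OPT_LEGACY_ALG, '-', "Use legacy algorithm defaults (RC2-40/3DES) and load the legacy provider"},`. The options array continues outside this hunk.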
@@ -117,9 +119,9 @@ const OPTIONS pkcs12_options[] = { OPT_SECTION("Encryption"), #ifndef OPENSSL_NO_RC2 {"descert", OPT_DESCERT, '-', - "Encrypt output with 3DES (default RC2-40)"}, + "Encrypt output with 3DES (default PBES2 with PBKDF2 and AES-256 CBC)"}, {"certpbe", OPT_CERTPBE, 's', - "Certificate PBE algorithm (default RC2-40)"}, + "Certificate PBE algorithm (default PBES2 with PBKDF2 and AES-256 CBC)"}, #else {"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"}, {"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"}, @@ -143,14 +145,10 @@ int pkcs12_main(int argc, char **argv) char *infile = NULL, *outfile = NULL, *keyname = NULL, *certfile = NULL; char *name = NULL, *csp_name = NULL; char pass[PASSWD_BUF_SIZE] = "", macpass[PASSWD_BUF_SIZE] = ""; - int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; + int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0, use_legacy = 0; int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; -#ifndef OPENSSL_NO_RC2 - int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; -#else - int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; -#endif - int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + int cert_pbe = NID_aes_256_cbc; + int key_pbe = NID_aes_256_cbc; int ret = 1, macver = 1, add_lmk = 0, private = 0; int noprompt = 0; char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL; @@ -162,7 +160,7 @@ int pkcs12_main(int argc, char **argv) BIO *in = NULL, *out = NULL; PKCS12 *p12 = NULL; STACK_OF(OPENSSL_STRING) *canames = NULL; - const EVP_CIPHER *enc = EVP_des_ede3_cbc(); + const EVP_CIPHER *enc = EVP_aes_256_cbc(); OPTION_CHOICE o; prog = opt_init(argc, argv, pkcs12_options); @@ -313,6 +311,9 @@ int pkcs12_main(int argc, char **argv) case OPT_ENGINE: e = setup_engine(opt_arg(), 0); break; + case OPT_LEGACY_ALG: + use_legacy = 1; + break; case OPT_PROV_CASES: if (!opt_provider(o)) goto end; 
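Review bot: In the `@@ -117` hunk only the `#ifndef OPENSSL_NO_RC2` branch of the help text is updated. The `#else` branch still prints "Encrypt output with 3DES (the default)" and "Certificate PBE algorithm (default 3DES)", although the `@@ -143` hunk now sets `cert_pbe = NID_aes_256_cbc` regardless of RC2 support. Since the default no longer depends on `OPENSSL_NO_RC2`, the `#ifndef`/`#else` split can be dropped here and one pair of entries kept with the AES-256 wording. The `-descert` paragraph in doc/man1/openssl-pkcs12.pod.in added by this patch also says the certificate defaults to triple DES, which disagrees with the same initializer.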
@@ -320,6 +321,29 @@ int pkcs12_main(int argc, char **argv) } } argc = opt_num_rest(); + + if (use_legacy) { + /* load the legacy provider if not loaded already*/ + if (!OSSL_PROVIDER_available(app_get0_libctx(), "legacy")) { + if (!app_provider_load(app_get0_libctx(), "legacy")) + goto end; + /* load the default provider explicitly */ + if (!app_provider_load(app_get0_libctx(), "default")) + goto end; + } + if (cert_pbe != NID_pbe_WithSHA1And3_Key_TripleDES_CBC) { + /* Restore default algorithms */ +#ifndef OPENSSL_NO_RC2 + cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; +#else + cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; +#endif + } + + key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; + enc = EVP_des_ede3_cbc(); + } + if (argc != 0) goto opthelp; diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 3a97a81517..90d8a7e19e 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -44,6 +44,7 @@ B B [B<-maciter>] [B<-nomac>] [B<-twopass>] +[B<-legacy>] [B<-descert>] [B<-certpbe> I] [B<-keypbe> I] @@ -166,6 +167,16 @@ always assumes these are the same so this option will render such PKCS#12 files unreadable. Cannot be used in combination with the options B<-password>, B<-passin> if importing, or B<-passout> if exporting. +=item B<-legacy> + +Use legacy mode of operation and automatically load the legacy provider. +In the legacy mode, the default algorithm for certificate encryption +is RC2_CBC or 3DES_CBC depending on whether the RC2 cipher is enabled +in the build. The default algorithm for private key encryption is 3DES_CBC. +If the legacy option is not specified, then the legacy provider is not loaded +and the default encryption algorithm for both certificates and private keys is +AES_256_CBC with PBKDF2 for key derivation by default. + =back =head1 FILE CREATION OPTIONS 
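Review bot: The `if (use_legacy)` block in the `@@ -320` hunk overwrites `key_pbe` and `enc` unconditionally, and overwrites `cert_pbe` whenever it is not 3DES, so any value the option loop set earlier is lost. The option handling is outside this hunk, but if `-certpbe`, `-keypbe` and the cipher options assign these variables, then `-legacy -certpbe <stronger algorithm>` is silently downgraded to RC2-40 and a disabled key encryption would be switched back on with 3DES. The legacy values should replace only what is still at the new built-in default, as sketched below. An explicit AES-256 request remains indistinguishable from the default in this form, so a sentinel initial value (set in the `@@ -143` hunk) would be cleaner.

```c
    if (use_legacy) {
        /* … unchanged: legacy and default provider loading … */

        /* Fall back to legacy algorithms only where the user chose nothing */
        if (cert_pbe == NID_aes_256_cbc) {
#ifndef OPENSSL_NO_RC2
            cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
#else
            cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
#endif
        }
        if (key_pbe == NID_aes_256_cbc)
            key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
        if (enc == EVP_aes_256_cbc())
            enc = EVP_des_ede3_cbc();
    }
```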
@@ -229,8 +240,9 @@ for this search. If the search fails it is considered a fatal error. Encrypt the certificate using triple DES, this may render the PKCS#12 file unreadable by some "export grade" software. By default the private -key is encrypted using triple DES and the certificate using 40 bit RC2 -unless RC2 is disabled in which case triple DES is used. +key is encrypted using AES and the certificate using triple DES unless +the '-legacy' option is used. If '-descert' is used with the '-legacy' +then both, the private key and the certificate are encrypted using triple DES. =item B<-keypbe> I, B<-certpbe> I @@ -355,6 +367,10 @@ Print some info about a PKCS#12 file: openssl pkcs12 -in file.p12 -info -noout +Print some info about a PKCS#12 file in legacy mode: + + openssl pkcs12 -in file.p12 -info -noout -legacy + Create a PKCS#12 file: openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" @@ -364,6 +380,10 @@ Include some extra certificates: openssl pkcs12 -export -in file.pem -out file.p12 -name "My Certificate" \ -certfile othercerts.pem +Export a PKCS#12 file with default encryption algorithms as in the legacy provider: + + openssl pkcs12 -export -in cert.pem -inkey key.pem -out file.p12 -legacy + =head1 SEE ALSO L, -- GitLab