| PKCS12_create.pod (1.1.1.2) | PKCS12_create.pod (1.1.1.3) |
|---|---|
| 1=pod 2 3=head1 NAME 4 5PKCS12_create, PKCS12_create_ex - create a PKCS#12 structure 6 7=head1 SYNOPSIS 8 --- 28 unchanged lines hidden (view full) --- 37=head1 NOTES 38 39The parameters I<nid_key>, I<nid_cert>, I<iter>, I<mac_iter> and I<keytype> 40can all be set to zero and sensible defaults will be used. 41 42These defaults are: AES password based encryption (PBES2 with PBKDF2 and 43AES-256-CBC) for private keys and certificates, the PBKDF2 and MAC key 44derivation iteration count of B<PKCS12_DEFAULT_ITER> (currently 2048), and | 1=pod 2 3=head1 NAME 4 5PKCS12_create, PKCS12_create_ex - create a PKCS#12 structure 6 7=head1 SYNOPSIS 8 --- 28 unchanged lines hidden (view full) --- 37=head1 NOTES 38 39The parameters I<nid_key>, I<nid_cert>, I<iter>, I<mac_iter> and I<keytype> 40can all be set to zero and sensible defaults will be used. 41 42These defaults are: AES password based encryption (PBES2 with PBKDF2 and 43AES-256-CBC) for private keys and certificates, the PBKDF2 and MAC key 44derivation iteration count of B<PKCS12_DEFAULT_ITER> (currently 2048), and |
| 45MAC algorithm HMAC with SHA2-256. | 45MAC algorithm HMAC with SHA2-256. The MAC key derivation algorithm used 46for the outer PKCS#12 structure is PKCS12KDF. |
| 46 47The default MAC iteration count is 1 in order to retain compatibility with 48old software which did not interpret MAC iteration counts. If such compatibility 49is not required then I<mac_iter> should be set to PKCS12_DEFAULT_ITER. 50 51I<keytype> adds a flag to the store private key. This is a non standard extension 52that is only currently interpreted by MSIE. If set to zero the flag is omitted, 53if set to B<KEY_SIG> the key can be used for signing only, if set to B<KEY_EX> --- 9 unchanged lines hidden (view full) --- 63Either I<pkey>, I<cert> or both can be B<NULL> to indicate that no key or 64certificate is required. In previous versions both had to be present or 65a fatal error is returned. 66 67I<nid_key> or I<nid_cert> can be set to -1 indicating that no encryption 68should be used. 69 70I<mac_iter> can be set to -1 and the MAC will then be omitted entirely. | 47 48The default MAC iteration count is 1 in order to retain compatibility with 49old software which did not interpret MAC iteration counts. If such compatibility 50is not required then I<mac_iter> should be set to PKCS12_DEFAULT_ITER. 51 52I<keytype> adds a flag to the store private key. This is a non standard extension 53that is only currently interpreted by MSIE. If set to zero the flag is omitted, 54if set to B<KEY_SIG> the key can be used for signing only, if set to B<KEY_EX> --- 9 unchanged lines hidden (view full) --- 64Either I<pkey>, I<cert> or both can be B<NULL> to indicate that no key or 65certificate is required. In previous versions both had to be present or 66a fatal error is returned. 67 68I<nid_key> or I<nid_cert> can be set to -1 indicating that no encryption 69should be used. 70 71I<mac_iter> can be set to -1 and the MAC will then be omitted entirely. |
| 72This can be useful when running with the FIPS provider as the PKCS12KDF 73is not a FIPS approvable algorithm. |
|
| 71 72PKCS12_create() makes assumptions regarding the encoding of the given pass 73phrase. 74See L<passphrase-encoding(7)> for more information. 75 76=head1 RETURN VALUES 77 78PKCS12_create() returns a valid B<PKCS12> structure or NULL if an error occurred. 79 80=head1 CONFORMING TO 81 82IETF RFC 7292 (L<https://tools.ietf.org/html/rfc7292>) 83 84=head1 SEE ALSO 85 | 74 75PKCS12_create() makes assumptions regarding the encoding of the given pass 76phrase. 77See L<passphrase-encoding(7)> for more information. 78 79=head1 RETURN VALUES 80 81PKCS12_create() returns a valid B<PKCS12> structure or NULL if an error occurred. 82 83=head1 CONFORMING TO 84 85IETF RFC 7292 (L<https://tools.ietf.org/html/rfc7292>) 86 87=head1 SEE ALSO 88 |
| 89L<EVP_KDF-PKCS12KDF(7)>, |
|
| 86L<d2i_PKCS12(3)>, | 90L<d2i_PKCS12(3)>, |
| 91L<OSSL_PROVIDER-FIPS(7)>, |
|
| 87L<passphrase-encoding(7)> 88 89=head1 HISTORY 90 91PKCS12_create_ex() was added in OpenSSL 3.0. 92 93The defaults for encryption algorithms, MAC algorithm, and the MAC key 94derivation iteration count were changed in OpenSSL 3.0 to more modern 95standards. 96 97=head1 COPYRIGHT 98 | 92L<passphrase-encoding(7)> 93 94=head1 HISTORY 95 96PKCS12_create_ex() was added in OpenSSL 3.0. 97 98The defaults for encryption algorithms, MAC algorithm, and the MAC key 99derivation iteration count were changed in OpenSSL 3.0 to more modern 100standards. 101 102=head1 COPYRIGHT 103 |
| 99Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. | 104Copyright 2002-2023 The OpenSSL Project Authors. All Rights Reserved. |
| 100 101Licensed under the Apache License 2.0 (the "License"). You may not use 102this file except in compliance with the License. You can obtain a copy 103in the file LICENSE in the source distribution or at 104L<https://www.openssl.org/source/license.html>. 105 106=cut | 105 106Licensed under the Apache License 2.0 (the "License"). You may not use 107this file except in compliance with the License. You can obtain a copy 108in the file LICENSE in the source distribution or at 109L<https://www.openssl.org/source/license.html>. 110 111=cut |