mirror of https://github.com/openssl/openssl
Add -iter option to pkcs12 command
Fixes #8194 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10130)
This commit is contained in:
Ibrahim M. Ghazal
parent
e7b834b6bb
commit
1fdde9170c
|
|
@ -53,7 +53,7 @@ typedef enum OPTION_choice {
|
|||
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
|
||||
OPT_CIPHER, OPT_NOKEYS, OPT_KEYEX, OPT_KEYSIG, OPT_NOCERTS, OPT_CLCERTS,
|
||||
OPT_CACERTS, OPT_NOOUT, OPT_INFO, OPT_CHAIN, OPT_TWOPASS, OPT_NOMACVER,
|
||||
OPT_DESCERT, OPT_EXPORT, OPT_NOITER, OPT_MACITER, OPT_NOMACITER,
|
||||
OPT_DESCERT, OPT_EXPORT, OPT_ITER, OPT_NOITER, OPT_MACITER, OPT_NOMACITER,
|
||||
OPT_NOMAC, OPT_LMK, OPT_NODES, OPT_MACALG, OPT_CERTPBE, OPT_KEYPBE,
|
||||
OPT_INKEY, OPT_CERTFILE, OPT_NAME, OPT_CSP, OPT_CANAME,
|
||||
OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH,
|
||||
|
|
@ -121,8 +121,9 @@ const OPTIONS pkcs12_options[] = {
|
|||
{"descert", OPT_DESCERT, '-', "Encrypt output with 3DES (the default)"},
|
||||
{"certpbe", OPT_CERTPBE, 's', "Certificate PBE algorithm (default 3DES)"},
|
||||
# endif
|
||||
{"noiter", OPT_NOITER, '-', "Don't use encryption iteration"},
|
||||
{"maciter", OPT_MACITER, '-', "Use MAC iteration"},
|
||||
{"iter", OPT_ITER, 'p', "Specify the iteration count for encryption key and MAC"},
|
||||
{"noiter", OPT_NOITER, '-', "Don't use encryption key iteration"},
|
||||
{"maciter", OPT_MACITER, '-', "Unused, kept for backwards compatibility"},
|
||||
{"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration"},
|
||||
{"nomac", OPT_NOMAC, '-', "Don't generate MAC"},
|
||||
{"nodes", OPT_NODES, '-', "Don't encrypt private keys"},
|
||||
|
|
@ -214,11 +215,16 @@ int pkcs12_main(int argc, char **argv)
|
|||
if (!opt_cipher(opt_unknown(), &enc))
|
||||
goto opthelp;
|
||||
break;
|
||||
case OPT_ITER:
|
||||
if (!opt_int(opt_arg(), &iter))
|
||||
goto opthelp;
|
||||
maciter = iter;
|
||||
break;
|
||||
case OPT_NOITER:
|
||||
iter = 1;
|
||||
break;
|
||||
case OPT_MACITER:
|
||||
maciter = PKCS12_DEFAULT_ITER;
|
||||
/* no-op */
|
||||
break;
|
||||
case OPT_NOMACITER:
|
||||
maciter = 1;
|
||||
|
|
|
|||
|
|
@ -25,8 +25,9 @@ B<openssl> B<pkcs12>
|
|||
[B<-nokeys>]
|
||||
[B<-info>]
|
||||
[B<-des> B<-des3> B<-idea> B<-aes128> B<-aes192> B<-aes256> B<-aria128> B<-aria192> B<-aria256> B<-camellia128> B<-camellia192> B<-camellia256> B<-nodes>]
|
||||
[B<-noiter>]
|
||||
[B<-maciter> | B<-nomaciter> | B<-nomac>]
|
||||
[B<-iter> I<count> | B<-noiter> | B<-nomaciter>]
|
||||
[B<-maciter>]
|
||||
[B<-nomac>]
|
||||
[B<-twopass>]
|
||||
[B<-descert>]
|
||||
[B<-certpbe> I<cipher>]
|
||||
|
|
@ -233,17 +234,19 @@ the use of signing only keys for SSL client authentication.
|
|||
|
||||
Specify the MAC digest algorithm. If not included them SHA1 will be used.
|
||||
|
||||
=item B<-nomaciter>, B<-noiter>
|
||||
=item B<-iter> I<count>
|
||||
|
||||
These options affect the iteration counts on the MAC and key algorithms.
|
||||
Unless you wish to produce files compatible with MSIE 4.0 you should leave
|
||||
these options alone.
|
||||
This option specifies the iteration count for the encryption key and MAC. The
|
||||
default value is 2048.
|
||||
|
||||
To discourage attacks by using large dictionaries of common passwords the
|
||||
algorithm that derives keys from passwords can have an iteration count applied
|
||||
to it: this causes a certain part of the algorithm to be repeated and slows it
|
||||
down. The MAC is used to check the file integrity but since it will normally
|
||||
have the same password as the keys and certificates it could also be attacked.
|
||||
|
||||
=item B<-nomaciter>, B<-noiter>
|
||||
|
||||
By default both MAC and encryption iteration counts are set to 2048, using
|
||||
these options the MAC and encryption iteration counts can be set to 1, since
|
||||
this reduces the file security you should not use these options unless you
|
||||
|
|
|
|||
Loading…
Reference in New Issue