1=pod
2
3=head1 NAME
4
5PKCS12_gen_mac, PKCS12_setup_mac, PKCS12_set_mac,
6PKCS12_set_pbmac1_pbkdf2, PKCS12_verify_mac, PKCS12_get0_mac -
7Functions to create and manipulate a PKCS#12 MAC structure
8
9=head1 SYNOPSIS
10
11 #include <openssl/pkcs12.h>
12
13 int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
14                    unsigned char *mac, unsigned int *maclen);
15 int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen);
16 int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen,
17                    unsigned char *salt, int saltlen, int iter,
18                    const EVP_MD *md_type);
19 int PKCS12_set_pbmac1_pbkdf2(PKCS12 *p12, const char *pass, int passlen,
20                                   unsigned char *salt, int saltlen, int iter,
21                                   const EVP_MD *md_type,
22                                   const char *prf_md_name);
23 int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt,
24                      int saltlen, const EVP_MD *md_type);
25
26 void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac,
27                      const X509_ALGOR **pmacalg,
28                      const ASN1_OCTET_STRING **psalt,
29                      const ASN1_INTEGER **piter,
30                      const PKCS12 *p12);
31
32=head1 DESCRIPTION
33
34PKCS12_gen_mac() generates an HMAC over the entire PKCS#12 object using the
35supplied password along with a set of already configured parameters.
36The default key generation mechanism used is PKCS12KDF.
37
38PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied
39password.
40
41PKCS12_setup_mac() sets the MAC part of the PKCS#12 structure with the supplied
42parameters.
43
44PKCS12_set_mac() sets the MAC and MAC parameters into the PKCS#12 object.
45PKCS12_set_pbmac1_pbkdf2() sets the MAC and MAC parameters into the PKCS#12
46object when B<PBMAC1> with PBKDF2 is used for protection of the PKCS#12 object.
47
48I<pass> is the passphrase to use in the HMAC. I<salt> is the salt value to use,
49I<iter> is the iteration count and I<md_type> is the message digest function to
50use. I<prf_md_name> specifies the digest used for the PBKDF2 in PBMAC1 KDF.
51
52PKCS12_get0_mac() retrieves any included MAC value, B<X509_ALGOR> object,
53I<salt>, and I<iter> count from the PKCS12 object.
54
55=head1 NOTES
56
57If I<salt> is NULL then a suitable salt will be generated and used.
58
59If I<iter> is 1 then an iteration count will be omitted from the PKCS#12
60structure.
61
62PKCS12_gen_mac(), PKCS12_verify_mac(), PKCS12_set_mac() and
63PKCS12_set_pbmac1_pbkdf2() make assumptions regarding the encoding of the
64given passphrase. See L<passphrase-encoding(7)> for more information.
65
66=head1 RETURN VALUES
67
68All functions returning an integer return 1 on success and 0 if an error occurred.
69
70=head1 ENVIRONMENT
71
72=over 4
73
74=item B<LEGACY_GOST_PKCS12>
75
76=for comment
77https://tc26.ru/standarts/metodicheskie-rekomendatsii/transportnyy-klyuchevoy-konteyner.html section 5.1
78https://tc26.ru/standard/rs/%D0%A0%2050.1.112-2016.pdf section 5
79https://meganorm.ru/mega_doc/norm/prikaz/25/r_1323565_1_041-2022_rekomendatsii_po_standartizatsii.html section 7.1
80
81If this environment variable is set, MAC generation that utilises
82GOST R 34.11-94 or GOST 34.11-2012 hashing algorithms is performed the usual
83way and not in accordance with the specification provided in the methodical
84recommendation MP 26.2.002-2012 (or in its later versions, standartisation
85recommendation P 50.1.112-2016 or P 1323565.1.041-2022)
86of Technical Committee 26, that specifies that the key used for MAC
87generation should be the last 32 bytes of the 96-byte sequence generated
88by L<PKCS5_PBKDF2_HMAC(3)> and not the whole sequence.
89
90=back
91
92=head1 CONFORMING TO
93
94IETF RFC 7292 (L<https://tools.ietf.org/html/rfc7292>)
95IETF RFC 9579 (L<https://tools.ietf.org/html/rfc9579>)
96
97=head1 SEE ALSO
98
99L<d2i_PKCS12(3)>,
100L<EVP_KDF-PKCS12KDF(7)>,
101L<PKCS12_create(3)>,
102L<passphrase-encoding(7)>
103
104=head1 HISTORY
105
106The I<PKCS12_set_pbmac1_pbkdf2> function was added in OpenSSL 3.4.
107
108=head1 COPYRIGHT
109
110Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
111
112Licensed under the Apache License 2.0 (the "License").  You may not use
113this file except in compliance with the License.  You can obtain a copy
114in the file LICENSE in the source distribution or at
115L<https://www.openssl.org/source/license.html>.
116
117=cut
118