1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
|
From 119b88bb3d572b2c5deacf466b5c1dce6acc13eb Mon Sep 17 00:00:00 2001
From: olszomal <Malgorzata.Olszowka@stunnel.org>
Date: Tue, 29 Nov 2022 10:01:39 +0100
Subject: [PATCH] Legacy pkcs12 ciphers support
---
osslsigncode.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 78 insertions(+)
diff --git a/osslsigncode.c b/osslsigncode.c
index e4cbd52..d520ce7 100644
--- a/osslsigncode.c
+++ b/osslsigncode.c
@@ -113,6 +113,9 @@
#ifndef OPENSSL_NO_ENGINE
#include <openssl/engine.h>
#endif /* OPENSSL_NO_ENGINE */
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+#include <openssl/provider.h>
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
#include "msi.h"
@@ -248,6 +251,9 @@ typedef struct {
char *tsa_crlfile;
char *leafhash;
int jp;
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+ int legacy;
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
} GLOBAL_OPTIONS;
typedef struct {
@@ -1198,6 +1204,9 @@ static void usage(const char *argv0, const char *cmd)
printf("%1s[ sign ] ( -certs | -spc <certfile> -key <keyfile> | -pkcs12 <pkcs12file> |\n", "");
printf("%12s [ -pkcs11engine <engine> ] -pkcs11module <module> -pkcs11cert <pkcs11 cert id> |\n", "");
printf("%12s -certs <certfile> -key <pkcs11 key id>)\n", "");
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+ printf("%12s[ -nolegacy ]\n", "");
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
printf("%12s[ -pass <password>", "");
#ifdef PROVIDE_ASKPASS
printf("%1s [ -askpass ]", "");
@@ -1288,6 +1297,9 @@ static void help_for(const char *argv0, const char *cmd)
const char *cmds_in[] = {"add", "attach-signature", "extract-signature", "remove-signature", "sign", "verify", NULL};
const char *cmds_jp[] = {"sign", NULL};
const char *cmds_key[] = {"sign", NULL};
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+ const char *cmds_nolegacy[] = {"sign", NULL};
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
const char *cmds_n[] = {"sign", NULL};
const char *cmds_nest[] = {"attach-signature", "sign", NULL};
#ifdef ENABLE_CURL
@@ -1400,6 +1412,10 @@ static void help_for(const char *argv0, const char *cmd)
printf("%26slevels of permissions in Microsoft Internet Explorer 4.x for CAB files\n", "");
printf("%26sonly \"low\" level is now supported\n", "");
}
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+ if (on_list(cmd, cmds_nolegacy))
+ printf("%-24s= disable legacy mode and don't automatically load the legacy provider\n", "-nolegacy");
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
if (on_list(cmd, cmds_key))
printf("%-24s= the private key to use or PKCS#11 URI identifies a key in the token\n", "-key");
if (on_list(cmd, cmds_n))
@@ -5736,6 +5752,52 @@ static cmd_type_t get_command(char **argv)
return CMD_SIGN;
}
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+DEFINE_STACK_OF(OSSL_PROVIDER)
+static STACK_OF(OSSL_PROVIDER) *providers = NULL;
+
+static void provider_free(OSSL_PROVIDER *prov)
+{
+ OSSL_PROVIDER_unload(prov);
+}
+
+static void providers_cleanup(void)
+{
+ sk_OSSL_PROVIDER_pop_free(providers, provider_free);
+ providers = NULL;
+}
+
+static int provider_load(OSSL_LIB_CTX *libctx, const char *pname)
+{
+ OSSL_PROVIDER *prov= OSSL_PROVIDER_load(libctx, pname);
+ if (prov == NULL) {
+ printf("Unable to load provider: %s\n", pname);
+ return 0; /* FAILED */
+ }
+ if (providers == NULL) {
+ providers = sk_OSSL_PROVIDER_new_null();
+ }
+ if (providers == NULL || !sk_OSSL_PROVIDER_push(providers, prov)) {
+ providers_cleanup();
+ return 0; /* FAILED */
+ }
+ return 1; /* OK */
+}
+
+static int use_legacy(void)
+{
+ /* load the legacy provider if not loaded already */
+ if (!OSSL_PROVIDER_available(NULL, "legacy")) {
+ if (!provider_load(NULL, "legacy"))
+ return 0; /* FAILED */
+ /* load the default provider explicitly */
+ if (!provider_load(NULL, "default"))
+ return 0; /* FAILED */
+ }
+ return 1; /* OK */
+}
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
+
static int main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS *options)
{
int i;
@@ -5751,6 +5813,10 @@ static int main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS
options->md = EVP_sha256();
options->time = INVALID_TIME;
options->jp = -1;
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+/* Use legacy PKCS#12 container with RC2-40-CBC private key and certificate encryption algorithm */
+ options->legacy = 1;
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
if (*cmd == CMD_HELP) {
return 0; /* FAILED */
@@ -5824,6 +5890,10 @@ static int main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS
}
options->p11module = *(++argv);
#endif /* OPENSSL_NO_ENGINE */
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+ } else if ((*cmd == CMD_SIGN) && !strcmp(*argv, "-nolegacy")) {
+ options->legacy = 0;
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
} else if ((*cmd == CMD_SIGN) && !strcmp(*argv, "-pass")) {
if (options->askpass || options->readpass) {
usage(argv0, "all");
@@ -6051,6 +6121,11 @@ static int main_configure(int argc, char **argv, cmd_type_t *cmd, GLOBAL_OPTIONS
return 0; /* FAILED */
}
#endif /* WIN32 */
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+ if (*cmd == CMD_SIGN && options->legacy && !use_legacy()) {
+ printf("Warning: Legacy mode disabled\n");
+ }
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
return 1; /* OK */
}
@@ -6313,6 +6388,9 @@ int main(int argc, char **argv)
free_msi_params(&msiparams);
free_crypto_params(&cparams);
free_options(&options);
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+ providers_cleanup();
+#endif /* OPENSSL_VERSION_NUMBER>=0x30000000L */
if (ret)
ERR_print_errors_fp(stdout);
if (cmd == CMD_HELP)
|