From 05034cf3497dd09a4fdbdecb13152ebab1c2bed4 Mon Sep 17 00:00:00 2001
From: tb
Date: Thu, 22 Aug 2024 12:14:33 +0000
Subject: [PATCH] openssl pkcs12: remove support for LMK and CSP attributes

Documentation on what the Microsoft-specific local machine keyset and the cryptographic service provider are actually good for is hard to find. For some reason (perhaps one million and two arguments for PKCS12_create() was considered two too many) these hang off the EVP_PKEY in the attributes member, which serves no other purpose. Every use of EVP_PKEY (of which there are far too many) pays extra memory taxes for this fringe use case. This complication is not worth it.

ok miod
---
 usr.bin/openssl/pkcs12.c | 26 +-------------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

diff --git a/usr.bin/openssl/pkcs12.c b/usr.bin/openssl/pkcs12.c
index c8706904f1a..69e230eff9e 100644
--- a/usr.bin/openssl/pkcs12.c
+++ b/usr.bin/openssl/pkcs12.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.c,v 1.27 2024/02/28 17:04:38 tb Exp $ */
+/* $OpenBSD: pkcs12.c,v 1.28 2024/08/22 12:14:33 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -93,14 +93,12 @@ static int alg_print(BIO *x, const X509_ALGOR *alg);
 static int set_pbe(BIO *err, int *ppbe, const char *str);

 static struct {
- int add_lmk;
 char *CAfile;
 STACK_OF(OPENSSL_STRING) *canames;
 char *CApath;
 int cert_pbe;
 char *certfile;
 int chain;
- char *csp_name;
 const EVP_CIPHER *enc;
 int export_cert;
 int key_pbe;
@@ -321,13 +319,6 @@ static const struct option pkcs12_options[] = {
 .opt.value = &cfg.options,
 .value = CLCERTS,
 },
- {
- .name = "CSP",
- .argname = "name",
- .desc = "Microsoft CSP name",
- .type = OPTION_ARG,
- .opt.arg = &cfg.csp_name,
- },
 {
 .name = "descert",
 .desc = "Encrypt PKCS#12 certificates with triple DES (default RC2-40)",
@@ -383,12 +374,6 @@ static const struct option pkcs12_options[] = {
 .opt.value = &cfg.keytype,
 .value = KEY_SIG,
 },
- {
- .name = "LMK",
- .desc = "Add local machine keyset attribute to private key",
- .type = OPTION_FLAG,
- .opt.flag = &cfg.add_lmk,
- },
 {
 .name = "macalg",
 .argname = "alg",
@@ -719,15 +704,6 @@ pkcs12_main(int argc, char **argv) X509_alias_set1(sk_X509_value(certs, i), catmp, -1); } - if (cfg.csp_name != NULL && key != NULL) - EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name, - MBSTRING_ASC, - (unsigned char *) cfg.csp_name, -1); - - if (cfg.add_lmk && key != NULL) - EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, - -1); - - if (!cfg.noprompt && EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:", 1)) {
-- 
2.20.1