Prepare to provide PKCS12 accessors

In order to be able to make pkcs12/ opaque, we need an entire family of
accessors. These are in a particularly nasty tangle since this was done
in about a dozen steps while sprinkling const, renaming functions, etc.
The public API also adds backward compat macros for functions that were
in the tree for half a day and then renamed. Of course some of them got
picked up by some ports.

Some of the gruesome hacks in here will go away with the next bump, but
that doesn't mean that the pkcs12 directory will be prettier afterward.

ok jsing

9 files changed, 349 insertions, 22 deletions

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index 423fba5f58..714f6e80b4 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.77 2022/07/24 08:16:47 tb Exp $
+# $OpenBSD: Makefile,v 1.78 2022/08/03 20:16:06 tb Exp $
 
 LIB=    crypto
 LIBREBUILD=y
@@ -234,7 +234,7 @@ SRCS+= pem_x509.c pem_xaux.c pem_oth.c pem_pk8.c pem_pkey.c pvkfmt.c
 
 # pkcs12/
 SRCS+= p12_add.c p12_asn.c p12_attr.c p12_crpt.c p12_crt.c p12_decr.c
-SRCS+= p12_init.c p12_key.c p12_kiss.c p12_mutl.c
+SRCS+= p12_init.c p12_key.c p12_kiss.c p12_mutl.c p12_sbag.c
 SRCS+= p12_utl.c p12_npas.c pk12err.c p12_p8d.c p12_p8e.c
 
 # pkcs7/
diff --git a/src/lib/libcrypto/pkcs12/p12_add.c b/src/lib/libcrypto/pkcs12/p12_add.c
index 08bb75d312..e423c76411 100644
--- a/src/lib/libcrypto/pkcs12/p12_add.c
+++ b/src/lib/libcrypto/pkcs12/p12_add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_add.c,v 1.17 2018/05/13 14:24:07 tb Exp $ */
+/* $OpenBSD: p12_add.c,v 1.18 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -89,6 +89,9 @@ PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, int nid2)
         return safebag;
 }
 
+#if !defined(LIBRESSL_NEXT_API)
+#undef PKCS12_MAKE_KEYBAG
+#undef PKCS12_MAKE_SHKEYBAG
 /* Turn PKCS8 object into a keybag */
 
 PKCS12_SAFEBAG *
@@ -136,6 +139,7 @@ PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass, int passlen,
 
         return bag;
 }
+#endif
 
 /* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */
 PKCS7 *
diff --git a/src/lib/libcrypto/pkcs12/p12_attr.c b/src/lib/libcrypto/pkcs12/p12_attr.c
index a35a148b11..01a7a3ea8c 100644
--- a/src/lib/libcrypto/pkcs12/p12_attr.c
+++ b/src/lib/libcrypto/pkcs12/p12_attr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_attr.c,v 1.15 2022/05/09 19:19:33 jsing Exp $ */
+/* $OpenBSD: p12_attr.c,v 1.16 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -138,12 +138,18 @@ PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
 char *
 PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag)
 {
-        ASN1_TYPE *atype;
+        const ASN1_TYPE *atype;
 
-        if (!(atype = PKCS12_get_attr(bag, NID_friendlyName)))
+        if (!(atype = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
                 return NULL;
         if (atype->type != V_ASN1_BMPSTRING)
                 return NULL;
         return OPENSSL_uni2asc(atype->value.bmpstring->data,
             atype->value.bmpstring->length);
 }
+
+const STACK_OF(X509_ATTRIBUTE) *
+PKCS12_SAFEBAG_get0_attrs(const PKCS12_SAFEBAG *bag)
+{
+        return bag->attrib;
+}
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index f8ba3357e7..dbcfd25478 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_crt.c,v 1.18 2018/05/13 13:46:55 tb Exp $ */
+/* $OpenBSD: p12_crt.c,v 1.19 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -232,12 +232,12 @@ PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, int key_usage,
         if (key_usage && !PKCS8_add_keyusage(p8, key_usage))
                 goto err;
         if (nid_key != -1) {
-                bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0,
-                    iter, p8);
+                bag = PKCS12_SAFEBAG_create_pkcs8_encrypt(nid_key, pass, -1,
+                    NULL, 0, iter, p8);
                 PKCS8_PRIV_KEY_INFO_free(p8);
                 p8 = NULL;
         } else {
-                bag = PKCS12_MAKE_KEYBAG(p8);
+                bag = PKCS12_SAFEBAG_create0_p8inf(p8);
                 if (bag != NULL)
                         p8 = NULL;
         }
diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
index 6bbfa2aeef..42a84a5458 100644
--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_kiss.c,v 1.23 2022/07/24 18:51:16 tb Exp $ */
+/* $OpenBSD: p12_kiss.c,v 1.24 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -224,14 +224,14 @@ parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, EVP_PKEY **pkey,
 {
         PKCS8_PRIV_KEY_INFO *p8;
         X509 *x509;
-        ASN1_TYPE *attrib;
+        const ASN1_TYPE *attrib;
         ASN1_BMPSTRING *fname = NULL;
         ASN1_OCTET_STRING *lkid = NULL;
 
-        if ((attrib = PKCS12_get_attr(bag, NID_friendlyName)))
+        if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
                 fname = attrib->value.bmpstring;
 
-        if ((attrib = PKCS12_get_attr(bag, NID_localKeyID)))
+        if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
                 lkid = attrib->value.octet_string;
 
         switch (OBJ_obj2nid(bag->type)) {
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 7474bf5ff3..5c9cea90db 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_mutl.c,v 1.30 2022/07/25 05:06:06 tb Exp $ */
+/* $OpenBSD: p12_mutl.c,v 1.31 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -72,6 +72,39 @@
 #include "hmac_local.h"
 #include "x509_lcl.h"
 
+int
+PKCS12_mac_present(const PKCS12 *p12)
+{
+        return p12->mac != NULL;
+}
+
+void
+PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac, const X509_ALGOR **pmacalg,
+    const ASN1_OCTET_STRING **psalt, const ASN1_INTEGER **piter,
+    const PKCS12 *p12)
+{
+        if (p12->mac == NULL) {
+                if (pmac != NULL)
+                        *pmac = NULL;
+                if (pmacalg != NULL)
+                        *pmacalg = NULL;
+                if (psalt != NULL)
+                        *psalt = NULL;
+                if (piter != NULL)
+                        *piter = NULL;
+                return;
+        }
+
+        if (pmac != NULL)
+                *pmac = p12->mac->dinfo->digest;
+        if (pmacalg != NULL)
+                *pmacalg = p12->mac->dinfo->algor;
+        if (psalt != NULL)
+                *psalt = p12->mac->salt;
+        if (piter != NULL)
+                *piter = p12->mac->iter;
+}
+
 /* Generate a MAC */
 int
 PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
diff --git a/src/lib/libcrypto/pkcs12/p12_sbag.c b/src/lib/libcrypto/pkcs12/p12_sbag.c
new file mode 100644
index 0000000000..4e9f7ed3dd
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_sbag.c
@@ -0,0 +1,224 @@
+/* $OpenBSD: p12_sbag.c,v 1.4 2022/08/03 20:16:06 tb Exp $ */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999-2018.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+
+#include <openssl/err.h>
+#include <openssl/pkcs12.h>
+
+#include "x509_lcl.h"
+
+const ASN1_TYPE *
+PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag, int attr_nid)
+{
+        return PKCS12_get_attr_gen(bag->attrib, attr_nid);
+}
+
+ASN1_TYPE *
+PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid)
+{
+        return PKCS12_get_attr_gen(p8->attributes, attr_nid);
+}
+
+const PKCS8_PRIV_KEY_INFO *
+PKCS12_SAFEBAG_get0_p8inf(const PKCS12_SAFEBAG *bag)
+{
+        if (PKCS12_SAFEBAG_get_nid(bag) != NID_keyBag)
+                return NULL;
+
+        return bag->value.keybag;
+}
+
+const X509_SIG *
+PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag)
+{
+        if (PKCS12_SAFEBAG_get_nid(bag) != NID_pkcs8ShroudedKeyBag)
+                return NULL;
+
+        return bag->value.shkeybag;
+}
+
+const STACK_OF(PKCS12_SAFEBAG) *
+PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag)
+{
+        if (PKCS12_SAFEBAG_get_nid(bag) != NID_safeContentsBag)
+                return NULL;
+
+        return bag->value.safes;
+}
+
+const ASN1_OBJECT *
+PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag)
+{
+        return bag->type;
+}
+
+int
+PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag)
+{
+        return OBJ_obj2nid(bag->type);
+}
+
+int
+PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag)
+{
+        int bag_type;
+
+        bag_type = PKCS12_SAFEBAG_get_nid(bag);
+
+        if (bag_type == NID_certBag || bag_type == NID_crlBag ||
+            bag_type == NID_secretBag)
+                return OBJ_obj2nid(bag->value.bag->type);
+
+        return -1;
+}
+
+X509 *
+PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag)
+{
+        if (OBJ_obj2nid(bag->type) != NID_certBag)
+                return NULL;
+        if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Certificate)
+                return NULL;
+        return ASN1_item_unpack(bag->value.bag->value.octet, &X509_it);
+}
+
+X509_CRL *
+PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag)
+{
+        if (OBJ_obj2nid(bag->type) != NID_crlBag)
+                return NULL;
+        if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Crl)
+                return NULL;
+        return ASN1_item_unpack(bag->value.bag->value.octet, &X509_CRL_it);
+}
+
+PKCS12_SAFEBAG *
+PKCS12_SAFEBAG_create_cert(X509 *x509)
+{
+        return PKCS12_item_pack_safebag(x509, &X509_it,
+            NID_x509Certificate, NID_certBag);
+}
+
+PKCS12_SAFEBAG *
+PKCS12_SAFEBAG_create_crl(X509_CRL *crl)
+{
+        return PKCS12_item_pack_safebag(crl, &X509_CRL_it,
+            NID_x509Crl, NID_crlBag);
+}
+
+/* Turn PKCS8 object into a keybag */
+
+PKCS12_SAFEBAG *
+PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8)
+{
+        PKCS12_SAFEBAG *bag;
+
+        if ((bag = PKCS12_SAFEBAG_new()) == NULL) {
+                PKCS12error(ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        bag->type = OBJ_nid2obj(NID_keyBag);
+        bag->value.keybag = p8;
+
+        return bag;
+}
+
+/* Turn PKCS8 object into a shrouded keybag */
+
+PKCS12_SAFEBAG *
+PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8)
+{
+        PKCS12_SAFEBAG *bag;
+
+        /* Set up the safe bag */
+        if ((bag = PKCS12_SAFEBAG_new()) == NULL) {
+                PKCS12error(ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
+        bag->value.shkeybag = p8;
+
+        return bag;
+}
+
+PKCS12_SAFEBAG *
+PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid, const char *pass, int passlen,
+    unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8info)
+{
+        const EVP_CIPHER *pbe_ciph;
+        X509_SIG *p8;
+        PKCS12_SAFEBAG *bag;
+
+        if ((pbe_ciph = EVP_get_cipherbynid(pbe_nid)) != NULL)
+                pbe_nid = -1;
+
+        if ((p8 = PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen,
+            iter, p8info)) == NULL)
+                return NULL;
+
+        if ((bag = PKCS12_SAFEBAG_create0_pkcs8(p8)) == NULL) {
+                X509_SIG_free(p8);
+                return NULL;
+        }
+
+        return bag;
+}
diff --git a/src/lib/libcrypto/pkcs12/p12_utl.c b/src/lib/libcrypto/pkcs12/p12_utl.c
index ff3a035d3f..8efe7a2653 100644
--- a/src/lib/libcrypto/pkcs12/p12_utl.c
+++ b/src/lib/libcrypto/pkcs12/p12_utl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_utl.c,v 1.16 2018/05/30 15:32:11 tb Exp $ */
+/* $OpenBSD: p12_utl.c,v 1.17 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -148,6 +148,12 @@ d2i_PKCS12_fp(FILE *fp, PKCS12 **p12)
             return ASN1_item_d2i_fp(&PKCS12_it, fp, p12);
 }
 
+#if !defined(LIBRESSL_NEXT_API)
+#undef PKCS12_x5092certbag
+#undef PKCS12_x509crl2certbag
+#undef PKCS12_certbag2x509
+#undef PKCS12_certbag2x509crl
+
 PKCS12_SAFEBAG *
 PKCS12_x5092certbag(X509 *x509)
 {
@@ -183,3 +189,4 @@ PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag)
         return ASN1_item_unpack(bag->value.bag->value.octet,
             &X509_CRL_it);
 }
+#endif
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index 920b4be202..a40659fcf3 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.h,v 1.25 2022/07/12 14:42:50 kn Exp $ */
+/* $OpenBSD: pkcs12.h,v 1.26 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -155,12 +155,63 @@ typedef struct pkcs12_bag_st {
 #define M_PKCS12_decrypt_skey PKCS12_decrypt_skey
 #define M_PKCS8_decrypt PKCS8_decrypt
 
+#if !defined(LIBRESSL_NEXT_API)
 #define M_PKCS12_bag_type(bg) OBJ_obj2nid((bg)->type)
 #define M_PKCS12_cert_bag_type(bg) OBJ_obj2nid((bg)->value.bag->type)
 #define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type
+#endif
 
 #endif /* !LIBRESSL_INTERNAL */
 
+#if defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
+
+#define M_PKCS12_bag_type       PKCS12_bag_type
+#define M_PKCS12_cert_bag_type  PKCS12_cert_bag_type
+#define M_PKCS12_crl_bag_type   PKCS12_cert_bag_type
+
+#define PKCS12_bag_type         PKCS12_SAFEBAG_get_nid
+#define PKCS12_cert_bag_type    PKCS12_SAFEBAG_get_bag_nid
+
+#define PKCS12_certbag2x509     PKCS12_SAFEBAG_get1_cert
+#define PKCS12_certbag2x509crl  PKCS12_SAFEBAG_get1_crl
+
+#define PKCS12_x5092certbag     PKCS12_SAFEBAG_create_cert
+#define PKCS12_x509crl2certbag  PKCS12_SAFEBAG_create_crl
+#define PKCS12_MAKE_KEYBAG      PKCS12_SAFEBAG_create0_p8inf
+#define PKCS12_MAKE_SHKEYBAG    PKCS12_SAFEBAG_create_pkcs8_encrypt
+
+const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag,
+    int attr_nid);
+const STACK_OF(X509_ATTRIBUTE) *
+    PKCS12_SAFEBAG_get0_attrs(const PKCS12_SAFEBAG *bag);
+int PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag);
+int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag);
+
+X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag);
+X509_CRL *PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag);
+
+ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid);
+int PKCS12_mac_present(const PKCS12 *p12);
+void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac, const X509_ALGOR **pmacalg,
+    const ASN1_OCTET_STRING **psalt, const ASN1_INTEGER **piter,
+    const PKCS12 *p12);
+
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_cert(X509 *x509);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid,
+    const char *pass, int passlen, unsigned char *salt, int saltlen, int iter,
+    PKCS8_PRIV_KEY_INFO *p8);
+
+const PKCS8_PRIV_KEY_INFO *PKCS12_SAFEBAG_get0_p8inf(const PKCS12_SAFEBAG *bag);
+const X509_SIG *PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag);
+const STACK_OF(PKCS12_SAFEBAG) *
+    PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag);
+const ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag);
+
+#else /* !LIBRESSL_NEXT_API && !LIBRESSL_INTERNAL*/
+
 #define PKCS12_get_attr(bag, attr_nid) \
                          PKCS12_get_attr_gen(bag->attrib, attr_nid)
 
@@ -169,15 +220,20 @@ typedef struct pkcs12_bag_st {
 
 #define PKCS12_mac_present(p12) ((p12)->mac ? 1 : 0)
 
-
 PKCS12_SAFEBAG *PKCS12_x5092certbag(X509 *x509);
 PKCS12_SAFEBAG *PKCS12_x509crl2certbag(X509_CRL *crl);
 X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag);
 X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag);
 
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8);
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
+    int passlen, unsigned char *salt, int saltlen, int iter,
+    PKCS8_PRIV_KEY_INFO *p8);
+
+#endif /* !LIBRESSL_NEXT_API && !LIBRESSL_INTERNAL */
+
 PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it,
     int nid1, int nid2);
-PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8);
 PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass,
     int passlen);
 PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(const PKCS12_SAFEBAG *bag,
@@ -185,9 +241,6 @@ PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(const PKCS12_SAFEBAG *bag,
 X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
     const char *pass, int passlen, unsigned char *salt, int saltlen, int iter,
     PKCS8_PRIV_KEY_INFO *p8);
-PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
-    int passlen, unsigned char *salt, int saltlen, int iter,
-    PKCS8_PRIV_KEY_INFO *p8);
 PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk);
 STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7);
 PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,