9 files changed, 349 insertions, 22 deletions

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index 423fba5f58..714f6e80b4 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.77 2022/07/24 08:16:47 tb Exp $
+# $OpenBSD: Makefile,v 1.78 2022/08/03 20:16:06 tb Exp $
 
 LIB=    crypto
 LIBREBUILD=y
@@ -234,7 +234,7 @@ SRCS+= pem_x509.c pem_xaux.c pem_oth.c pem_pk8.c pem_pkey.c pvkfmt.c
 
 # pkcs12/
 SRCS+= p12_add.c p12_asn.c p12_attr.c p12_crpt.c p12_crt.c p12_decr.c
-SRCS+= p12_init.c p12_key.c p12_kiss.c p12_mutl.c
+SRCS+= p12_init.c p12_key.c p12_kiss.c p12_mutl.c p12_sbag.c
 SRCS+= p12_utl.c p12_npas.c pk12err.c p12_p8d.c p12_p8e.c
 
 # pkcs7/
diff --git a/src/lib/libcrypto/pkcs12/p12_add.c b/src/lib/libcrypto/pkcs12/p12_add.c
index 08bb75d312..e423c76411 100644
--- a/src/lib/libcrypto/pkcs12/p12_add.c
+++ b/src/lib/libcrypto/pkcs12/p12_add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_add.c,v 1.17 2018/05/13 14:24:07 tb Exp $ */
+/* $OpenBSD: p12_add.c,v 1.18 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -89,6 +89,9 @@ PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, int nid2)
         return safebag;
 }
 
+#if !defined(LIBRESSL_NEXT_API)
+#undef PKCS12_MAKE_KEYBAG
+#undef PKCS12_MAKE_SHKEYBAG
 /* Turn PKCS8 object into a keybag */
 
 PKCS12_SAFEBAG *
@@ -136,6 +139,7 @@ PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass, int passlen,
 
         return bag;
 }
+#endif
 
 /* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */
 PKCS7 *
diff --git a/src/lib/libcrypto/pkcs12/p12_attr.c b/src/lib/libcrypto/pkcs12/p12_attr.c
index a35a148b11..01a7a3ea8c 100644
--- a/src/lib/libcrypto/pkcs12/p12_attr.c
+++ b/src/lib/libcrypto/pkcs12/p12_attr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_attr.c,v 1.15 2022/05/09 19:19:33 jsing Exp $ */
+/* $OpenBSD: p12_attr.c,v 1.16 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -138,12 +138,18 @@ PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid)
 char *
 PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag)
 {
-        ASN1_TYPE *atype;
+        const ASN1_TYPE *atype;
 
-        if (!(atype = PKCS12_get_attr(bag, NID_friendlyName)))
+        if (!(atype = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
                 return NULL;
         if (atype->type != V_ASN1_BMPSTRING)
                 return NULL;
         return OPENSSL_uni2asc(atype->value.bmpstring->data,
             atype->value.bmpstring->length);
 }
+
+const STACK_OF(X509_ATTRIBUTE) *
+PKCS12_SAFEBAG_get0_attrs(const PKCS12_SAFEBAG *bag)
+{
+        return bag->attrib;
+}
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index f8ba3357e7..dbcfd25478 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_crt.c,v 1.18 2018/05/13 13:46:55 tb Exp $ */
+/* $OpenBSD: p12_crt.c,v 1.19 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -232,12 +232,12 @@ PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, int key_usage,
         if (key_usage && !PKCS8_add_keyusage(p8, key_usage))
                 goto err;
         if (nid_key != -1) {
-                bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0,
-                    iter, p8);
+                bag = PKCS12_SAFEBAG_create_pkcs8_encrypt(nid_key, pass, -1,
+                    NULL, 0, iter, p8);
                 PKCS8_PRIV_KEY_INFO_free(p8);
                 p8 = NULL;
         } else {
-                bag = PKCS12_MAKE_KEYBAG(p8);
+                bag = PKCS12_SAFEBAG_create0_p8inf(p8);
                 if (bag != NULL)
                         p8 = NULL;
         }
diff --git a/src/lib/libcrypto/pkcs12/p12_kiss.c b/src/lib/libcrypto/pkcs12/p12_kiss.c
index 6bbfa2aeef..42a84a5458 100644
--- a/src/lib/libcrypto/pkcs12/p12_kiss.c
+++ b/src/lib/libcrypto/pkcs12/p12_kiss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_kiss.c,v 1.23 2022/07/24 18:51:16 tb Exp $ */
+/* $OpenBSD: p12_kiss.c,v 1.24 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -224,14 +224,14 @@ parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, EVP_PKEY **pkey,
 {
         PKCS8_PRIV_KEY_INFO *p8;
         X509 *x509;
-        ASN1_TYPE *attrib;
+        const ASN1_TYPE *attrib;
         ASN1_BMPSTRING *fname = NULL;
         ASN1_OCTET_STRING *lkid = NULL;
 
-        if ((attrib = PKCS12_get_attr(bag, NID_friendlyName)))
+        if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName)))
                 fname = attrib->value.bmpstring;
 
-        if ((attrib = PKCS12_get_attr(bag, NID_localKeyID)))
+        if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)))
                 lkid = attrib->value.octet_string;
 
         switch (OBJ_obj2nid(bag->type)) {
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 7474bf5ff3..5c9cea90db 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_mutl.c,v 1.30 2022/07/25 05:06:06 tb Exp $ */
+/* $OpenBSD: p12_mutl.c,v 1.31 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -72,6 +72,39 @@
 #include "hmac_local.h"
 #include "x509_lcl.h"
 
+int
+PKCS12_mac_present(const PKCS12 *p12)
+{
+        return p12->mac != NULL;
+}
+
+void
+PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac, const X509_ALGOR **pmacalg,
+    const ASN1_OCTET_STRING **psalt, const ASN1_INTEGER **piter,
+    const PKCS12 *p12)
+{
+        if (p12->mac == NULL) {
+                if (pmac != NULL)
+                        *pmac = NULL;
+                if (pmacalg != NULL)
+                        *pmacalg = NULL;
+                if (psalt != NULL)
+                        *psalt = NULL;
+                if (piter != NULL)
+                        *piter = NULL;
+                return;
+        }
+
+        if (pmac != NULL)
+                *pmac = p12->mac->dinfo->digest;
+        if (pmacalg != NULL)
+                *pmacalg = p12->mac->dinfo->algor;
+        if (psalt != NULL)
+                *psalt = p12->mac->salt;
+        if (piter != NULL)
+                *piter = p12->mac->iter;
+}
+
 /* Generate a MAC */
 int
 PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
diff --git a/src/lib/libcrypto/pkcs12/p12_sbag.c b/src/lib/libcrypto/pkcs12/p12_sbag.c
new file mode 100644
index 0000000000..4e9f7ed3dd
--- /dev/null
+++ b/src/lib/libcrypto/pkcs12/p12_sbag.c
@@ -0,0 +1,224 @@
+/* $OpenBSD: p12_sbag.c,v 1.4 2022/08/03 20:16:06 tb Exp $ */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * 1999-2018.
+ */
+/* ====================================================================
+ * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+
+#include <openssl/err.h>
+#include <openssl/pkcs12.h>
+
+#include "x509_lcl.h"
+
+const ASN1_TYPE *
+PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag, int attr_nid)
+{
+        return PKCS12_get_attr_gen(bag->attrib, attr_nid);
+}
+
+ASN1_TYPE *
+PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid)
+{
+        return PKCS12_get_attr_gen(p8->attributes, attr_nid);
+}
+
+const PKCS8_PRIV_KEY_INFO *
+PKCS12_SAFEBAG_get0_p8inf(const PKCS12_SAFEBAG *bag)
+{
+        if (PKCS12_SAFEBAG_get_nid(bag) != NID_keyBag)
+                return NULL;
+
+        return bag->value.keybag;
+}
+
+const X509_SIG *
+PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag)
+{
+        if (PKCS12_SAFEBAG_get_nid(bag) != NID_pkcs8ShroudedKeyBag)
+                return NULL;
+
+        return bag->value.shkeybag;
+}
+
+const STACK_OF(PKCS12_SAFEBAG) *
+PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag)
+{
+        if (PKCS12_SAFEBAG_get_nid(bag) != NID_safeContentsBag)
+                return NULL;
+
+        return bag->value.safes;
+}
+
+const ASN1_OBJECT *
+PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag)
+{
+        return bag->type;
+}
+
+int
+PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag)
+{
+        return OBJ_obj2nid(bag->type);
+}
+
+int
+PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag)
+{
+        int bag_type;
+
+        bag_type = PKCS12_SAFEBAG_get_nid(bag);
+
+        if (bag_type == NID_certBag || bag_type == NID_crlBag ||
+            bag_type == NID_secretBag)
+                return OBJ_obj2nid(bag->value.bag->type);
+
+        return -1;
+}
+
+X509 *
+PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag)
+{
+        if (OBJ_obj2nid(bag->type) != NID_certBag)
+                return NULL;
+        if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Certificate)
+                return NULL;
+        return ASN1_item_unpack(bag->value.bag->value.octet, &X509_it);
+}
+
+X509_CRL *
+PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag)
+{
+        if (OBJ_obj2nid(bag->type) != NID_crlBag)
+                return NULL;
+        if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Crl)
+                return NULL;
+        return ASN1_item_unpack(bag->value.bag->value.octet, &X509_CRL_it);
+}
+
+PKCS12_SAFEBAG *
+PKCS12_SAFEBAG_create_cert(X509 *x509)
+{
+        return PKCS12_item_pack_safebag(x509, &X509_it,
+            NID_x509Certificate, NID_certBag);
+}
+
+PKCS12_SAFEBAG *
+PKCS12_SAFEBAG_create_crl(X509_CRL *crl)
+{
+        return PKCS12_item_pack_safebag(crl, &X509_CRL_it,
+            NID_x509Crl, NID_crlBag);
+}
+
+/* Turn PKCS8 object into a keybag */
+
+PKCS12_SAFEBAG *
+PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8)
+{
+        PKCS12_SAFEBAG *bag;
+
+        if ((bag = PKCS12_SAFEBAG_new()) == NULL) {
+                PKCS12error(ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        bag->type = OBJ_nid2obj(NID_keyBag);
+        bag->value.keybag = p8;
+
+        return bag;
+}
+
+/* Turn PKCS8 object into a shrouded keybag */
+
+PKCS12_SAFEBAG *
+PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8)
+{
+        PKCS12_SAFEBAG *bag;
+
+        /* Set up the safe bag */
+        if ((bag = PKCS12_SAFEBAG_new()) == NULL) {
+                PKCS12error(ERR_R_MALLOC_FAILURE);
+                return NULL;
+        }
+
+        bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag);
+        bag->value.shkeybag = p8;
+
+        return bag;
+}
+
+PKCS12_SAFEBAG *
+PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid, const char *pass, int passlen,
+    unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8info)
+{
+        const EVP_CIPHER *pbe_ciph;
+        X509_SIG *p8;
+        PKCS12_SAFEBAG *bag;
+
+        if ((pbe_ciph = EVP_get_cipherbynid(pbe_nid)) != NULL)
+                pbe_nid = -1;
+
+        if ((p8 = PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen,
+            iter, p8info)) == NULL)
+                return NULL;
+
+        if ((bag = PKCS12_SAFEBAG_create0_pkcs8(p8)) == NULL) {
+                X509_SIG_free(p8);
+                return NULL;
+        }
+
+        return bag;
+}
diff --git a/src/lib/libcrypto/pkcs12/p12_utl.c b/src/lib/libcrypto/pkcs12/p12_utl.c
index ff3a035d3f..8efe7a2653 100644
--- a/src/lib/libcrypto/pkcs12/p12_utl.c
+++ b/src/lib/libcrypto/pkcs12/p12_utl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_utl.c,v 1.16 2018/05/30 15:32:11 tb Exp $ */
+/* $OpenBSD: p12_utl.c,v 1.17 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -148,6 +148,12 @@ d2i_PKCS12_fp(FILE *fp, PKCS12 **p12)
             return ASN1_item_d2i_fp(&PKCS12_it, fp, p12);
 }
 
+#if !defined(LIBRESSL_NEXT_API)
+#undef PKCS12_x5092certbag
+#undef PKCS12_x509crl2certbag
+#undef PKCS12_certbag2x509
+#undef PKCS12_certbag2x509crl
+
 PKCS12_SAFEBAG *
 PKCS12_x5092certbag(X509 *x509)
 {
@@ -183,3 +189,4 @@ PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag)
         return ASN1_item_unpack(bag->value.bag->value.octet,
             &X509_CRL_it);
 }
+#endif
diff --git a/src/lib/libcrypto/pkcs12/pkcs12.h b/src/lib/libcrypto/pkcs12/pkcs12.h
index 920b4be202..a40659fcf3 100644
--- a/src/lib/libcrypto/pkcs12/pkcs12.h
+++ b/src/lib/libcrypto/pkcs12/pkcs12.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.h,v 1.25 2022/07/12 14:42:50 kn Exp $ */
+/* $OpenBSD: pkcs12.h,v 1.26 2022/08/03 20:16:06 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -155,12 +155,63 @@ typedef struct pkcs12_bag_st {
 #define M_PKCS12_decrypt_skey PKCS12_decrypt_skey
 #define M_PKCS8_decrypt PKCS8_decrypt
 
+#if !defined(LIBRESSL_NEXT_API)
 #define M_PKCS12_bag_type(bg) OBJ_obj2nid((bg)->type)
 #define M_PKCS12_cert_bag_type(bg) OBJ_obj2nid((bg)->value.bag->type)
 #define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type
+#endif
 
 #endif /* !LIBRESSL_INTERNAL */
 
+#if defined(LIBRESSL_NEXT_API) || defined(LIBRESSL_INTERNAL)
+
+#define M_PKCS12_bag_type       PKCS12_bag_type
+#define M_PKCS12_cert_bag_type  PKCS12_cert_bag_type
+#define M_PKCS12_crl_bag_type   PKCS12_cert_bag_type
+
+#define PKCS12_bag_type         PKCS12_SAFEBAG_get_nid
+#define PKCS12_cert_bag_type    PKCS12_SAFEBAG_get_bag_nid
+
+#define PKCS12_certbag2x509     PKCS12_SAFEBAG_get1_cert
+#define PKCS12_certbag2x509crl  PKCS12_SAFEBAG_get1_crl
+
+#define PKCS12_x5092certbag     PKCS12_SAFEBAG_create_cert
+#define PKCS12_x509crl2certbag  PKCS12_SAFEBAG_create_crl
+#define PKCS12_MAKE_KEYBAG      PKCS12_SAFEBAG_create0_p8inf
+#define PKCS12_MAKE_SHKEYBAG    PKCS12_SAFEBAG_create_pkcs8_encrypt
+
+const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag,
+    int attr_nid);
+const STACK_OF(X509_ATTRIBUTE) *
+    PKCS12_SAFEBAG_get0_attrs(const PKCS12_SAFEBAG *bag);
+int PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag);
+int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag);
+
+X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag);
+X509_CRL *PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag);
+
+ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid);
+int PKCS12_mac_present(const PKCS12 *p12);
+void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac, const X509_ALGOR **pmacalg,
+    const ASN1_OCTET_STRING **psalt, const ASN1_INTEGER **piter,
+    const PKCS12 *p12);
+
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_cert(X509 *x509);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid,
+    const char *pass, int passlen, unsigned char *salt, int saltlen, int iter,
+    PKCS8_PRIV_KEY_INFO *p8);
+
+const PKCS8_PRIV_KEY_INFO *PKCS12_SAFEBAG_get0_p8inf(const PKCS12_SAFEBAG *bag);
+const X509_SIG *PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag);
+const STACK_OF(PKCS12_SAFEBAG) *
+    PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag);
+const ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag);
+
+#else /* !LIBRESSL_NEXT_API && !LIBRESSL_INTERNAL*/
+
 #define PKCS12_get_attr(bag, attr_nid) \
                          PKCS12_get_attr_gen(bag->attrib, attr_nid)
 
@@ -169,15 +220,20 @@ typedef struct pkcs12_bag_st {
 
 #define PKCS12_mac_present(p12) ((p12)->mac ? 1 : 0)
 
-
 PKCS12_SAFEBAG *PKCS12_x5092certbag(X509 *x509);
 PKCS12_SAFEBAG *PKCS12_x509crl2certbag(X509_CRL *crl);
 X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag);
 X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag);
 
+PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8);
+PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
+    int passlen, unsigned char *salt, int saltlen, int iter,
+    PKCS8_PRIV_KEY_INFO *p8);
+
+#endif /* !LIBRESSL_NEXT_API && !LIBRESSL_INTERNAL */
+
 PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it,
     int nid1, int nid2);
-PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8);
 PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass,
     int passlen);
 PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(const PKCS12_SAFEBAG *bag,
@@ -185,9 +241,6 @@ PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(const PKCS12_SAFEBAG *bag,
 X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher,
     const char *pass, int passlen, unsigned char *salt, int saltlen, int iter,
     PKCS8_PRIV_KEY_INFO *p8);
-PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
-    int passlen, unsigned char *salt, int saltlen, int iter,
-    PKCS8_PRIV_KEY_INFO *p8);
 PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk);
 STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7);
 PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,