Conversation
|
I feel these existing tests should simply be skipped. My impression is that PKCS#12 is currently effectively unsupported in FIPS environments as I doubt password-based PKCS#12 is actually used without a MAC. I think On a side note, RFC 9579 / RFC 9879 introduced an alternative MAC algorithm based on PBMAC1 from PKCS#5v2, which I think is FIPS-compatible. However, this is still pretty new and we don't have a wrapper for it yet: https://docs.openssl.org/master/man3/PKCS12_gen_mac/ |
junaruga
force-pushed
the
wip/fips-test-pkcs12
branch
from
24b8de6 to
4c7ffa6
Compare
Okay. That makes sense. I think we want to test popular use cases. I rebased the PR without MAC less key. I am still using the However, LibreSSL's https://man.openbsd.org/PKCS12_newpass.3
And AWS-LC's If you don't like this conditional logic, I can change this PR's source code back to use the What do you think? |
This is interesting. It appears that the underlying function in OpenSSL, I also think using PBES2/AES is better, but I'd prefer to reduce conditionals because I'm not very familiar with PKCS#12 and want to keep it simple. |
Yes your preference makes sense to me. I will revert the conditional logic to the original logic. |
junaruga
force-pushed
the
wip/fips-test-pkcs12
branch
from
4c7ffa6 to
342049e
Compare
|
I rebased this PR, fixing mentioned from you. Now there are 2 commits in the PR. The first commit is to the main. The 2nd commit is to update the comments. Could you review the PR again? Thanks. |
* OpenSSL::PKCS12.create calling the PKCS12_create() has the argument mac_iter which uses a MAC key using PKCS12KDF which is not FIPS-approved. * OpenSSL::PKCS12.new with base64-encoded example calling PKCS12_parse() verifies the MAC key using PKCS12KDF which is not FIPS-approved. * PBE-SHA1-3DES uses PKCS12KDF which is not FIPS-approved according to the RFC 7292 PKCS#12. https://datatracker.ietf.org/doc/html/rfc7292#appendix-C > The PBES1 encryption scheme defined in PKCS ruby#5 provides a number of > algorithm identifiers for deriving keys and IVs; here, we specify a > few more, all of which use the procedure detailed in Appendices B.2 > and B.3 to construct keys (and IVs, where needed). As is implied by > their names, all of the object identifiers below use the hash > function SHA-1. > ... > pbeWithSHAAnd3-KeyTripleDES-CBC OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3} Note that the pbeWithSHAAnd3-KeyTripleDES-CBC (pkcs12-pbeids 3) in the RFC 7292 PKCS#12 means PBE-SHA1-3DES in OpenSSL. PKCS12KDF is used in PKCS#12. https://oidref.com/1.2.840.113549.1.12.1.3 https://github.com/openssl/openssl/blob/ed57d1e06dca28689190e00d9893e0fd7ecc67c1/crypto/objects/objects.txt#L385
* More precisely * Updating the rsa-1.pem file path.
junaruga
force-pushed
the
wip/fips-test-pkcs12
branch
from
342049e to
d86270d
Compare
|
I rebased this PR again, updating the following part of the comment and commit message, reflecting our conversation. Could you review the PR again? Thank you. |
|
Thank you for the review. |
2 participants
This PR is working in progress.
I see the test failures on LibreSSL and AWS-LC cases.
AES-256-CBCusingPBKDF2which is FIPS-approved, instead of thePBE-SHA1-3DESusingPKCS12KDFwhich is not FIPS-approved. See also the man page openssl-pkcs12(1).OpenSSL::PKCS12.createcalling thePKCS12_createhas the argumentmac_iterwhich uses a MAC key usingPKCS12KDFwhich is not FIPS-approved. In the FIPS case, set themac_iter = -1to omit the MAC key. See also the man page PKCS12_create(3).OpenSSL::PKCS12.newcallingPKCS12_parseverifies the MAC usingPKCS12KDFwhich is not FIPS-approved, I created the test data without MAC by theopenssl pkcs12 -nomac.