Skip to content

Fix test_pkcs12.rb in FIPS. #997

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
junaruga wants to merge 1 commit into
base: master
Choose a base branch
from
+135 −101
Open

Fix test_pkcs12.rb in FIPS. #997

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion Rakefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,6 @@ Rake::TestTask.new(:test_fips_internal) do |t|
t.test_files = FileList['test/**/test_*.rb'] - FileList[
'test/openssl/test_hmac.rb',
'test/openssl/test_kdf.rb',
'test/openssl/test_pkcs12.rb',
'test/openssl/test_ts.rb',
]
t.warning = true
Expand Down
235 changes: 135 additions & 100 deletions test/openssl/test_pkcs12.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,8 +5,13 @@

module OpenSSL
class TestPKCS12 < OpenSSL::TestCase
DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES"
DEFAULT_PBE_CERTS = "PBE-SHA1-3DES"
# Use the AES-256-CBC using PBKDF2 which is FIPS-approved, instead of the
# PBE-SHA1-3DES using PKCS12KDF which is not FIPS-approved as much as
# possible. As the AES-256-CBC is also used as `openssl pkcs12`'s default
# algorithm, the case is typical. See also the man page openssl-pkcs12(1).
# OpenSSL::PKCS12.create raises UNKNOWN_ALGORITHM in AWS-LC with AES-256-CBC.
DEFAULT_PBE_PKEYS = aws_lc? ? "PBE-SHA1-3DES" : "AES-256-CBC"
DEFAULT_PBE_CERTS = aws_lc? ? "PBE-SHA1-3DES" : "AES-256-CBC"

def setup
super
Expand Down Expand Up @@ -34,6 +39,11 @@ def setup
end

def test_create_single_key_single_cert
# OpenSSL::PKCS12.create calling the PKCS12_create() has the argument
# mac_iter which uses a MAC key using PKCS12KDF which is not
# FIPS-approved.
omit_on_fips

pkcs12 = OpenSSL::PKCS12.create(
"omg",
"hello",
Expand All @@ -55,8 +65,14 @@ def test_create_single_key_single_cert
end

def test_create_no_pass
# PKCS12KDF used for a MAC key is not FIPS-approved.
omit_on_fips

# LibreSSL doesn't accept the nil as no pass.
pass = libressl? ? "" : nil

pkcs12 = OpenSSL::PKCS12.create(
nil,
pass,
"hello",
@mykey,
@mycert,
Expand All @@ -73,6 +89,9 @@ def test_create_no_pass
end

def test_create_with_chain
# PKCS12KDF used for a MAC key is not FIPS-approved.
omit_on_fips

chain = [@inter_cacert, @cacert]

pkcs12 = OpenSSL::PKCS12.create(
Expand All @@ -88,6 +107,9 @@ def test_create_with_chain
end

def test_create_with_chain_decode
# PKCS12KDF used for a MAC key is not FIPS-approved.
omit_on_fips

chain = [@cacert, @inter_cacert]

passwd = "omg"
Expand Down Expand Up @@ -124,6 +146,9 @@ def test_create_with_bad_nid
end

def test_create_with_itr
# PKCS12KDF used for a MAC key is not FIPS-approved.
omit_on_fips

OpenSSL::PKCS12.create(
"omg",
"hello",
Expand All @@ -150,6 +175,9 @@ def test_create_with_itr
end

def test_create_with_mac_itr
# PKCS12KDF used for a MAC key is not FIPS-approved.
omit_on_fips

OpenSSL::PKCS12.create(
"omg",
"hello",
Expand Down Expand Up @@ -178,6 +206,9 @@ def test_create_with_mac_itr
end

def test_create_with_keytype
# PKCS12KDF used for a MAC key is not FIPS-approved.
omit_on_fips

omit "AWS-LC does not support KEY_SIG and KEY_EX" if aws_lc?

OpenSSL::PKCS12.create(
Expand Down Expand Up @@ -210,45 +241,47 @@ def test_create_with_keytype
end

def test_new_with_no_keys
# generated with:
# openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export
# PKCS12KDF used for a MAC key is not FIPS-approved.
omit_on_fips

# Generated with the following steps:
# Print the value of the @mycert such as by `puts @mycert.to_s` and
# save the value as the file `mycert.pem`.
# Run the following commands:
# openssl pkcs12 -certpbe AES-256-CBC -in <(cat mycert.pem) \
# -nokeys -export -passout pass:abc123 -out /tmp/p12.out
# base64 /tmp/p12.out
str = <<~EOF.unpack1("m")
MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3
DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw
DgQIjv5c3OHvnBgCAggAgIIFiMJa8Z/w7errRvCQPXh9dGQz3eJaFq3S2gXD
rh6oiwsgIRJZvYAWgU6ll9NV7N5SgvS2DDNVuc3tsP8TPWjp+bIxzS9qmGUV
kYWuURWLMKhpF12ZRDab8jcIwBgKoSGiDJk8xHjx6L613/XcRM6ln3VeQK+C
hlW5kXniNAUAgTft25Fn61Xa8xnhmsz/fk1ycGnyGjKCnr7Mgy7KV0C1vs23
18n8+b1ktDWLZPYgpmXuMFVh0o+HJTV3O86mkIhJonMcnOMgKZ+i8KeXaocN
JQlAPBG4+HOip7FbQT/h6reXv8/J+hgjLfqAb5aV3m03rUX9mXx66nR1tQU0
Jq+XPfDh5+V4akIczLlMyyo/xZjI1/qupcMjr+giOGnGd8BA3cuXW+ueLQiA
PpTp+DQLVHRfz9XTZbyqOReNEtEXvO9gOlKSEY5lp65ItXVEs2Oqyf9PfU9y
DUltN6fCMilwPyyrsIBKXCu2ZLM5h65KVCXAYEX9lNqj9zrQ7vTqvCNN8RhS
ScYouTX2Eqa4Z+gTZWLHa8RCQFoyP6hd+97/Tg2Gv2UTH0myQxIVcnpdi1wy
cqb+er7tyKbcO96uSlUjpj/JvjlodtjJcX+oinEqGb/caj4UepbBwiG3vv70
63bS3jTsOLNjDRsR9if3LxIhLa6DW8zOJiGC+EvMD1o4dzHcGVpQ/pZWCHZC
+YiNJpQOBApiZluE+UZ0m3XrtHFQYk7xblTrh+FJF91wBsok0rZXLAKd8m4p
OJsc7quCq3cuHRRTzJQ4nSe01uqbwGDAYwLvi6VWy3svU5qa05eDRmgzEFTG
e84Gp/1LQCtpQFr4txkjFchO2whWS80KoQKqmLPyGm1D9Lv53Q4ZsKMgNihs
rEepuaOZMKHl4yMAYFoOXZCAYzfbhN6b2phcFAHjMUHUw9e3F0QuDk9D0tsr
riYTrkocqlOKfK4QTomx27O0ON2J6f1rtEojGgfl9RNykN7iKGzjS3914QjW
W6gGiZejxHsDPEAa4gUp0WiSUSXtD5WJgoyAzLydR2dKWsQ4WlaUXi01CuGy
+xvncSn2nO3bbot8VD5H6XU1CjREVtnIfbeRYO/uofyLUP3olK5RqN6ne6Xo
eXnJ/bjYphA8NGuuuvuW1SCITmINkZDLC9cGlER9+K65RR/DR3TigkexXMeN
aJ70ivZYAl0OuhZt3TGIlAzS64TIoyORe3z7Ta1Pp9PZQarYJpF9BBIZIFor
757PHHuQKRuugiRkp8B7v4eq1BQ+VeAxCKpyZ7XrgEtbY/AWDiaKcGPKPjc3
AqQraVeQm7kMBT163wFmZArCphzkDOI3bz2oEO8YArMgLq2Vto9jAZlqKyWr
pi2bSJxuoP1aoD58CHcWMrf8/j1LVdQhKgHQXSik2ID0H2Wc/XnglhzlVFuJ
JsNIW/EGJlZh/5WDez9U0bXqnBlu3uasPEOezdoKlcCmQlmTO5+uLHYLEtNA
EH9MtnGZebi9XS5meTuS6z5LILt8O9IHZxmT3JRPHYj287FEzotlLdcJ4Ee5
enW41UHjLrfv4OaITO1hVuoLRGdzjESx/fHMWmxroZ1nVClxECOdT42zvIYJ
J3xBZ0gppzQ5fjoYiKjJpxTflRxUuxshk3ih6VUoKtqj/W18tBQ3g5SOlkgT
yCW8r74yZlfYmNrPyDMUQYpLUPWj2n71GF0KyPfTU5yOatRgvheh262w5BG3
omFY7mb3tCv8/U2jdMIoukRKacpZiagofz3SxojOJq52cHnCri+gTHBMX0cO
j58ygfntHWRzst0pV7Ze2X3fdCAJ4DokH6bNJNthcgmolFJ/y3V1tJjgsdtQ
7Pjn/vE6xUV0HXE2x4yoVYNirbAMIvkN/X+atxrN0dA4AchN+zGp8TAxMCEw
CQYFKw4DAhoFAAQUQ+6XXkyhf6uYgtbibILN2IjKnOAECLiqoY45MPCrAgII
AA==
MIIGhwIBAzCCBjUGCSqGSIb3DQEHAaCCBiYEggYiMIIGHjCCBhoGCSqGSIb3DQEHBqCCBgswggYH
AgEAMIIGAAYJKoZIhvcNAQcBMF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBBmfu7YGPAk
YVG9zCy8SQefAgIIADAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQtpZzo1fdoiTkeDBMwZUt
3YCCBZBYulEiz0dB/iLhIMGm7Pc0UV0dUdazwZHt9jgzjhejc6aZMfzyoRqTj7/Hl2D3ocslBywa
00HUcGA37E9d2RpNdKKiHEdlQR4VAYJl/cnuL85EDJxnMp/+W5TtTRDae08sjETCoMakH95TV3zo
Q5/xP42yORG6fg0YQ9Jb2c6UQ6zGP3nWtUlLkoHmkyHmDUI9M1TTldX/2R0d5A0Vd8GWSfTVhhMJ
bPuoa28aoWFKJo2etOa1crnX2yPBTh5C2AQEFi/HuO0zE+GGoRjpkM7c0O+Ravq25nmprDjGNajE
6zlRPkALszDIopuHnBiH9YxaMqPXdWwCn6LV4qGp/rBGQjJFqbQVDvlzosUdC00x8NdDiiZczMvB
VHOaHk7CpgFZhJvg3Dk6Of+S8BijXv3XKCWTY5O5LIwOHzeK3SWuLhBlD3WEjWBoeZZkdrGVs+0J
r696PlW6DUb1Wbw5NeYwwoV66w2KVsb7B0E3KWgVlWwlkur1ylReU2+u/bOD+or1+T/vS7Rku3zH
wVlBJpvp51k73AhoRaPHSjegqNVkMObUob1+GZ6ak07Sy+dH1EC1BR2iLiq9ON+jBm40c5f62dRm
Kri6gpv0/LHcVbv0a68JUzEpPMmVEaspX8dVG6+3+mhO+JvpuLdtQ0zZV/6sKfqd+yRc4p8ChMav
yhO6L4El52FIHv5iEpoHN2e+dBySL1fSnmkh+Z7TaMHR+arq3Y/GpRKrbuTkmspcuUALwiN6XpEL
dIiye3oUGL+VL5teNOBLHUlFPp73KR3ZBQQvCg8ybG90sjb7rxz6RvsPwYIrqdeOSnJrbnvOFmvU
j8pQ5T1RJqtaMg/D2Z+DcBD5lyeX2DeKQ/Pwk1uaHGJwsIKXaPzTmxcfdhOeBOaZg3THuu7kEqI9
RklL1XznXBjmVAI09y+02O6/Bg42TsyiCo+XSkN6aIbC1Gnmvm6e9MXlzw1RY3FKAWW8ZP0qjjup
08tFlt+s87ndpkMYBuJ/rN55fA/1nQgSDwgv3qDBxFgIoRsH6NEaF8Jycb/3DMVVaMe8mIDq+CFp
OfjbXAaq5j+3rzdcpcFvTZpn5uB0tLu+J/NhXYgWz+lhP0ghlktKBLiZ4SugCsXu+QJOK7Q3mv+H
5kDul6oLu8qk69IEBH2+bn7abwG6363pBBaweHMZQyaO8Xjhct3spWJluz5LoGKl8XUDma/9Wye1
UmKeA6W8YTyc5RLjLTEGM0T7aeaDGEqAMJ22lD1iNtA0E1Psw1xWeq83IWdk53v7RC9jLGBCHA/w
+O9jC1mbFyz0c/9N0aWFDd1a2Gk0WmuRCFT6a0AwhASUlp8qsJISJncxI0r+ZEs6OusiMkkSfzlS
SdSBOxVmIPFMJ2Vst4ku/PgZgCddaMz8MmDPowiB3P5IXnW7/j+LqHl8b/wirGyen82Ui9v99xBL
qZaL4lZwUNwIJRDptuSys4QPRtHzq0b3qegQpCCUwVzWO4S9lZ1RNciQN+VA8XUo3X9oErY68QQW
v9t0ljYKJhX17Vasnd99uCHaR6pjJB1nNgJj3+dGPoSfHL5sT8xQ31pxfZcLH+/Aesx/TGMrRCsF
PPWbc+7FroeGruSm0k2LPE53ExI11IFOgyHDUfoAHMqTXJiyxCgR0TqwsNkg5fZzOTsnTuSYjP/4
Avu9K5XAjZOhv6dddZQug/QIJ32DIMCynVN3WwQkiiam/3XV686Z8H1AB3dyB3JYOoSF6PuALYdr
uRffsH7IVksxWjK6WG8Q2vVEdHNZjIMoZIQjx5RJXKRTAh29uHLaO2nmJt8VGlo0CnUJ0ZInLXmv
81+9DIawctjedLGIYETYd9j3LYe3bxIA0qfecnP8IPpomRL6YOJCgJ5cw2sM/ZLSTxpicbjgChee
cfBR6TBJMDEwDQYJYIZIAWUDBAIBBQAEIGNRVdh6EXs63L/bK7mkiBsqSAIrzVOFqdAxlKeisVLF
BBCW+YZolO3mRPS/gzK4QiwbAgIIAA==
EOF
p12 = OpenSSL::PKCS12.new(str, "abc123")

Expand All @@ -259,66 +292,61 @@ def test_new_with_no_keys
end

def test_new_with_no_certs
# generated with:
# openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export
# PKCS12KDF used for a MAC key is not FIPS-approved.
omit_on_fips

# Generated with the folowing steps:
# openssl pkcs12 -inkey test/openssl/fixtures/pkey/rsa-1.pem \
# -nocerts -export -passout pass:abc123 -out /tmp/p12.out
# base64 /tmp/p12.out
str = <<~EOF.unpack1("m")
MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3
DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK
KoZIhvcNAQwBAzAOBAjX5nN8jyRKwQICCAAEgglIBIRLHfiY1mNHpl3FdX6+
72L+ZOVXnlZ1MY9HSeg0RMkCJcm0mJ2UD7INUOGXvwpK9fr6WJUZM1IqTihQ
1dM0crRC2m23aP7KtAlXh2DYD3otseDtwoN/NE19RsiJzeIiy5TSW1d47weU
+D4Ig/9FYVFPTDgMzdCxXujhvO/MTbZIjqtcS+IOyF+91KkXrHkfkGjZC7KS
WRmYw9BBuIPQEewdTI35sAJcxT8rK7JIiL/9mewbSE+Z28Wq1WXwmjL3oZm9
lw6+f515b197GYEGomr6LQqJJamSYpwQbTGHonku6Tf3ylB4NLFqOnRCKE4K
zRSSYIqJBlKHmQ4pDm5awoupHYxMZLZKZvXNYyYN3kV8r1iiNVlY7KBR4CsX
rqUkXehRmcPnuqEMW8aOpuYe/HWf8PYI93oiDZjcEZMwW2IZFFrgBbqUeNCM
CQTkjAYxi5FyoaoTnHrj/aRtdLOg1xIJe4KKcmOXAVMmVM9QEPNfUwiXJrE7
n42gl4NyzcZpxqwWBT++9TnQGZ/lEpwR6dzkZwICNQLdQ+elsdT7mumywP+1
WaFqg9kpurimaiBu515vJNp9Iqv1Nmke6R8Lk6WVRKPg4Akw0fkuy6HS+LyN
ofdCfVUkPGN6zkjAxGZP9ZBwvXUbLRC5W3N5qZuAy5WcsS75z+oVeX9ePV63
cue23sClu8JSJcw3HFgPaAE4sfkQ4MoihPY5kezgT7F7Lw/j86S0ebrDNp4N
Y685ec81NRHJ80CAM55f3kGCOEhoifD4VZrvr1TdHZY9Gm3b1RYaJCit2huF
nlOfzeimdcv/tkjb6UsbpXx3JKkF2NFFip0yEBERRCdWRYMUpBRcl3ad6XHy
w0pVTgIjTxGlbbtOCi3siqMOK0GNt6UgjoEFc1xqjsgLwU0Ta2quRu7RFPGM
GoEwoC6VH23p9Hr4uTFOL0uHfkKWKunNN+7YPi6LT6IKmTQwrp+fTO61N6Xh
KlqTpwESKsIJB2iMnc8wBkjXJtmG/e2n5oTqfhICIrxYmEb7zKDyK3eqeTj3
FhQh2t7cUIiqcT52AckUqniPmlE6hf82yBjhaQUPfi/ExTBtTDSmFfRPUzq+
Rlla4OHllPRzUXJExyansgCxZbPqlw46AtygSWRGcWoYAKUKwwoYjerqIV5g
JoZICV9BOU9TXco1dHXZQTs/nnTwoRmYiL/Ly5XpvUAnQOhYeCPjBeFnPSBR
R/hRNqrDH2MOV57v5KQIH2+mvy26tRG+tVGHmLMaOJeQkjLdxx+az8RfXIrH
7hpAsoBb+g9jUDY1mUVavPk1T45GMpQH8u3kkzRvChfOst6533GyIZhE7FhN
KanC6ACabVFDUs6P9pK9RPQMp1qJfpA0XJFx5TCbVbPkvnkZd8K5Tl/tzNM1
n32eRao4MKr9KDwoDL93S1yJgYTlYjy1XW/ewdedtX+B4koAoz/wSXDYO+GQ
Zu6ZSpKSEHTRPhchsJ4oICvpriVaJkn0/Z7H3YjNMB9U5RR9+GiIg1wY1Oa1
S3WfuwrrI6eqfbQwj6PDNu3IKy6srEgvJwaofQALNBPSYWbauM2brc8qsD+t
n8jC/aD1aMcy00+9t3H/RVCjEOb3yKfUpAldIkEA2NTTnZpoDQDXeNYU2F/W
yhmFjJy8A0O4QOk2xnZK9kcxSRs0v8vI8HivvgWENoVPscsDC4742SSIe6SL
f/T08reIX11f0K70rMtLhtFMQdHdYOTNl6JzhkHPLr/f9MEZsBEQx52depnF
ARb3gXGbCt7BAi0OeCEBSbLr2yWuW4r55N0wRZSOBtgqgjsiHP7CDQSkbL6p
FPlQS1do9gBSHiNYvsmN1LN5bG+mhcVb0UjZub4mL0EqGadjDfDdRJmWqlX0
r5dyMcOWQVy4O2cPqYFlcP9lk8buc5otcyVI2isrAFdlvBK29oK6jc52Aq5Q
0b2ESDlgX8WRgiOPPxK8dySKEeuIwngCtJyNTecP9Ug06TDsu0znZGCXJ+3P
8JOpykgA8EQdOZOYHbo76ZfB2SkklI5KeRA5IBjGs9G3TZ4PHLy2DIwsbWzS
H1g01o1x264nx1cJ+eEgUN/KIiGFIib42RS8Af4D5e+Vj54Rt3axq+ag3kI+
53p8uotyu+SpvvXUP7Kv4xpQ/L6k41VM0rfrd9+DrlDVvSfxP2uh6I1TKF7A
CT5n8zguMbng4PGjxvyPBM5k62t6hN5fuw6Af0aZFexh+IjB/5wFQ6onSz23
fBzMW4St7RgSs8fDg3lrM+5rwXiey1jxY1ddaxOoUsWRMvvdd7rZxRZQoN5v
AcI5iMkK/vvpQgC/sfzhtXtrJ2XOPZ+GVgi7VcuDLKSkdFMcPbGzO8SdxUnS
SLV5XTKqKND+Lrfx7DAoKi5wbDFHu5496/MHK5qP4tBe6sJ5bZc+KDJIH46e
wTV1oWtB5tV4q46hOb5WRcn/Wjz3HSKaGZgx5QbK1MfKTzD5CTUn+ArMockX
2wJhPnFK85U4rgv8iBuh9bRjyw+YaKf7Z3loXRiE1eRG6RzuPF0ZecFiDumk
AC/VUXynJhzePBLqzrQj0exanACdullN+pSfHiRWBxR2VFUkjoFP5X45GK3z
OstSH6FOkMVU4afqEmjsIwozDFIyin5EyWTtdhJe3szdJSGY23Tut+9hUatx
9FDFLESOd8z3tyQSNiLk/Hib+e/lbjxqbXBG/p/oyvP3N999PLUPtpKqtYkV
H0+18sNh9CVfojiJl44fzxe8yCnuefBjut2PxEN0EFRBPv9P2wWlmOxkPKUq
NrCJP0rDj5aONLrNZPrR8bZNdIShkZ/rKkoTuA0WMZ+xUlDRxAupdMkWAlrz
8IcwNcdDjPnkGObpN5Ctm3vK7UGSBmPeNqkXOYf3QTJ9gStJEd0F6+DzTN5C
KGt1IyuGwZqL2Yk51FDIIkr9ykEnBMaA39LS7GFHEDNGlW+fKC7AzA0zfoOr
fXZlHMBuqHtXqk3zrsHRqGGoocigg4ctrhD1UREYKj+eIj1TBiRdf7c6+COf
NIOmej8pX3FmZ4ui+dDA8r2ctgsWHrb4A6iiH+v1DRA61GtoaA/tNRggewXW
VXCZCGWyyTuyHGOqq5ozrv5MlzZLWD/KV/uDsAWmy20RAed1C4AzcXlpX25O
M4SNl47g5VRNJRtMqokc8j6TjZrzMDEwITAJBgUrDgMCGgUABBRrkIRuS5qg
BC8fv38mue8LZVcbHQQIUNrWKEnskCoCAggA
MIIKUgIBAzCCCgAGCSqGSIb3DQEHAaCCCfEEggntMIIJ6TCCCeUGCSqGSIb3DQEHAaCCCdYEggnS
MIIJzjCCCcoGCyqGSIb3DQEMCgECoIIJuTCCCbUwXwYJKoZIhvcNAQUNMFIwMQYJKoZIhvcNAQUM
MCQEEI01CXHjkMt/msnpv5I8CuECAggAMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBC88lPx
nXduPOMxkNGSAMzhBIIJUHXa+UzIw1TfeBBPu630vtrAYnGgwUiUrxbMt1hDKHq3mmuadAjghQSG
zzq61lU1KOYtsA7mYRwUGS3lXdTGTP4rbrIsDUjSkwo+6DX8d4IG2uhwhSK3Te2bMsygFBVaJF+k
X71DAyI6FF9rVo6npTdcDkW/aobuPysyE1vhGbitri+yAnMizutS/C3D1SfwK6BA3c2PfVgL63dO
8T3nbbIezJLuwxvuIg719MYXwFgvfqm/OHSpM+tfhnoWXwNhp78XH6t0tmHPtX1knKSmZyqZS5ZH
u3qJJaQv3it2G/v0gFahKBEL5SFBmFKdEXoLNBmeK34qm6OxMfh7FzJeicZjJBC696Nunm69iwSi
VQdYVeC9/qM0nc3GKdtPrWbcTE6mv1SQZYuRncfTpBpSMp18UdMa3mfpY3jab1Vm2H5NjeBHssJu
LHiyLYXumAss3CWU90MAET+PVzJp3gvB51GM/ULlunVB6pOgAuLOtXJRPvaQvty5K/S5AqkNRd07
yZZjxYXuhJIm0fPVe0kqVqJ8Skfp/v5a2rYcnCNYbrNG2/UH8cov9IXDlMcPQzVQRHPmiMstLDte
pjL711b0X3E0nJ9fXCJmaB/m9dmKBF2J/xjLj6A6dkzL4usv/QUpuoFWW2ATLm9YMOslSZvWCvPl
4DDwkzQRwhRQoxqOusWhttQBexLX6N0k/NOWukb5RxpTaEpc4fFK/AFa/t74+dufP0nciKGd12iG
WruMo25aMnnrqQM0vXRmoIwhG/puIgTLeXJOlC0BZrszVTrqlRHdUtrxsiumF1rNXUekZSNNvCDM
hZsRGulwQMNxbKvt0mZc04NuNcnBTHzCxDllKrI2SvWd+4fhzzqiIpGYcMdW5h7zw2+FQIyzmulB
xhB+SYH4Vm3g6+lws3yYNCLBxedtypTjppOergSQOrK1ZrB5YaVgw11uqkeSl8e0phbQPAp4NF+l
2HZNmybhj5ryX5niIyo9Wv7qtctqvxq6zuZ/AVIDpcEWLwUEL2H5bi+Uu2zBa/EGTCA0Kklgzsm4
L450xo1fbskLju1/PMt2Ssdlwt7cmkhK4OLzWnVYlqUCzWNyZBkUpuAdSfPq2pd+VwzpIAjTV8x/
PJ0Qm9T5ncOBokxIQDZW60mMiWTLN5i39onkcouO6OTsZApWG54duCXd7oAS29Wssuzf0uEYkdzU
w4YCY0wdjWwelMQOutJ9l+sNZcxWxcNEd389a33S6nhRJPNp61aW53zQFvFEpWCW4fRrqyxbSIFB
mqZwb/Ge3g2uqk/04euAh+mYMpjSB6T7Bza2J7pIwNnIoGwkJGWh0EeuiTCIQ8So+ThM1nEUy+ww
+k08XZm5rWwA76mpSiOliD8y1x7vxd09PWETis3pERhFfT4G5yxhTVTogwWm5QJ9Y9QCL51mV9MW
gfkbySL8nxC32nw7aYOSX2/m4HmqwEoVLrZxO2d1lGAN6qt+Ytw5ZS4j8rEvcKKg1NnyU9M+mrsB
6ESSSoEhKPMb5YUTr1RNi9RZ6uhd8pZniRttrX9S64KE/UU6ZEBcWB4gEUK/A1a6AOQgc6N5z2mI
qP2Guvt9dzXX45HTfVaZz1IwuSMJnPhvKgzdGsUX3v/A2Q+MyTuU16fxNDI8hBap/+OlgSfrTSmt
hmnTgnLIPcvv093CRFhhKY3wP1M6YlQst1ge1mLa4ZcA06golsvj/rQkbK4ZR2JCX2v1oWaUCGmF
3GfYsFjJn8/QxMf8nIQVKfHwmnXoy9yeghKSW0mbJ5o0iC82XJiewp+UeIOwScza2+SMnrV91w1F
/DpDbceBkl2m+/piMk27TQQhiWK8aEUpTdMdsjDAWDV8Qt/GNnrfQGrPWxuzmBo6NgdDUsJpPBEa
NuN+jEgIc9HbZL9seOcBRvy2Zk+ESznEVJFPj3ItLHCEsUrLU2WV4xEOc9zxbgTBUbmliQ4OMvJu
PvSzUhc7//N1OCrUSwqpvAecpLKOLkvE/k2+rshWasttx1by9+0YqrmmOV32+OdFTdaFyPh5jLXz
cdx+GRSiFMA2MpX44OMcJNGKMhAPTo7L0Xlhm9ZZzMpzt13gFualzTlc/wa1TBXdBO3wh5IHfFiI
I2my+By3n0WlJ7sxlIeBsUThdNWGuuu1vo9kUJ7TsiFrCikjoQg+eT/2q0nY/bwq916uEVfXJM5V
1FfEz64r7/yFqlti85jYPpfEdGASXOobIQ6q8XaHucDhDifBnWMLvFiFk9FOngOCQtb7MKu09Z6q
X+XIY2JQcIunB1mVNgkrKm4lPUpfkgfwVjyRXZJL25DXuSsfCpFmzYHrbm4971So58I9JOlrSfIf
wBC4ys9kJKmz3W4+9/8rJI9zDI0MShxvhF6LRVStRjm3Vi09y/C2XOZ+ygHHhaIfYlHJ8knq7NoD
fz/SOW8b2bvZnuC60MqkxrTwuobdk73HgjT8BKe+79zcBGNcnoTy0rmFmhOBBzfsbr5yOEWvxsux
83yJt6qOxf4KwKPP1RPRX5s/5npZWqGa6FtNBcznWYSFy4FvoY8ok0lL9xJXG2ugGeac+wSc1tRL
4rL6JlzcsBVTE8SV5D6ezGFtZKjBfmkSR4dXq6HcqiCqWhJQ1gdOKFsZknYvmWZodVjRRLJUl91f
9NsQ4bnEcfgow7/S30E4mUkgJDCG/SFLFrkkuR5DQZ3L3QV8AxLsLzYfb7MWYNYT3J+ya+zkGfdL
cfY/V7ejIFVz5BImmEvUR50x7kJcvcOp3iyU9TmDqF3DMsqGtU3dSRrbUUV3NxPkq58l2KeC9xlQ
p0emfEScWmiYJmZep8PeMMd0O9GkN0y7QrmzSarcsHnyuTy3pU/haLfgB2KTFK5rOw+4gJhFxZvL
ldpx/oWz1MmYRuM4923tESXMAe+QbCGClWlT2xXwjr1RBJF6FCh6iyDaU5t5twsa2pmMe7+z7UIJ
R/IUS6tBcF2UYRv+ebVDh7yE2srIMU/1GTyDVOnHsiJZ8QpxPD3vy0qN237cx09SyoXTCL8RSjfE
hFdl6Z8zT1LrKpqZ6BGfsg+mMX0kLV3VXGBA8NkEt5p0E4AADI2YufFSltdO3kCnwLjv+P+tBY7/
MKeIA0w3+mGnhnG9pEZakdnZdC4yp2D4REI8R2687ayT4ps+yFE35c5OwxnALvkyduFhuC1Cz2ye
4JS20ZePMEkwMTANBglghkgBZQMEAgEFAAQgvP8g52ab9MouQYsJaj8rqfc7qZI+l5wgTRI7rgd7
NVgEEG5jLuv43kXMoGSKg7M2SY4CAggA
EOF
p12 = OpenSSL::PKCS12.new(str, "abc123")

Expand All @@ -328,6 +356,9 @@ def test_new_with_no_certs
end

def test_dup
# PKCS12KDF used for a MAC key is not FIPS-approved.
omit_on_fips

p12 = OpenSSL::PKCS12.create(
"pass",
"name",
Expand All @@ -341,6 +372,10 @@ def test_dup
end

def test_set_mac_pkcs12kdf
# OpenSSL::PKCS12.create's argument mac_iter uses MAC key using PKCS12KDF
# which is not FIPS-approved.
omit_on_fips

p12 = OpenSSL::PKCS12.create(
"pass",
"name",
Expand Down