Fix test_pkcs12.rb in FIPS. #997
Conversation
|
I feel these existing tests should simply be skipped. My impression is that PKCS#12 is currently effectively unsupported in FIPS environments as I doubt password-based PKCS#12 is actually used without a MAC. I think On a side note, RFC 9579 / RFC 9879 introduced an alternative MAC algorithm based on PBMAC1 from PKCS#5v2, which I think is FIPS-compatible. However, this is still pretty new and we don't have a wrapper for it yet: https://docs.openssl.org/master/man3/PKCS12_gen_mac/ |
* Use the `AES-256-CBC` using `PBKDF2` which is FIPS-approved, instead of the `PBE-SHA1-3DES` using `PKCS12KDF` which is not FIPS-approved. As the `AES-256-CBC` is also used as `openssl pkcs12`'s default algorithm, the case is typical. See also the man page openssl-pkcs12(1). * `OpenSSL::PKCS12.create` calling the `PKCS12_create` uses a MAC key using `PKCS12KDF` which is not FIPS-approved. * The test data `OpenSSL::PKCS12.new` calling `PKCS12_parse` verifies the MAC using `PKCS12KDF` which is not FIPS-approved.
junaruga
force-pushed
the
wip/fips-test-pkcs12
branch
from
24b8de6 to
4c7ffa6
Compare
Okay. That makes sense. I think we want to test popular use cases. I rebased the PR without MAC less key. I am still using the However, LibreSSL's https://man.openbsd.org/PKCS12_newpass.3
And AWS-LC's If you don't like this conditional logic, I can change this PR's source code back to use the What do you think? |
| # OpenSSL::PKCS12.create calling the PKCS12_create() has the argument | ||
| # mac_iter which uses a MAC key using PKCS12KDF which is not | ||
| # FIPS-approved. | ||
| omit_on_fips |
There was a problem hiding this comment.
Why not just do return if OpenSSL.fips_mode at the top of this file since we skip all of them?
There was a problem hiding this comment.
You are right. I didn't notice I skipped all of the tests in the test_pkcs12.rb on this PR. Yes, just skipping all the tests at the top of this file is much better. Let me fix it.
| # algorithm, the case is typical. See also the man page openssl-pkcs12(1). | ||
| # OpenSSL::PKCS12.create raises UNKNOWN_ALGORITHM in AWS-LC with AES-256-CBC. | ||
| DEFAULT_PBE_PKEYS = aws_lc? ? "PBE-SHA1-3DES" : "AES-256-CBC" | ||
| DEFAULT_PBE_CERTS = aws_lc? ? "PBE-SHA1-3DES" : "AES-256-CBC" |
There was a problem hiding this comment.
To be precise, PBE-SHA1-3DES uses PBKDF1 in PKCS#5 rather than PKCS12KDF. PKCS12KDF is only used for the outer MAC. I'd drop the FIPS reference because it's not relevant.
I noticed you updated the base64-encoded examples to use PBES2, and these tests are passing even with AWS-LC. Did we run into an incompatibility in PKCS12_create()? If so, it might be better to just skip these tests.
This is interesting. It appears that the underlying function in OpenSSL, I also think using PBES2/AES is better, but I'd prefer to reduce conditionals because I'm not very familiar with PKCS#12 and want to keep it simple. |
2 participants
This PR is working in progress.
I see the test failures on LibreSSL and AWS-LC cases.
AES-256-CBCusingPBKDF2which is FIPS-approved, instead of thePBE-SHA1-3DESusingPKCS12KDFwhich is not FIPS-approved. See also the man page openssl-pkcs12(1).OpenSSL::PKCS12.createcalling thePKCS12_createhas the argumentmac_iterwhich uses a MAC key usingPKCS12KDFwhich is not FIPS-approved. In the FIPS case, set themac_iter = -1to omit the MAC key. See also the man page PKCS12_create(3).OpenSSL::PKCS12.newcallingPKCS12_parseverifies the MAC usingPKCS12KDFwhich is not FIPS-approved, I created the test data without MAC by theopenssl pkcs12 -nomac.