rpms/openssl
8
1
Fork 1
Code Issues Pull Requests Releases Activity

An interface to create PKCS #12 files in FIPS compliant way

Browse Source 
Related: RHEL-36659
This commit is contained in:
Dmitry Belyavskiy 2024-08-09 14:19:59 +02:00
parent a44bf0f715
commit 299b43d420
2 changed files with 73 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

72
0124-PBMAC1-PKCS12-FIPS-support.patch
View File

@ -90,7 +90,7 @@ index 54323a9713393..cbe133742a8be 100644
} }
} }
assert(private); assert(private);
@@ -774,11 +792,32 @@ int pkcs12_main(int argc, char **argv) @@ -774,23 +792,54 @@ int pkcs12_main(int argc, char **argv)
X509_ALGOR_get0(&macobj, NULL, NULL, macalgid); X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
BIO_puts(bio_err, "MAC: "); BIO_puts(bio_err, "MAC: ");
i2a_ASN1_OBJECT(bio_err, macobj); i2a_ASN1_OBJECT(bio_err, macobj);
@ -126,8 +126,38 @@ index 54323a9713393..cbe133742a8be 100644
+ tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L); + tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L);
+ } + }
} }
+
if (macver) { if (macver) {
EVP_KDF *pkcs12kdf; - EVP_KDF *pkcs12kdf;
+ const X509_ALGOR *macalgid;
+ const ASN1_OBJECT *macobj;
- pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
- app_get0_propq());
- if (pkcs12kdf == NULL) {
- BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
- BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
- goto end;
+ PKCS12_get0_mac(NULL, &macalgid, NULL, NULL, p12);
+ X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
+
+ if (OBJ_obj2nid(macobj) != NID_pbmac1) {
+ EVP_KDF *pkcs12kdf;
+
+ pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
+ app_get0_propq());
+ if (pkcs12kdf == NULL) {
+ BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
+ BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
+ goto end;
+ }
+ EVP_KDF_free(pkcs12kdf);
}
- EVP_KDF_free(pkcs12kdf);
+
/* If we enter empty password try no password first */
if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
/* If mac and crypto pass the same set it to NULL too */
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index 8575d05bf6d5a..c22cc6b77075d 100644 index 8575d05bf6d5a..c22cc6b77075d 100644
--- a/crypto/asn1/p5_pbev2.c --- a/crypto/asn1/p5_pbev2.c
@ -1032,16 +1062,27 @@ diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 999129a03074d..c14ef94998cde 100644 index 999129a03074d..c14ef94998cde 100644
--- a/test/recipes/80-test_pkcs12.t --- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t +++ b/test/recipes/80-test_pkcs12.t
@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) { @@ -9,7 +9,7 @@
use strict;
use warnings;
-use OpenSSL::Test qw/:DEFAULT srctop_file with/;
+use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_dir with/;
use OpenSSL::Test::Utils;
use Encode;
@@ -54,7 +54,9 @@ if (eval { require Win32::API; 1; }) {
} }
$ENV{OPENSSL_WIN32_UTF8}=1; $ENV{OPENSSL_WIN32_UTF8}=1;
-plan tests => 31; -plan tests => 31;
+plan tests => 45; +my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
+
+plan tests => $no_fips ? 45 : 51;
# Test different PKCS#12 formats # Test different PKCS#12 formats
ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats"); ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
@@ -170,6 +170,59 @@ ok(grep(/Trusted key usage (Oracle)/, @pkcs12info) == 0, @@ -170,6 +170,80 @@ ok(grep(/Trusted key usage (Oracle)/, @pkcs12info) == 0,
ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_outerr6_empty"); ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_outerr6_empty");
} }
@ -1086,6 +1127,27 @@ index 999129a03074d..c14ef94998cde 100644
+ "test pbmac1 pkcs12 file $file"); + "test pbmac1 pkcs12 file $file");
+} +}
+ +
+unless ($no_fips) {
+ my $provpath = bldtop_dir("providers");
+ my $provconf = srctop_file("test", "fips-and-base.cnf");
+ my $provname = 'fips';
+ my @prov = ("-provider-path", $provpath,
+ "-provider", $provname);
+ local $ENV{OPENSSL_CONF} = $provconf;
+
+# Test pbmac1 pkcs12 good files, RFC 9579
+ for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_512.good.p12")
+ {
+ my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
+ ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-password", "pass:1234", "-noenc"])),
+ "test pbmac1 pkcs12 file $file");
+
+ ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-info", "-noout",
+ "-passin", "pass:1234"], stderr => "${file}_info.txt")),
+ "test_export_pkcs12_${file}_info");
+ }
+}
+
+# Test pbmac1 pkcs12 bad files, RFC 9579 +# Test pbmac1 pkcs12 bad files, RFC 9579
+for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12", "pbmac1_256_256.no-len.p12") +for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12", "pbmac1_256_256.no-len.p12")
+{ +{

6
openssl.spec
View File

@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
Summary: Utilities from the general purpose cryptography library with TLS implementation Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl Name: openssl
Version: 3.2.2 Version: 3.2.2
Release: 8%{?dist} Release: 9%{?dist}
Epoch: 1 Epoch: 1
Source: openssl-%{version}.tar.gz Source: openssl-%{version}.tar.gz
Source2: Makefile.certificate Source2: Makefile.certificate
@ -505,6 +505,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
%ldconfig_scriptlets libs %ldconfig_scriptlets libs
%changelog %changelog
* Fri Aug 09 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-9
- An interface to create PKCS #12 files in FIPS compliant way
Related: RHEL-36659
* Wed Aug 07 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-8 * Wed Aug 07 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-8
- An interface to create PKCS #12 files in FIPS compliant way - An interface to create PKCS #12 files in FIPS compliant way
Resolves: RHEL-36659 Resolves: RHEL-36659