An interface to create PKCS #12 files in FIPS compliant way

Related: RHEL-36659
2024-08-09 14:19:59 +02:00 · 2024-08-09 14:19:59 +02:00 · 299b43d420
commit 299b43d420
parent a44bf0f715
2 changed files with 73 additions and 7 deletions
--- a/0124-PBMAC1-PKCS12-FIPS-support.patch
+++ b/0124-PBMAC1-PKCS12-FIPS-support.patch
@ -90,7 +90,7 @@ index 54323a9713393..cbe133742a8be 100644
             }
         }
         assert(private);
-@@ -774,11 +792,32 @@ int pkcs12_main(int argc, char **argv)
+@@ -774,23 +792,54 @@ int pkcs12_main(int argc, char **argv)
         X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
         BIO_puts(bio_err, "MAC: ");
         i2a_ASN1_OBJECT(bio_err, macobj);
@ -126,8 +126,38 @@ index 54323a9713393..cbe133742a8be 100644
 +                       tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L);
 +        }
     }
 +
     if (macver) {
-         EVP_KDF *pkcs12kdf;
+-        EVP_KDF *pkcs12kdf;
 +        const X509_ALGOR *macalgid;
 +        const ASN1_OBJECT *macobj;
 -        pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
 -                                  app_get0_propq());
 -        if (pkcs12kdf == NULL) {
 -            BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
 -            BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
 -            goto end;
 +        PKCS12_get0_mac(NULL, &macalgid, NULL, NULL, p12);
 +        X509_ALGOR_get0(&macobj, NULL, NULL, macalgid);
 +
 +        if (OBJ_obj2nid(macobj) != NID_pbmac1) {
 +            EVP_KDF *pkcs12kdf;
 +
 +            pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF",
 +                                      app_get0_propq());
 +            if (pkcs12kdf == NULL) {
 +                BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n");
 +                BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n");
 +                goto end;
 +            }
 +            EVP_KDF_free(pkcs12kdf);
         }
 -        EVP_KDF_free(pkcs12kdf);
 +
         /* If we enter empty password try no password first */
         if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
             /* If mac and crypto pass the same set it to NULL too */
 diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
 index 8575d05bf6d5a..c22cc6b77075d 100644
 --- a/crypto/asn1/p5_pbev2.c
@ -1032,16 +1062,27 @@ diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
 index 999129a03074d..c14ef94998cde 100644
 --- a/test/recipes/80-test_pkcs12.t
 +++ b/test/recipes/80-test_pkcs12.t
-@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) {
+@@ -9,7 +9,7 @@
 use strict;
 use warnings;
 -use OpenSSL::Test qw/:DEFAULT srctop_file with/;
 +use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_dir with/;
 use OpenSSL::Test::Utils;
 use Encode;
@@ -54,7 +54,9 @@ if (eval { require Win32::API; 1; }) {
 }
 $ENV{OPENSSL_WIN32_UTF8}=1;
 -plan tests => 31;
-+plan tests => 45;
+my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
 +
 +plan tests => $no_fips ? 45 : 51;
 # Test different PKCS#12 formats
 ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
-@@ -170,6 +170,59 @@ ok(grep(/Trusted key usage (Oracle)/, @pkcs12info) == 0,
+@@ -170,6 +170,80 @@ ok(grep(/Trusted key usage (Oracle)/, @pkcs12info) == 0,
     ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_outerr6_empty");
 }
@ -1060,7 +1101,7 @@ index 999129a03074d..c14ef94998cde 100644
 +                "-inkey", srctop_file(@path, "cert-key-cert.pem"),
 +                "-in", srctop_file(@path, "cert-key-cert.pem"),
 +                "-passout", "pass:1234",
-+		@$extra_args,
+                @$extra_args,
 +                "-out", "$pbmac1_id.p12"], stderr => "${pbmac1_id}_err.txt")),
 +        "test_export_pkcs12_${pbmac1_id}");
 +        open DATA, "${pbmac1_id}_err.txt";
@ -1086,6 +1127,27 @@ index 999129a03074d..c14ef94998cde 100644
 +      "test pbmac1 pkcs12 file $file");
 +}
 +
 +unless ($no_fips) {
 +    my $provpath = bldtop_dir("providers");
 +    my $provconf = srctop_file("test", "fips-and-base.cnf");
 +    my $provname = 'fips';
 +    my @prov = ("-provider-path", $provpath,
 +                "-provider", $provname);
 +    local $ENV{OPENSSL_CONF} = $provconf;
 +
 +# Test pbmac1 pkcs12 good files, RFC 9579
 +    for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_512.good.p12")
 +    {
 +        my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
 +        ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-password", "pass:1234", "-noenc"])),
 +           "test pbmac1 pkcs12 file $file");
 +
 +        ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-info", "-noout",
 +                    "-passin", "pass:1234"], stderr => "${file}_info.txt")),
 +           "test_export_pkcs12_${file}_info");
 +    }
 +}
 +
 +# Test pbmac1 pkcs12 bad files, RFC 9579
 +for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12", "pbmac1_256_256.no-len.p12")
 +{
--- a/openssl.spec
+++ b/openssl.spec
@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.2.2
-Release: 8%{?dist}
+Release: 9%{?dist}
 Epoch: 1
 Source: openssl-%{version}.tar.gz
 Source2: Makefile.certificate
@ -505,6 +505,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 %ldconfig_scriptlets libs
 %changelog
 * Fri Aug 09 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-9
 - An interface to create PKCS #12 files in FIPS compliant way
  Related: RHEL-36659
 * Wed Aug 07 2024 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.2.2-8
 - An interface to create PKCS #12 files in FIPS compliant way
  Resolves: RHEL-36659