RHEL-36659

OpenSSL can't create PKCS #12 files in FIPS compliant way

    • openssl-3.2.2-8.el10
    • None
    • None
    • FutureFeature
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 26
    • 1.5
    • False
    • None
    • Yes
    • Crypto24Q3
    • AC1) In FIPS mode OpenSSL creates valid FIPS-compliant PKCS #12 with PBMAC1 that doesn't use MD5 or SHA-1
      AC2) In non-FIPS mode OpenSSL creates valid FIPS-compliant PKCS #12 with PBMAC1 ONLY when the -pbmac1_pbkdf2 flag is used; otherwise PBMAC1 is not used.
      AC3, stretch goal) Files created in FIPS mode by default can be used in non-FIPS mode
      AC4, stretch goal) Files created in non-FIPS mode ONLY with the -pbmac1_pbkdf2 flag can be used in FIPS mode by default
    • Pass
    • Not Needed
    • Automated
    • Enhancement
    • .OpenSSL can create FIPS-compliant PKCS #12 files

      The OpenSSL secure communication suite has been updated and can now create PKCS #12 files in accordance with the RFC 9579 document.
    • Done
    • All
    • None

      OpenSSL should create PKCS #12 files that are FIPS compliant by default: use PBMAC1 for the PKCS #12 file's MAC.

      We should support reading files like this in normal mode, have the ability to create them in normal mode, but probably not create them by default in normal mode.

      IOW: add support for https://www.rfc-editor.org/info/rfc9579
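
One way to check which MAC scheme a PKCS #12 file uses, as an added example that is not part of this issue or of OpenSSL: it walks the DER structure to `MacData.mac.digestAlgorithm` and returns its OID, which is id-PBMAC1 for RFC 9579 files and a bare hash OID for the legacy MAC. The function names and the sample files are constructed for illustration, only definite-length DER is handled, and the PBKDF2 PRF and HMAC digests inside the PBMAC1 parameters (which AC1 also constrains) are not inspected.

```python
PBMAC1 = "1.2.840.113549.1.5.14"  # id-PBMAC1, the MAC scheme RFC 9579 adds to PKCS #12

def read_tlv(buf, pos=0):
    """Return (body, next_pos) of one definite-length DER element."""
    first, pos = buf[pos + 1], pos + 2
    n = first & 0x7F if first & 0x80 else 0   # long form: count of length octets
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    if first == 0x80 or pos + n + length > len(buf):
        raise ValueError("indefinite-length or truncated element")
    return buf[pos + n:pos + n + length], pos + n + length

def children(body):
    pos, out = 0, []
    while pos < len(body):
        inner, pos = read_tlv(body, pos)
        out.append(inner)
    return out

def oid_str(body):
    first = min(body[0] // 40, 2)
    arcs, val = [first, body[0] - 40 * first], 0
    for b in body[1:]:  # remaining arcs are base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def mac_algorithm(pfx_der):
    """OID of MacData.mac.digestAlgorithm, or None if the PFX carries no MacData."""
    fields = children(read_tlv(pfx_der)[0])  # version, authSafe, optional macData
    if len(fields) < 3:
        return None
    digest_info = children(fields[2])[0]      # MacData.mac
    alg_id = children(digest_info)[0]         # DigestInfo.digestAlgorithm
    return oid_str(children(alg_id)[0])

def tlv(tag, body):  # short-form encoder, enough for the constructed samples
    return bytes([tag, len(body)]) + body

def sample_pfx(mac_oid):  # constructed skeleton: empty authSafe, dummy MAC, NULL params
    auth_safe = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")) + tlv(0xA0, tlv(0x04, b"")))
    mac = tlv(0x30, tlv(0x30, tlv(0x06, mac_oid) + tlv(0x05, b"")) + tlv(0x04, bytes(20)))
    mac_data = tlv(0x30, mac + tlv(0x04, b"saltsalt") + tlv(0x02, b"\x08\x00"))
    return tlv(0x30, tlv(0x02, b"\x03") + auth_safe + mac_data)

NEW_STYLE = sample_pfx(bytes.fromhex("2a864886f70d01050e"))  # id-PBMAC1
LEGACY = sample_pfx(bytes.fromhex("2b0e03021a"))              # SHA-1, legacy MAC
```

On a real file, pass the bytes read from the `.p12`; a result other than `PBMAC1` means the file uses the legacy PKCS #12 MAC.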

              dbelyavs@redhat.com Dmitry Belyavskiy
              hkario@redhat.com Alicja Kario
              Dmitry Belyavskiy
              George Pantelakis
              Jan Fiala