Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: rhel-10.0.beta
Affects Version/s: rhel-10.0.beta
Component/s: openssl
Labels:

Fixed in Build:
openssl-3.2.2-8.el10
Regression:
None
Severity:
None
Epic Link:
CRYPTO-6153
Keywords:

FutureFeature
sprint_count:
1

Pool Team:

sst_security_crypto
Sub-System Group:

ssg_security

Internal Target Milestone:
26
Story Points:
1.5
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Sprint:
Crypto24Q3

Acceptance Criteria:

Hide

AC1) In FIPS mode OpenSSL creates valid FIPS-compliant PKCS #12 with PBMAC1 that doesn't use MD5 or SHA-1
AC2) In non-FIPS mode OpenSSL creates valid FIPS-compliant PKCS #12 with PBMAC1 ONLY when -pbmac1_pbkdf2 flag is used otherwise the PBMAC1 is not used.
AC3, stretch goal) Files created in FIPS mode by default can be used in non-FIPS mode
AC4, stretch goal) Files created in non-FIPS mode ONLY with -pbmac1_pbkdf2 flag can be used in FIPS mode by default

Show
AC1) In FIPS mode OpenSSL creates valid FIPS-compliant PKCS #12 with PBMAC1 that doesn't use MD5 or SHA-1 AC2) In non-FIPS mode OpenSSL creates valid FIPS-compliant PKCS #12 with PBMAC1 ONLY when -pbmac1_pbkdf2 flag is used otherwise the PBMAC1 is not used. AC3, stretch goal) Files created in FIPS mode by default can be used in non-FIPS mode AC4, stretch goal) Files created in non-FIPS mode ONLY with -pbmac1_pbkdf2 flag can be used in FIPS mode by default
Preliminary Testing:
Pass
Test Link:
https://tcms.engineering.redhat.com/case/617692/
Errata Link:
https://errata.engineering.redhat.com/advisory/133129
Gating Tests:

Not Needed
Test Coverage:

Automated

Release Note Type:
Enhancement
Release Note Text:

Hide
.OpenSSL can create FIPS-compliant PKCS #12 files

The OpenSSL secure communication suite has been updated and can now create PKCS #12 files in accordance with the RFC 9579 document.

Show
.OpenSSL can create FIPS-compliant PKCS #12 files The OpenSSL secure communication suite has been updated and can now create PKCS #12 files in accordance with the RFC 9579 document.
Release Note Status:
Done

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

OpenSSL should create PKCS #12 that are FIPS compliant by default: use the PBMAC1 for the PKCS #12 files MAC.

We should support reading files like this in normal mode, have ability to create them in normal mode, but probably not create them by default in normal mode.

IOW: add support for https://www.rfc-editor.org/info/rfc9579

links to

RHBA-2024:133129 OpenSSL bugfix release

Upstream issue to implement RFC 9579

Upstream PR to implement RFC 9579

Assignee:: Dmitry Belyavskiy

Reporter:: Alicja Kario

Developer:: Dmitry Belyavskiy

QA Contact:: George Pantelakis

Doc Contact:: Jan Fiala

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/05/16 1:19 PM

Updated:: 2024/10/03 4:00 PM

Target end:: 2024/08/26

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates