RHEL-39732

Create FIPS-compliant PKCS#12 when in FIPS mode

    • None
    • None
    • FutureFeature
    • 1
    • sst_security_crypto
    • ssg_security
    • 24
    • 28
    • 0.1
    • Already upstream, will be picked up in the rebase.
    • False
    • None
    • Yes
    • Crypto24Q3
      • verify that PBMAC1 is used by default by pk12util when in FIPS mode
      • verify that PBMAC1 is not used by default by pk12util when in normal mode, PBMAC1 files are still readable
      • verify that PBMAC1 files created by OpenSSL and GnuTLS are readable by pk12util, and vice versa: files created by pk12util are readable by OpenSSL and GnuTLS
    • Pass
    • Enabled
    • Automated
    • Feature
    • .NSS creates FIPS-compliant PKCS #12 in FIPS mode

      PKCS #12 uses an ad-hoc mechanism for integrity checks. Since the publication of PKCS #12 version 1.1, more rigorous methods of integrity checks have been created in PKCS #5 Version 2.0: the password-based message authentication code 1 (PBMAC1). This update adds PBMAC1 support in PKCS #12 files to Network Security Services (NSS) in accordance with the RFC 9579 document. As a result, NSS can now read any `.p12` file that uses RFC 9579 and can generate RFC-9579-compliant message authentication codes (MAC) when requested by the user. For compatibility, NSS generates old MACs by default when not in FIPS mode. For more information on generating new MACs, see the `pk12util(1)` man page on your system.
    • Done
    • None

      NSS should create PKCS #12 that are FIPS compliant by default: use the PBMAC1 for the PKCS #12 files MAC.

      We should support reading files like this in normal mode, have ability to create them in normal mode, but probably not create them by default in normal mode.

      IOW: implement RFC 9579 and use it by default in FIPS mode

              rrelyea@redhat.com Robert Relyea
              hkario@redhat.com Alicja Kario
              Robert Relyea
              Ondrej Moris
              Jan Fiala
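To check which MAC scheme a given `.p12` file carries, as the verification items above require, the following added example (not part of this issue or of NSS) reads `PFX.macData.mac.digestAlgorithm` and reports whether it is id-PBMAC1 (OID 1.2.840.113549.1.5.14, as used by RFC 9579) or a legacy digest OID. It assumes DER definite-length encoding; `mac_scheme`, `sample_pfx` and the stub structures they build are constructed for illustration and contain no real keys or MAC values.

```python
# Added example: classify the MAC scheme of a PKCS #12 (PFX) file from its DER bytes.
PBMAC1_OID = "1.2.840.113549.1.5.14"        # id-PBMAC1 from PKCS #5 v2.x

def tlv(buf, pos):                          # -> (tag, content_start, content_end)
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first & 0x7F if first & 0x80 else 0 # long form: low 7 bits count the length bytes
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    if first == 0x80 or pos + n + length > len(buf):
        raise ValueError("indefinite-length or truncated encoding")
    return tag, pos + n, pos + n + length

def children(buf, start, end):              # TLVs directly inside a constructed value
    while start < end:
        node = tlv(buf, start)
        yield node
        start = node[2]

def oid_str(raw):                           # DER OID content bytes -> dotted string
    arcs, val = [], 0
    for b in raw:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def mac_scheme(pfx):
    tag, start, end = tlv(pfx, 0)
    if tag != 0x30:
        raise ValueError("not a PFX SEQUENCE")
    fields = list(children(pfx, start, end))  # version, authSafe, optional macData
    if len(fields) < 3:
        return "none"                       # no MacData: no password-based integrity
    node = fields[2]
    for _ in range(3):                      # macData -> mac -> digestAlgorithm -> OID
        node = next(children(pfx, node[1], node[2]))
    oid = oid_str(pfx[node[1]:node[2]])
    return "PBMAC1" if oid == PBMAC1_OID else "legacy (digest OID %s)" % oid

def der(tag, *parts):                       # short-form length only: stubs stay < 128 bytes
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_pfx(mac_oid_hex=None):           # constructed stub: no keys, zeroed MAC value
    fields = [der(0x02, b"\x03"), der(0x30, der(0x06, bytes.fromhex("2a864886f70d010701")))]
    if mac_oid_hex:
        alg = der(0x30, der(0x06, bytes.fromhex(mac_oid_hex)), der(0x05))
        mac = der(0x30, alg, der(0x04, bytes(20)))
        fields.append(der(0x30, mac, der(0x04, bytes(8)), der(0x02, b"\x08\x00")))
    return der(0x30, *fields)
```

On a real file, call `mac_scheme(open(path, "rb").read())`; a file written with BER indefinite lengths raises `ValueError` and needs re-encoding to DER first.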