Re: PKCS12 APIs with fips 3.0

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 2021-01-25 17:53, Zeke Evans wrote:

Hi,

 

Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips provider.  It looks like that is because they try to load PKCS12KDF which is not implemented in the fips provider.  These were all working in 1.0.2 with the fips 2.0 module.  Will they be supported in 3.0 with fips?  If not, is there a way for applications running in fips approved mode to support the same functionality and use existing stores/files that contain PKCS12 objects?

 

This is an even larger issue: Is OpenSSL 3.x so badly designed
that the "providers" need to separately implement every standard
or non-standard combination of algorithm invocations?

In a properly abstracted design PKCS12KDF would be implemented by
invoking general EVP functions for underlying algorithms, which
would in turn invoke the provider versions of those algorithms.

The only exception would be if FIPS allowed implementing PKCS12KDF
using an otherwise unapproved algorithm such as SHA1.  In that
particular case, it would make sense to check if a provider offered
such as PKCS12KDF variant before trying (and failing) to run
provider-independent code that invokes the provider implementation
of a FIPS-unapproved algorithm.
Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux