Yes, unfortunately PKCS12_parse currently does not support PKCS12 files without the MAC. Such support could be easily added.

As a workaround you can look at how the pkcs12 application is implemented and use these calls instead.

Regards,
Tomas Mraz, OpenSSL

On Wed, 2022-02-16 at 14:09 +0000, Florin Spatar wrote:
> Hi,
>
> I am trying to use OpenSSL 3 in FIPS mode to load a PKCS#12. First, I
> got this error:
>
> [root@q032 ~]# openssl pkcs12 -nokeys -info -in agent.p12 -passin pass:opsware_admin
> MAC: sha256, Iteration 2048
> MAC length: 32, salt length: 8
> Error verifying PKCS12 MAC; no PKCS12KDF support.
> Use -nomacver if MAC verification is not required.
>
> To my understanding, PKCS12KDF used for PKCS12 MAC is non-FIPS. On
> openssl-pkcs12 man page I found the following two options: "-nomac" &
> "-nomacver" that can be useful in FIPS mode. Used "-nomac" to
> re-create the PKCS#12, and "-nomacver" when loading the PKCS#12 to get
> rid of "Warning: MAC is absent!".
>
> The objective is to do the same thing via PKCS12_parse API. The
> problem that I'm facing is that there is no API equivalent for
> -nomacver and the following error occurs:
>
> 4087FE21197F0000:error:1180006C:PKCS12 routines:(unknown function):mac absent:crypto/pkcs12/p12_mutl.c:182:
> 4087FE21197F0000:error:11800071:PKCS12 routines:(unknown function):mac verify failure:crypto/pkcs12/p12_kiss.c:71:
>
> The error only occurs if PKCS#12 password is not empty. If password
> is empty, MAC is not verified.
> Am I missing something, or is this actually impossible to achieve?
>
> Thanks,
>
> Florin Spatar

--
Tomáš Mráz, OpenSSL
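Added example, not part of the thread and not OpenSSL code: a dependency-free C check for the condition behind the "mac absent" error above, namely whether the optional third element of the PFX structure (macData) is present, so a caller can tell before loading that a file was written with "-nomac". It assumes definite-length DER; the function name and the two sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Parse one definite-length DER header. Returns header size, 0 on error. */
static size_t der_hdr(const unsigned char *p, size_t len,
                      unsigned char *tag, size_t *vlen)
{
    size_t n = 2, k, i;
    if (len < 2) return 0;
    *tag = p[0];
    *vlen = p[1];
    if (p[1] & 0x80) {                 /* long form: next k bytes hold the length */
        k = p[1] & 0x7f;
        if (k == 0 || k > sizeof(size_t) || len < 2 + k) return 0;
        for (*vlen = 0, i = 0; i < k; i++) *vlen = (*vlen << 8) | p[2 + i];
        n = 2 + k;
    }
    return (*vlen > len - n) ? 0 : n;  /* value must fit in the buffer */
}

/* PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo,
 *                    macData MacData OPTIONAL }
 * Returns 1 if macData is present, 0 if absent, -1 if malformed or
 * not definite-length DER (assumption: BER indefinite form is rejected). */
int p12_mac_present(const unsigned char *der, size_t len)
{
    unsigned char tag;
    size_t vlen, h, rem, count = 0;
    if ((h = der_hdr(der, len, &tag, &vlen)) == 0 || tag != 0x30) return -1;
    der += h;
    for (rem = vlen; rem > 0; der += h + vlen, rem -= h + vlen) {
        if ((h = der_hdr(der, rem, &tag, &vlen)) == 0) return -1;
        /* first element is INTEGER (version), the others are SEQUENCEs */
        if (tag != (count == 0 ? 0x02 : 0x30)) return -1;
        if (++count > 3) return -1;
    }
    return count == 3 ? 1 : count == 2 ? 0 : -1;
}

/* Constructed skeletons (empty authSafe/macData bodies), not real keystores. */
static const unsigned char P12_NO_MAC[]   = {0x30,0x05, 0x02,0x01,0x03, 0x30,0x00};
static const unsigned char P12_WITH_MAC[] = {0x30,0x07, 0x02,0x01,0x03, 0x30,0x00,
                                             0x30,0x00};

int main(void)
{
    printf("no-MAC file: %d\n", p12_mac_present(P12_NO_MAC, sizeof P12_NO_MAC));
    printf("MAC file:    %d\n", p12_mac_present(P12_WITH_MAC, sizeof P12_WITH_MAC));
    return 0;
}
```

When libcrypto is linked, PKCS12_mac_present() answers the same question on an already parsed PKCS12 object.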