Re: Unable to load PKCS#12 with password and no MAC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Yes, unfortunately PKCS12_parse currently does not support PKCS12 files
without the MAC. Such support could be easily added. As a workaround
you can look at how the pkcs12 application is implemented and use these
calls instead.

Regards,

Tomas Mraz, OpenSSL

On Wed, 2022-02-16 at 14:09 +0000, Florin Spatar wrote:
> Hi, 
> 
> I am trying to use OpenSSL 3 in FIPS mode to load a PKCS#12. First, I
> got this error:
> 
>     [root@q032 ~]# openssl pkcs12 -nokeys -info -in agent.p12 -passin
> pass:opsware_admin
>     MAC: sha256, Iteration 2048 
>     MAC length: 32, salt length: 8 
>     Error verifying PKCS12 MAC; no PKCS12KDF support. 
>     Use -nomacver if MAC verification is not required. 
> 
> To my understanding, PKCS12KDF used for PKCS12 MAC is non-FIPS. On
> openssl-pkcs12 man page I found the following two options: "-nomac" &
> "-nomacver" that can be useful in FIPS mode. Used "-nomac" to re-
> create the PKCS#12, and "-nomacver" when loading the PKCS#12 to get
> rid of "Warning: MAC is absent!". 
> 
> The objective is to do the same thing via PKCS12_parse API. The
> problem that I'm facing is that there is no API equivalent for -
> nomacver and the following error occurs:
> 
>     4087FE21197F0000:error:1180006C:PKCS12 routines:(unknown
> function):mac absent:crypto/pkcs12/p12_mutl.c:182:
>     4087FE21197F0000:error:11800071:PKCS12 routines:(unknown
> function):mac verify failure:crypto/pkcs12/p12_kiss.c:71:
> 
> The error only occurs if PKCS#12 password is not empty. If password
> is empty, MAC is not verified.
> Am I missing something, or this is actually impossible to achieve? 
> 
> Thanks, 
> 
> Florin Spatar

-- 
Tomáš Mráz, OpenSSL





[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux