From 54f561982d7e7c231a90598984d141ee8d90aac5 Mon Sep 17 00:00:00 2001 From: Jun Aruga Date: Mon, 19 Jan 2026 13:23:24 +0000 Subject: [PATCH 1/2] Fix test_pkcs12.rb in FIPS. * OpenSSL::PKCS12.create calling the PKCS12_create() has the argument mac_iter which uses a MAC key using PKCS12KDF which is not FIPS-approved. * OpenSSL::PKCS12.new with base64-encoded example calling PKCS12_parse() verifies the MAC key using PKCS12KDF which is not FIPS-approved. * OpenSSL::PKCS12.create with key_pbe: PBE-SHA1-3DES, cert_pbe: PBE-SHA1-3DES and mac_iter: -1 to omit the MAC key, fails by trying to fetch PKCS12KDF. https://github.com/openssl/openssl/blob/1cb0d36b39f69367d63e940976faaa2c252763b4/crypto/pkcs12/p12_key.c#L92-L94 --- Rakefile | 1 - test/openssl/test_pkcs12.rb | 9 +++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/Rakefile b/Rakefile index f73cc21b7..06a7c1917 100644 --- a/Rakefile +++ b/Rakefile @@ -28,7 +28,6 @@ Rake::TestTask.new(:test_fips_internal) do |t| t.test_files = FileList['test/**/test_*.rb'] - FileList[ 'test/openssl/test_hmac.rb', 'test/openssl/test_kdf.rb', - 'test/openssl/test_pkcs12.rb', 'test/openssl/test_ts.rb', ] t.warning = true diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb index 1b5328774..cb4f4d35a 100644 --- a/test/openssl/test_pkcs12.rb +++ b/test/openssl/test_pkcs12.rb @@ -3,6 +3,15 @@ if defined?(OpenSSL) +# OpenSSL::PKCS12.create calling the PKCS12_create() has the argument mac_iter +# which uses a MAC key using PKCS12KDF which is not FIPS-approved. +# OpenSSL::PKCS12.new with base64-encoded example calling PKCS12_parse() +# verifies the MAC key using PKCS12KDF which is not FIPS-approved. +# OpenSSL::PKCS12.create with key_pbe: PBE-SHA1-3DES, cert_pbe: PBE-SHA1-3DES +# and mac_iter: -1 to omit the MAC key, fails by trying to fetch PKCS12KDF. +# https://github.com/openssl/openssl/blob/1cb0d36b39f69367d63e940976faaa2c252763b4/crypto/pkcs12/p12_key.c#L92-L94 +return if OpenSSL.fips_mode + module OpenSSL class TestPKCS12 < OpenSSL::TestCase DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES" From 342049e8e34c209786fdedca00ca936186c7f77e Mon Sep 17 00:00:00 2001 From: Jun Aruga Date: Tue, 27 Jan 2026 19:01:27 +0000 Subject: [PATCH 2/2] Update the steps to generate the base64-based examples. * More precisely * Updating the rsa-1.pem file path. --- test/openssl/test_pkcs12.rb | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb index cb4f4d35a..4ea2aa4b4 100644 --- a/test/openssl/test_pkcs12.rb +++ b/test/openssl/test_pkcs12.rb @@ -219,8 +219,13 @@ def test_create_with_keytype end def test_new_with_no_keys - # generated with: - # openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export + # Generated with the following steps: + # Print the value of the @mycert such as by `puts @mycert.to_s` and + # save the value as the file `mycert.pem`. + # Run the following commands: + # openssl pkcs12 -certpbe PBE-SHA1-3DES -in <(cat mycert.pem) \ + # -nokeys -export -passout pass:abc123 -out /tmp/p12.out + # base64 -w 60 /tmp/p12.out str = <<~EOF.unpack1("m") MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3 DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw @@ -268,8 +273,10 @@ def test_new_with_no_keys end def test_new_with_no_certs - # generated with: - # openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export + # Generated with the folowing steps: + # openssl pkcs12 -inkey test/openssl/fixtures/pkey/rsa-1.pem \ + # -nocerts -export -passout pass:abc123 -out /tmp/p12.out + # base64 -w 60 /tmp/p12.out str = <<~EOF.unpack1("m") MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3 DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK