Rakefile

-Original file line number
+Diff line change
@@ Expand Up / @@ -28,7 +28,6 @@ Rake::TestTask.new(:test_fips_internal) do |t| @@
       t.test_files = FileList['test/**/test_*.rb'] - FileList[
         'test/openssl/test_hmac.rb',
         'test/openssl/test_kdf.rb',
-        'test/openssl/test_pkcs12.rb',
         'test/openssl/test_ts.rb',
       ]
       t.warning = true
@@ Expand Down @@

test/openssl/test_pkcs12.rb

-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,29 @@ @@
     if defined?(OpenSSL)
+    # OpenSSL::PKCS12.create calling the PKCS12_create() has the argument mac_iter
+    # which uses a MAC key using PKCS12KDF which is not FIPS-approved.
+    # OpenSSL::PKCS12.new with base64-encoded example calling PKCS12_parse()
+    # verifies the MAC key using PKCS12KDF which is not FIPS-approved.
+    #
+    # PBE-SHA1-3DES uses PKCS12KDF which is not FIPS-approved according to the RFC
+    # 7292 PKCS#12.
+    # https://datatracker.ietf.org/doc/html/rfc7292#appendix-C
+    # > The PBES1 encryption scheme defined in PKCS #5 provides a number of
+    # > algorithm identifiers for deriving keys and IVs; here, we specify a
+    # > few more, all of which use the procedure detailed in Appendices B.2
+    # > and B.3 to construct keys (and IVs, where needed).  As is implied by
+    # > their names, all of the object identifiers below use the hash
+    # > function SHA-1.
+    # > ...
+    # > pbeWithSHAAnd3-KeyTripleDES-CBC  OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3}
+    #
+    # Note that the pbeWithSHAAnd3-KeyTripleDES-CBC (pkcs12-pbeids 3) in the RFC
+    # 7292 PKCS#12 means PBE-SHA1-3DES in OpenSSL. PKCS12KDF is used in PKCS#12.
+    # https://oidref.com/1.2.840.113549.1.12.1.3
+    # https://github.com/openssl/openssl/blob/ed57d1e06dca28689190e00d9893e0fd7ecc67c1/crypto/objects/objects.txt#L385
+    return if OpenSSL.fips_mode
     module OpenSSL
       class TestPKCS12 < OpenSSL::TestCase
         DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES"
@@ Expand Down Expand Up / @@ -210,8 +233,13 @@ def test_create_with_keytype @@
         end
         def test_new_with_no_keys
-          # generated with:
-          #   openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export
+          # Generated with the following steps:
+          #   Print the value of the @mycert such as by `puts @mycert.to_s` and
+          #   save the value as the file `mycert.pem`.
+          #   Run the following commands:
+          #   openssl pkcs12 -certpbe PBE-SHA1-3DES -in <(cat mycert.pem) \
+          #     -nokeys -export -passout pass:abc123 -out /tmp/p12.out
+          #   base64 -w 60 /tmp/p12.out
           str = <<~EOF.unpack1("m")
     MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3
     DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw
@@ Expand Down Expand Up / @@ -259,8 +287,10 @@ def test_new_with_no_keys @@
         end
         def test_new_with_no_certs
-          # generated with:
-          #   openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export
+          # Generated with the folowing steps:
+          #   openssl pkcs12 -inkey test/openssl/fixtures/pkey/rsa-1.pem \
+          #     -nocerts -export -passout pass:abc123 -out /tmp/p12.out
+          #   base64 -w 60 /tmp/p12.out
           str = <<~EOF.unpack1("m")
     MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3
     DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK
@@ Expand Down @@

Fix test_pkcs12.rb in FIPS. #997

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

junaruga wants to merge 2 commits into ruby:master from junaruga:wip/fips-test-pkcs12

+34 −5

-Original file line number
+Diff line change
@@ Expand Up / @@ -28,7 +28,6 @@ Rake::TestTask.new(:test_fips_internal) do |t| @@
       t.test_files = FileList['test/**/test_*.rb'] - FileList[
         'test/openssl/test_hmac.rb',
         'test/openssl/test_kdf.rb',
-        'test/openssl/test_pkcs12.rb',
         'test/openssl/test_ts.rb',
       ]
       t.warning = true
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,29 @@ @@
     if defined?(OpenSSL)
+    # OpenSSL::PKCS12.create calling the PKCS12_create() has the argument mac_iter
+    # which uses a MAC key using PKCS12KDF which is not FIPS-approved.
+    # OpenSSL::PKCS12.new with base64-encoded example calling PKCS12_parse()
+    # verifies the MAC key using PKCS12KDF which is not FIPS-approved.
+    #
+    # PBE-SHA1-3DES uses PKCS12KDF which is not FIPS-approved according to the RFC
+    # 7292 PKCS#12.
+    # https://datatracker.ietf.org/doc/html/rfc7292#appendix-C
+    # > The PBES1 encryption scheme defined in PKCS #5 provides a number of
+    # > algorithm identifiers for deriving keys and IVs; here, we specify a
+    # > few more, all of which use the procedure detailed in Appendices B.2
+    # > and B.3 to construct keys (and IVs, where needed).  As is implied by
+    # > their names, all of the object identifiers below use the hash
+    # > function SHA-1.
+    # > ...
+    # > pbeWithSHAAnd3-KeyTripleDES-CBC  OBJECT IDENTIFIER ::= {pkcs-12PbeIds 3}
+    #
+    # Note that the pbeWithSHAAnd3-KeyTripleDES-CBC (pkcs12-pbeids 3) in the RFC
+    # 7292 PKCS#12 means PBE-SHA1-3DES in OpenSSL. PKCS12KDF is used in PKCS#12.
+    # https://oidref.com/1.2.840.113549.1.12.1.3
+    # https://github.com/openssl/openssl/blob/ed57d1e06dca28689190e00d9893e0fd7ecc67c1/crypto/objects/objects.txt#L385
+    return if OpenSSL.fips_mode
     module OpenSSL
       class TestPKCS12 < OpenSSL::TestCase
         DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES"
@@ Expand Down Expand Up / @@ -210,8 +233,13 @@ def test_create_with_keytype @@
         end
         def test_new_with_no_keys
-          # generated with:
-          #   openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export
+          # Generated with the following steps:
+          #   Print the value of the @mycert such as by `puts @mycert.to_s` and
+          #   save the value as the file `mycert.pem`.
+          #   Run the following commands:
+          #   openssl pkcs12 -certpbe PBE-SHA1-3DES -in <(cat mycert.pem) \
+          #     -nokeys -export -passout pass:abc123 -out /tmp/p12.out
+          #   base64 -w 60 /tmp/p12.out
           str = <<~EOF.unpack1("m")
     MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3
     DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw
@@ Expand Down Expand Up / @@ -259,8 +287,10 @@ def test_new_with_no_keys @@
         end
         def test_new_with_no_certs
-          # generated with:
-          #   openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export
+          # Generated with the folowing steps:
+          #   openssl pkcs12 -inkey test/openssl/fixtures/pkey/rsa-1.pem \
+          #     -nocerts -export -passout pass:abc123 -out /tmp/p12.out
+          #   base64 -w 60 /tmp/p12.out
           str = <<~EOF.unpack1("m")
     MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3
     DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix test_pkcs12.rb in FIPS. #997

Diff view

Diff view

There are no files selected for viewing

Fix test_pkcs12.rb in FIPS. #997

Are you sure you want to change the base?

Fix test_pkcs12.rb in FIPS. #997

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing