Hi,

I am trying to use OpenSSL 3 in FIPS mode to load a PKCS#12. First, I got this 
error:

    [root@q032 ~]# openssl pkcs12 -nokeys -info -in agent.p12 -passin pass:opsware_admin
    MAC: sha256, Iteration 2048
    MAC length: 32, salt length: 8
    Error verifying PKCS12 MAC; no PKCS12KDF support.
    Use -nomacver if MAC verification is not required.

To my understanding, the PKCS12KDF used for the PKCS12 MAC is non-FIPS. On the 
openssl-pkcs12 man page I found the following two options: "-nomac" & 
"-nomacver", which can be useful in FIPS mode. I used "-nomac" to re-create the 
PKCS#12, and "-nomacver" when loading the PKCS#12 to get rid of "Warning: MAC 
is absent!".

The objective is to do the same thing via the PKCS12_parse API. The problem that 
I'm facing is that there is no API equivalent for -nomacver, and the following 
error occurs:

    4087FE21197F0000:error:1180006C:PKCS12 routines:(unknown function):mac absent:crypto/pkcs12/p12_mutl.c:182:
    4087FE21197F0000:error:11800071:PKCS12 routines:(unknown function):mac verify failure:crypto/pkcs12/p12_kiss.c:71:

The error only occurs if the PKCS#12 password is not empty. If the password is 
empty, the MAC is not verified.
Am I missing something, or is this actually impossible to achieve?

Thanks,

Florin Spatar
