Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Dr Paul Dale
ing forward that would allow reading and writing to a key store while only using the fips provider? Thanks, Zeke Evans Micro Focus -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 AP

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
If that is a hypothetical context, what context is the official design goal of the OpenSSL Foundation for their validation effort? On 2021-01-28 11:26, Tomas Mraz wrote: This is a purely hypothetical context. Besides, as I said below - the PKCS12KDF should not be used with modern PKCS12 files.

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Tomas Mraz
This is a purely hypothetical context. Besides, as I said below - the PKCS12KDF should not be used with modern PKCS12 files. Because it can be used only with obsolete encryption algorithms anyway - the best one being 3DES for the encryption and SHA1 for the KDF. Tomas On Thu, 2021-01-28 at 11:08
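For readers who have not seen what "PKCS12KDF" actually is, the following is an added example (my own code, not from this thread or from OpenSSL) implementing the PKCS#12 key-derivation function of RFC 7292, Appendix B.2, with only the standard library. It derives the 3DES key and IV for pbeWithSHAAnd3-KeyTripleDES-CBC, the strongest of the legacy PBE schemes that use this KDF, which is why the digest is hard-wired to SHA-1 in practice: the hash is chosen by the PBE algorithm identifier in the file, not by the caller. The check values are the published PKCS#12 v1.0 test vectors for password "smeg" and salt 0A58CF64530D823F; the function and constant names are mine.

```python
"""PKCS#12 KDF (RFC 7292, Appendix B.2) -- added reference implementation.

Not code from the thread or from OpenSSL.  Uses only hashlib so it runs
stand-alone; the vectors in __main__ are the PKCS#12 v1.0 "smeg" test vectors.
"""
import hashlib

ID_KEY, ID_IV, ID_MAC = 1, 2, 3   # the "ID" diversifier byte selects key, IV or MAC material


def bmp_string(password: str) -> bytes:
    """PKCS#12 passwords are BMPStrings: UTF-16BE plus a two-byte NUL terminator."""
    return password.encode("utf-16-be") + b"\x00\x00"


def _fill(data: bytes, v: int) -> bytes:
    """Repeat data to the smallest multiple of v bytes that covers it (steps 3 and 4)."""
    if not data:
        return b""
    length = v * ((len(data) + v - 1) // v)
    return (data * (length // len(data) + 1))[:length]


def pkcs12_kdf(password: bytes, salt: bytes, id_byte: int, iterations: int,
               n: int, hash_name: str = "sha1") -> bytes:
    """Derive n bytes of key/IV/MAC material with the RFC 7292 B.2 algorithm.

    hash_name is any hashlib name; the legacy PBEs that use this KDF only
    ever specify SHA-1, which is the point made in the message above.
    """
    probe = hashlib.new(hash_name)
    u, v = probe.digest_size, probe.block_size          # step 1: u = hash length, v = block size
    D = bytes([id_byte]) * v                             # step 2: diversifier string
    I = bytearray(_fill(salt, v) + _fill(password, v))   # steps 3-4: I = S || P
    c = (n + u - 1) // u                                 # step 5: hash outputs needed
    out = b""
    for _ in range(c):
        A = D + bytes(I)
        for _ in range(iterations):                      # 6a: A_i = H^r(D || I)
            A = hashlib.new(hash_name, A).digest()
        out += A
        # 6b/6c: B = A_i repeated to v bytes; every v-byte block I_j becomes
        # (I_j + B + 1) mod 2^(8v).  Fixed-width arithmetic avoids the
        # leading-zero bug several real implementations have had here.
        b_plus_1 = int.from_bytes((A * (v // u + 1))[:v], "big") + 1
        for j in range(0, len(I), v):
            block = (int.from_bytes(I[j:j + v], "big") + b_plus_1) % (1 << (8 * v))
            I[j:j + v] = block.to_bytes(v, "big")
    return out[:n]


def legacy_3des_sha1_key_iv(password: str, salt: bytes, iterations: int):
    """Key (24 bytes) and IV (8 bytes) for pbeWithSHAAnd3-KeyTripleDES-CBC."""
    pw = bmp_string(password)
    return (pkcs12_kdf(pw, salt, ID_KEY, iterations, 24),
            pkcs12_kdf(pw, salt, ID_IV, iterations, 8))


if __name__ == "__main__":
    key, iv = legacy_3des_sha1_key_iv("smeg", bytes.fromhex("0A58CF64530D823F"), 1)
    print("3DES key:", key.hex())
    print("IV:      ", iv.hex())
```

The MAC key of a PKCS#12 file is derived the same way with ID 3 and n equal to the digest length, so even a file whose key bags are protected with PBES2/PBKDF2 still needs this KDF to verify its integrity MAC; that is the part of the format a FIPS-only configuration cannot avoid.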

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
forward that would allow reading and writing to a key store while only using the fips provider? Thanks, Zeke Evans Micro Focus -----Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Tomas Mraz
allow > > > > > PKCS12KDF in the default provider as well as the crypto > > > > > methods > > > > > in > > > > > the fips provider? I have tried "provider=default,fips=yes" > > > > > but > > > >

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
--Original Message----- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs with fips 3.0 I'm not even sure that NIST can validate the PKCS#12 KDF. If it can't be validated, it doesn't belong in

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Matt Caswell
onable workaround for >>> reading in PKCS12 files in order to maintain backwards >>> compatibility. Is there a recommended method going forward that >>> would allow reading and writing to a key store while only using the >>> fips provider? >>> >>> Tha

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Tomas Mraz
able workaround > > > for > > > reading in PKCS12 files in order to maintain backwards > > > compatibility. Is there a recommended method going forward that > > > would allow reading and writing to a key store while only using > > > the > > >

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
ider? Thanks, Zeke Evans Micro Focus -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs with fips 3.0 I'm not even sure that NIST can validate the PKCS#12 KDF. If it can

RE: PKCS12 APIs with fips 3.0

2021-01-27 Thread Zeke Evans
That works. Thanks! -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 6:01 PM You could set the default property query to "?fips=yes". This will prefer FIPS algorithms over any others but will not prevent other algorithms from being fet
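The configuration below is an added example (not from the thread) of how the "?fips=yes" default property query described in the reply above is expressed in an OpenSSL 3.0 configuration file: both the fips and default providers are activated, so FIPS implementations are preferred for every fetch, while PKCS12KDF, which only the default provider offers, can still be fetched for the PKCS12 calls. The fipsmodule.cnf path is a placeholder; that file is produced by `openssl fipsinstall` and must be generated on the target machine.

```ini
# Added example, not part of the thread.  OpenSSL 3.0 configuration that
# prefers FIPS algorithms without forbidding non-FIPS ones.
config_diagnostics = 1
openssl_conf = openssl_init

# Placeholder path: the file is generated by `openssl fipsinstall` and
# defines the [fips_sect] section referenced below.
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
default = default_sect

[default_sect]
activate = 1

[algorithm_sect]
# "?fips=yes" prefers implementations with fips=yes but still allows a
# fetch to fall back to the default provider (e.g. for PKCS12KDF).
# "fips=yes" (no "?") would make PKCS12_parse/PKCS12_create fail again.
default_properties = ?fips=yes
```

The same query can be set per process with EVP_set_default_properties(NULL, "?fips=yes") or per command with the `-propquery '?fips=yes'` option of the OpenSSL 3.0 command-line tools. The caveat stated in the reply above holds either way: the query only prefers FIPS implementations, so the PKCS12KDF used for the file's key bags and integrity MAC still comes from the default provider and is not covered by the FIPS module's validation.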

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Dr Paul Dale
going forward that would allow reading and writing to a key store while only using the fips provider? Thanks, Zeke Evans Micro Focus -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re

RE: PKCS12 APIs with fips 3.0

2021-01-26 Thread Zeke Evans
uesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs with fips 3.0 I'm not even sure that NIST can validate the PKCS#12 KDF. If it can't be validated, it doesn't belong in the FIPS provider. Pauli On 26/1/21 10:48 pm, Tomas Mraz wrote: > On Tue

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Dr Paul Dale
I'm not even sure that NIST can validate the PKCS#12 KDF. If it can't be validated, it doesn't belong in the FIPS provider. Pauli On 26/1/21 10:48 pm, Tomas Mraz wrote: On Tue, 2021-01-26 at 11:45 +, Matt Caswell wrote: On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote: On 2021-01

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Tomas Mraz
On Tue, 2021-01-26 at 11:45 +, Matt Caswell wrote: > > On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote: > > On 2021-01-25 17:53, Zeke Evans wrote: > > > Hi, > > > > > > > > > > > > Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, > > > PKCS12_verify_mac) do not work in Ope

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Matt Caswell
On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote: > On 2021-01-25 17:53, Zeke Evans wrote: >> >> Hi, >> >> >> >> Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, >> PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips >> provider. It looks like that is because the

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Jakob Bohm via openssl-users
On 2021-01-25 17:53, Zeke Evans wrote: Hi, Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips provider. It looks like that is because they try to load PKCS12KDF which is not implemented in the fips provider. These wer

PKCS12 APIs with fips 3.0

2021-01-25 Thread Zeke Evans
Hi, Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips provider. It looks like that is because they try to load PKCS12KDF which is not implemented in the fips provider. These were all working in 1.0.2 with the fips 2.0 m