pkcs12 command with FIPS is not working in OpenSSL 3.2.0 (even with -nomacver) #23812
-
I have a pfx file generated (in FIPS mode by setting OPENSSL_FIPS=1) with openssl 1.0.2zi. This I am able to parse/import/load the keys and certs from using openssl 1.0.2 (in FIPS mode). But the same pfx file I am not able to parse/import/load with OpenSSL 3.2.0 (with the fips provider). This is breaking my backward compatibility unless I use the legacy provider. Please note that
Replies: 3 comments
-
I would be very surprised if this had worked.
1.0.2 is very old now, and PKCS12 has many non-FIPS-compliant algorithms.
3.x is much stricter and uses more recent FIPS 140-2 rules.
From the error message you can see that it uses "PKCS12KDF", which is not a FIPS-compliant algorithm.
(If the old format is PBES then this just won't work.)
You may have to export without FIPS so that you can save the key out in an acceptable format that will be able to be loaded.
-
Let me rephrase my question.
-
This all works as designed. The PKCS12 decoder is outside of the FIPS module boundary. There is no FIPS compliance verification performed by the PKCS12 decoder and it never was (even in the 1.0.2 version). To decode PKCS12 files with verification of the integrity with a MAC you need the PKCS12KDF algorithm, which is not FIPS approved.