From 24b8de6a1833b32ce3a3a92e81cf54ee787f854a Mon Sep 17 00:00:00 2001 From: Jun Aruga Date: Mon, 19 Jan 2026 13:23:24 +0000 Subject: [PATCH] Fix test_pkcs12.rb in FIPS. * Use the `AES-256-CBC` using `PBKDF2` which is FIPS-approved, instead of the `PBE-SHA1-3DES` using `PKCS12KDF` which is not FIPS-approved. See also the man page openssl-pkcs12(1). * `OpenSSL::PKCS12.create` calling the `PKCS12_create` has the argument `mac_iter` which uses a MAC key using `PKCS12KDF` which is not FIPS-approved. In the FIPS case, set the `mac_iter = -1` to omit the MAC key. See also the man page PKCS12_create(3). * As the test data `OpenSSL::PKCS12.new` calling `PKCS12_parse` verifies the MAC using `PKCS12KDF` which is not FIPS-approved, I created the test data without MAC by the `openssl pkcs12 -nomac`. --- Rakefile | 1 - test/openssl/test_pkcs12.rb | 177 ++++++++++++++++++++++++++++++++---- 2 files changed, 161 insertions(+), 17 deletions(-) diff --git a/Rakefile b/Rakefile index f73cc21b7..06a7c1917 100644 --- a/Rakefile +++ b/Rakefile @@ -28,7 +28,6 @@ Rake::TestTask.new(:test_fips_internal) do |t| t.test_files = FileList['test/**/test_*.rb'] - FileList[ 'test/openssl/test_hmac.rb', 'test/openssl/test_kdf.rb', - 'test/openssl/test_pkcs12.rb', 'test/openssl/test_ts.rb', ] t.warning = true diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb index 1b5328774..31d559c41 100644 --- a/test/openssl/test_pkcs12.rb +++ b/test/openssl/test_pkcs12.rb @@ -5,8 +5,8 @@ module OpenSSL class TestPKCS12 < OpenSSL::TestCase - DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES" - DEFAULT_PBE_CERTS = "PBE-SHA1-3DES" + DEFAULT_PBE_PKEYS = "AES-256-CBC" + DEFAULT_PBE_CERTS = "AES-256-CBC" def setup super 
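Review bot: `DEFAULT_PBE_PKEYS` and `DEFAULT_PBE_CERTS` now hold a cipher name rather than a PBE algorithm name, and nothing next to the constants says why. The rationale lives only in the commit message, so I would put it above them, for example `# AES-256-CBC is used with a PBKDF2-derived key (FIPS-approved); PBE-SHA1-3DES derives its key with PKCS12KDF, which is not.` Because the create tests in this file all pass these constants, non-FIPS runs also stop exercising PBE-SHA1-3DES on the create path; if that is intended, the same comment is a good place to say so.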
@@ -34,6 +34,12 @@ def setup end def test_create_single_key_single_cert + # OpenSSL::PKCS12.create calling the PKCS12_create() has the argument + # mac_iter which uses a MAC key using PKCS12KDF which is not + # FIPS-approved. In the FIPS case, set the `mac_iter = -1` to omit the MAC + # key. See also the man page PKCS12_create(3). + mac_iter = OpenSSL.fips_mode ? -1 : nil + pkcs12 = OpenSSL::PKCS12.create( "omg", "hello", @@ -42,11 +48,19 @@ def test_create_single_key_single_cert nil, DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, + nil, + mac_iter, ) assert_equal @mycert, pkcs12.certificate assert_equal @mykey.to_der, pkcs12.key.to_der assert_nil pkcs12.ca_certs + # As OpenSSL::PKCS12.new calling PKCS12_parse() doesn't support MAC-less + # PKCS12 on OpenSSL 3.1 or earlier versions, we cannot set the + # mac_iter = -1 on the versions in FIPS. + # https://github.com/openssl/openssl/commit/cfd24cde81aa5f63dba41ddcde0fa3c5d64e1db0 + omit_on_fips unless openssl?(3, 2, 0) && OpenSSL.fips_mode + der = pkcs12.to_der decoded = OpenSSL::PKCS12.new(der, "omg") assert_equal @mykey.to_der, decoded.key.to_der @@ -55,6 +69,8 @@ def test_create_single_key_single_cert end def test_create_no_pass + mac_iter = OpenSSL.fips_mode ? -1 : nil + pkcs12 = OpenSSL::PKCS12.create( nil, "hello", @@ -63,6 +79,8 @@ def test_create_no_pass nil, DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, + nil, + mac_iter, ) assert_equal @mycert, pkcs12.certificate assert_equal @mykey.to_der, pkcs12.key.to_der @@ -74,6 +92,7 @@ def test_create_no_pass def test_create_with_chain chain = [@inter_cacert, @cacert] + mac_iter = OpenSSL.fips_mode ? -1 : nil pkcs12 = OpenSSL::PKCS12.create( "omg", 
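Review bot: The new comment in test_create_single_key_single_cert explains why `mac_iter = -1` is needed under FIPS but not what it costs: without the MAC the resulting PKCS#12 carries no integrity check on its contents. I would add a line such as `# NOTE: a MAC-less PKCS#12 has no integrity protection; this is only to keep the test runnable in FIPS mode.` so the pattern is not copied into non-test code. The ternary `mac_iter = OpenSSL.fips_mode ? -1 : nil` is then repeated in test_create_no_pass, test_create_with_chain, test_create_with_chain_decode, test_create_with_itr, test_create_with_keytype and test_dup; assigning it once in `setup` (`@mac_iter = OpenSSL.fips_mode ? -1 : nil`) or in a small private helper would keep the explanation in one place. The test body continues outside this hunk.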
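Review bot: In `omit_on_fips unless openssl?(3, 2, 0) && OpenSSL.fips_mode` (test_create_single_key_single_cert) the `&& OpenSSL.fips_mode` part looks redundant and makes the guard hard to read. Assuming `omit_on_fips` does nothing outside FIPS mode, as its name suggests (the helper is not shown here), the line behaves the same as `omit_on_fips unless openssl?(3, 2, 0)`. The comment above it says mac_iter = -1 cannot be set on older versions, although `create` has already run with -1 by that point; what is skipped is the `OpenSSL::PKCS12.new` round trip, so `# PKCS12_parse() does not support MAC-less input before OpenSSL 3.2, so skip the decode step in FIPS there.` would be more accurate. The same guard appears in test_create_with_chain_decode, test_new_with_no_keys and test_new_with_no_certs.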
@@ -83,14 +102,16 @@ def test_create_with_chain chain, DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, + nil, + mac_iter, ) assert_equal chain, pkcs12.ca_certs end def test_create_with_chain_decode - chain = [@cacert, @inter_cacert] - passwd = "omg" + chain = [@cacert, @inter_cacert] + mac_iter = OpenSSL.fips_mode ? -1 : nil pkcs12 = OpenSSL::PKCS12.create( passwd, @@ -100,8 +121,12 @@ def test_create_with_chain_decode chain, DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, + nil, + mac_iter, ) + omit_on_fips unless openssl?(3, 2, 0) && OpenSSL.fips_mode + decoded = OpenSSL::PKCS12.new(pkcs12.to_der, passwd) assert_equal chain.size, decoded.ca_certs.size assert_include decoded.ca_certs, @cacert @@ -124,6 +149,8 @@ def test_create_with_bad_nid end def test_create_with_itr + mac_iter = OpenSSL.fips_mode ? -1 : nil + OpenSSL::PKCS12.create( "omg", "hello", @@ -132,7 +159,8 @@ def test_create_with_itr [], DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, - 2048 + 2048, + mac_iter, ) assert_raise(TypeError) do @@ -150,6 +178,8 @@ def test_create_with_itr end def test_create_with_mac_itr + mac_iter = OpenSSL.fips_mode ? -1 : 2048 + OpenSSL::PKCS12.create( "omg", "hello", @@ -159,7 +189,7 @@ def test_create_with_mac_itr DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, nil, - 2048 + mac_iter, ) assert_raise(TypeError) do @@ -180,6 +210,8 @@ def test_create_with_mac_itr def test_create_with_keytype omit "AWS-LC does not support KEY_SIG and KEY_EX" if aws_lc? + mac_iter = OpenSSL.fips_mode ? -1 : nil + OpenSSL::PKCS12.create( "omg", "hello", @@ -189,7 +221,7 @@ def test_create_with_keytype DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, nil, - nil, + mac_iter, OpenSSL::PKCS12::KEY_SIG ) 
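Review bot: With `mac_iter = OpenSSL.fips_mode ? -1 : 2048` in test_create_with_mac_itr, a FIPS run no longer passes any MAC iteration count, so the positive half of the test checks nothing that matches its name. The last hunk of this patch handles the comparable case in test_set_mac_pkcs12kdf with a plain `omit_on_fips`. Here I would guard only the first `create` call with `unless OpenSSL.fips_mode`, so the `assert_raise(TypeError)` part still runs, and add a comment saying why. The test body continues outside the hunks shown.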
@@ -203,16 +235,60 @@ def test_create_with_keytype DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, nil, - nil, + mac_iter, 2048 ) end end def test_new_with_no_keys - # generated with: - # openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export - str = <<~EOF.unpack1("m") + # As OpenSSL::PKCS12.new calling PKCS12_parse() doesn't support MAC-less + # PKCS12 on OpenSSL 3.1 or earlier versions. + omit_on_fips unless openssl?(3, 2, 0) && OpenSSL.fips_mode + + # PKCS12_parse supports MAC-less PKCS12 on OpenSSL 3.2.0 or later + # versions. + # https://github.com/openssl/openssl/commit/cfd24cde81aa5f63dba41ddcde0fa3c5d64e1db0 + str = if openssl?(3, 2, 0) + # Generated with the following steps: + # Print the value of the @mycert such as by `puts @mycert.to_s` and + # save the value as the file `mycert.pem`. + # Run the following commands: + # openssl pkcs12 -certpbe AES-256-CBC -in <(cat mycert.pem) \ + # -nokeys -export -passout pass:abc123 -nomac -out /tmp/p12.out + # base64 /tmp/p12.out + <<~EOF.unpack1("m") +MIIFtwIBAzCCBbAGCSqGSIb3DQEHAaCCBaEEggWdMIIFmTCCBZUGCSqGSIb3DQEHAaCCBYYEggWC +MIIFfjCCBXoGCyqGSIb3DQEMCgEDoIIFaTCCBWUGCiqGSIb3DQEJFgGgggVVBIIFUTCCBU0wggM1 +oAMCAQICAQMwDQYJKoZIhvcNAQELBQAwSjETMBEGCgmSJomT8ixkARkWA29yZzEZMBcGCgmSJomT +8ixkARkWCXJ1YnktbGFuZzEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMB4XDTI2MDExNjE1MjM0 +M1oXDTI2MDExNjE3MjM0M1owVzETMBEGCgmSJomT8ixkARkWA29yZzEZMBcGCgmSJomT8ixkARkW +CXJ1YnktbGFuZzElMCMGA1UEAwwcUnVieSBQS0NTMTIgVGVzdCBDZXJ0aWZpY2F0ZTCCAiIwDQYJ +KoZIhvcNAQEBBQADggIPADCCAgoCggIBAM5/mAnDoewSEc62+0xLoUCw+eOfvxcf8wmDt5fsv/KI +FMTE4CxuR63F5V9yT+/eonvdPxhyH/P5cHM1YT9Y5P5HmI5MKE2A7eO+0eykXCT8hqh0a6i6ewJ2 +cbc9ySzW6E4Dt2wGM5b7bEilP0d6HoQWxh8xFgj9lBGI/ypMtM6XI5IWVI4hK6/QET6vPnThqgX/ +ghNjSymAtW7vIWXvQHXb7zdkr3zDeroSbRBmTtZPLUnMHwMrzydT6P+s9PKczAIHwVAhPecGgFXm +CViDpZzQeHhInr85V3TwfbxLfDjsLVn0F1fMcjLKCngFtObONdxNHk2MdWrpRV3VsBtplhAUbTcy +hdYgbnZYNWt8dc04VotaWI1ub0Tr6FmTAm5fW2EPy8Tglag6FJfOvjTxBnrhEjM5uTbzkANntE8u 
+cKYZ7fTNfVnHPJ3gYW+oghqmM8Vjb1GF2VlL9fvzKzxysibr+zEor8LXLX6fEmnFBsZHek/rulep +7R396rTf+aQJp4up81E4IwuuTEtCxIYv0U88Gn5CH4n3iR+/y6hbY67q7LsLmvqfZZAAnJPyeU6c +2gHy66BULnqT/KoHqtXKQ+SIoueiCfhT0p5L3rB7kVJmSJIbUVVbFajGjT7/1M3NNmzmkV1j+Grl +GPdZgysfxQ5jkWvWAg0MTJCpHtOUlkPdAgMBAAGjMTAvMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4E +FgQUUH4eOytXrB3BkxjTQJ3zuodTdhIwDQYJKoZIhvcNAQELBQADggIBALpPM+lVUmvAEQ/pho0W +/caBx32XhHNHR8XyoDYbKTaUyFKBNlB6PVXys3zpFK/PD/BEJXlvHmytSeqgaTFIku8RFzPYtL63 +HlHyVRBQSEo/jftPd6ETMy3StCALZfbRIaQAn5WpUBAGkD+XaMdk190rajV9RM+R2DXiyxIg9lSe +mq97UkhUJivGpwik6u5l5/3QtsqiDR3P8xIFejkzONj1Q2cRx12SlRN3S6+vuCxbHPw+X/olk67M +t2f8zb2vKk6hmxwiTGw1/ac98w31MhuqUG0ZQCL2xMuKxwm3dNLMwiavt7PQ6o27NEAmyAq5wUgv +4+fhnuId6bkeP2vwXWHNFEELTPgl2NNBrbpGzOg1OVMROa/AFSt8XKNZkdnHXhKZFICbntUlUx3m +MVkKCtXPy2e182VdJ1NLiLgPHBGNNd7rVpM1HzGeoE/24vfG7ZcN2i2Pij7Hv7Lq5H0dRcXsOvb9 +wkP9GQE9874Ub3l6de+V1tbw13kWCTCSNg6gt/yhBr11Dp0BGAyHkzVGbURzFO2VybQ/8vA5lGMf +dxqNRQAPJd6KNya+UOFpYF6HUWtQjwJntoNxN3M3cC5Qf0KUTepLrIxSf5RxTqTDm7EBfUPvqFu4 +xAClO3mYQDekE7DC9NaF8UFlaiocR8LtKQvE5o4UwKUM5tcxBpsPhUPd + EOF + else + # Generated with: + # openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export + <<~EOF.unpack1("m") MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3 DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw DgQIjv5c3OHvnBgCAggAgIIFiMJa8Z/w7errRvCQPXh9dGQz3eJaFq3S2gXD @@ -249,7 +325,8 @@ def test_new_with_no_keys 7Pjn/vE6xUV0HXE2x4yoVYNirbAMIvkN/X+atxrN0dA4AchN+zGp8TAxMCEw CQYFKw4DAhoFAAQUQ+6XXkyhf6uYgtbibILN2IjKnOAECLiqoY45MPCrAgII AA== - EOF + EOF + end p12 = OpenSSL::PKCS12.new(str, "abc123") assert_equal nil, p12.key 
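Review bot: `str = if openssl?(3, 2, 0)` in test_new_with_no_keys selects the `-nomac` fixture on every OpenSSL 3.2+ build, not only under FIPS, so non-FIPS runs on current OpenSSL stop parsing a MAC-protected PKCS#12 in this test. MAC verification in `OpenSSL::PKCS12.new` is the integrity check on the bundle, and the original fixture was the regression coverage for it here. Since the `omit_on_fips` line above presumably already leaves the test when FIPS is combined with an older OpenSSL, the selector can be `str = if OpenSSL.fips_mode`, which keeps the MAC-protected fixture for all non-FIPS runs. test_new_with_no_certs uses the same selector.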
@@ -259,9 +336,68 @@ def test_new_with_no_keys end def test_new_with_no_certs - # generated with: - # openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export - str = <<~EOF.unpack1("m") + # As OpenSSL::PKCS12.new calling PKCS12_parse() doesn't support MAC-less + # PKCS12 on OpenSSL 3.1 or earlier versions. + omit_on_fips unless openssl?(3, 2, 0) && OpenSSL.fips_mode + + str = if openssl?(3, 2, 0) + # Generated with the folowing steps: + # openssl pkcs12 -inkey test/openssl/fixtures/pkey/rsa-1.pem \ + # -nocerts -export -passout pass:abc123 -nomac -out /tmp/p12.out + # base64 /tmp/p12.out + <<~EOF.unpack1("m") +MIIKBwIBAzCCCgAGCSqGSIb3DQEHAaCCCfEEggntMIIJ6TCCCeUGCSqGSIb3DQEHAaCCCdYEggnS +MIIJzjCCCcoGCyqGSIb3DQEMCgECoIIJuTCCCbUwXwYJKoZIhvcNAQUNMFIwMQYJKoZIhvcNAQUM +MCQEEDTb3k1wLuCc//wYdCvloNoCAggAMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBDlM1ny +pEKS9JFfHAS7cHUfBIIJULn63tJp5XfMBZn7tDVHaL1YwGiiZis17DS0z9jTxEpwoTZRyJ0WL28e +rNeD0r2f5l+m99HPdkh/qoUWG5mVR0/B7wlZHZjJWoJRWlluy3kxLc66pcPPTxqRRZneznR3Npwo +mE62a+Nl/2PViFiBG8Udm1N3Auhc2vMPdQ7oEEW/AaXYntA2UngNyrp07rViqEZFvV+lsy3mFVmp +tIRhBA4DT15BHNlCHP+88BBsehHdCysJc0cKGfZh58Y0FTuGSeOoCP1aZa2hIblMiSrbCFd+xJe+ +Tm9H0ru2TT3PRzf9CPTxGOo7GNYBRkF4TKVf5DZ8CTGRXkKSrCLRRAEB/8Hgym6F1olNA9Lpk/8y +46LDWTpefyTP7n92OymHmjyA4eVOBL78SplssbENyBDIipAi4i36Z4VUnIB3HlM1OC3bHWjtjJkB +TiPIXXFcMFf0cxOte1ggLr3nO52m0ls0koNR94FGYGcmkBR6R9iUZa7hoMzD9xuxPfnMG6OSEArW +LEXCSIm6C5DUec/X2o1ofp0ADViRlcP4H4Hl3UwgjeuHjeLKlcyHzl7tMWuM/aZ5vntIuhXQSqyV +4krtQWhHfHWVlg7XT21CgJnBbJTzDodXHJKTi5BtWNxiJdCNDemyZpn9tfOFZNjk0ucFkSspQ9At +PKs1GdX7xtjQOZ7Q808lBzoKXaHJcq0xPYjA0j7F8SzUxwzV3ePpbOwsh7hdFDNQuyadI10W+kCj +I6T/PRD3zvkF7b37XFXQ/U8Xmjqe7PyWwvePiQxukKe/jgeof55/LISKaIRRMD9FQ3WRI8MTtn+V +f9UeHpeIYkuZ0I2TbISiafWn5lYQ8Mha2TS0U2f4yKr6m4AQ50iJhhaqwQtbXo+wSvVTNOqr4Ffq +L5HbAH5/ngYcZSoKAhbU7x5BB5halfiZM4ZCIJKK4sd5bvr0LF/Y8Da+t9mjuWV4aHM9ER26cS6E +lGC1WIwauUMgy4Qg3g6QbGlPQ/l/ILbZOd9pUeW+GJFfkx9UtQuPY/DT4AnHvTXvngyukWSnMoem 
+OpC8Ftv/Rs4IRbfUdeivB2ijl84sM/zC2IZjRI1iqnLEC93M32vYccE8VjOr/6NXfONo7Ekf4VwX +JkQxAJrXJDSqJTo69VnJHhwCW7g4vAsZctSarjgvlm/wvhOU6cuhJCck4AqbZ831PKYvP7o6QTqs +YpwL3PLGGAh1uIdET6K+cw80i2C8o+TNfmJIxjsnylLnV71j/D0NgajJGtsg9R4G3rtbBgs8gAqb +J9msY87rCjnMdXNVAn1jVcWDPznQwNjmysyPysqyJnAqHH2AQJIMz4lbP+uVGud2NptUZNMMdEDF +Kcn7G2S28l0G3kUeW2WOwGl7wvER44Hsolo7HTDpYCOBzDdrhUa1TCqCgxVYS1YFoHN5fn8XaDmw +pokTUwtDS3DwUOuFsWXTNCe6I/RDWbE39q5YU02KJMfaIbJKRR6/+oGfyFuUgo3OjpfNCv/hCYz/ +qIkvL8sI52bAtgFlq/RJaq5hziPtJevKXIqoX5tibKtSfR/IOOY/NH0vzRcM52eEuQZ8zQBUVlCY +aKZh+dXyo0oksBQVyE8PGYxRy4B5aiGwA8R0coxGIXziESbtkQKOX2FL0fCZ6UUD8tyTxKgnytn7 +OljDatkr28QpREBqkg1/OIkPToZ6RwumIGoFczoRHMMdrniA3SqYd/T4OJ9HIJ6yjXJ3LRQOPoR9 +6/dAeFo6T25W8EXCj1GLlNudYcjOfQfN6bkDpyN+xN8uF3pUFrfsFEuMia2oJItlpzpEDlPuXP92 +uBvVU9NXqiTvUqiJOkjK4uC2MqDEa46XgCqiHlAhHLpJwdFMu7LdKnshOzoROHkFSkzEw75wd5cS +RXPzl4CHxtV/OVklJlSYmQwiD+S+JkvTmCyA8bxoq47P8V0K+U/hVurPscgy4KJ2S4hd83EPTkHQ +v6e2W6kpsxe7RiJKQlvR7aj4Fk2at7KBMx8Dac4r9W/zFp+FNn4B1vN5GpYRaDobeovj5vO2c3sB +N8wHX7zzvxLJxVe8v/Ucb2/gIEMxU+uSz4Cag6LaIkTmm2et9pnfvFI2DLeeHKgYqOembWgBqPiO +xhwMXHawFM+ET7q4NhHmVeQTau2k8VAFSFn+leiTUQ4GUOpSbNe1OhIuSFwphcrq8z1+gZkDZQ7a +hD3WyTro73JqFox3pukGH+fprP5fn2oCLQKfgb0xbfwsz+PvWtU4bA914KhbOqW8/v88LBD0uAlH +u67npyCkzsAczbT9EqLv2wl+k0SoX/H5kEPAGmCmMArb9wY9X1/ZlBOREJzo0TdUZqqTQTwPPRAY +0+vPtFY+A6f2G5VlVEmXrNeYEHahfxkuTsrQWL7PXHKg45HMUVgRC1/9YFASn/y+IrGK1CDXs4vm +oFJ6vkExHggKTwv55t1kMyNPgnn2eTfgJhAeTQ1bK9F0+9Ymp/PVJXA/wnYDqe8jv1ri5MUipPnD +n/bF8OoTdxFNQsiBWd0f3Gye9FCqoD/B+nD1clSoni1I2G22YN39je9RQpsljFQFg4qGRI/SCHxK +uwZRjPnjChRiWse+mgdKqbVSkjhBg8QVgOMbTUFTRnUoOmnjsbo85iKZSsbDG7RLLqTC6qz/n4A/ +LBUXV9TrJP25nfu9UjMZZ7foPmVk3n/zVhIWJn54KtkrECb5L1E706zaO2MBl8RAcSQGToHnvEIv +k4bkln9gYnS0EEwKrXl4FrecK4++qnb1aHSz4r+Rw+ITCLi0RfzncLD+EaUaXl6iJl+LWYl3nzmC +fBoqoN+hMeLDiIVwj7INFNM92r99W9+lj/VHGhYjGZkye0uAc9oT/+TFvADArMwF73IH3OzXKZG7 ++DRW9EE8xNpXlje9Gt4W6/D31hht/5n7xKssqI42VT5UHHMNgzpakPh6uVF2I26CYlBwNzPRiBRZ 
+1/eqHfOzPS4qd291eB/AjGd6MD1BJJ/B32vnKkQwiM+yXMAN71EF/nK6VB+H8gkkCcJ8Cx/VKrKW +StJBohdz6QCuy39OIZF/wKR1LzN38UP/LnU9wx+NlmXFqFx1SQmCZuiQ9ZzRLVAbrjlY/l/yzEJg +cNFqaBp0VbS7q2o3dexyMmH4vEr0CJrZyrCWQkTmkjUDtiOSiie8DpfUfNDrQr/OVhY1LXDBwH0B +S4O1EYFB + EOF + else + # Generated with: + # openssl pkcs12 -inkey test/openssl/fixtures/pkey/rsa-1.pem \ + # -nocerts -export + <<~EOF.unpack1("m") MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3 DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK KoZIhvcNAQwBAzAOBAjX5nN8jyRKwQICCAAEgglIBIRLHfiY1mNHpl3FdX6+ @@ -319,7 +455,8 @@ def test_new_with_no_certs VXCZCGWyyTuyHGOqq5ozrv5MlzZLWD/KV/uDsAWmy20RAed1C4AzcXlpX25O M4SNl47g5VRNJRtMqokc8j6TjZrzMDEwITAJBgUrDgMCGgUABBRrkIRuS5qg BC8fv38mue8LZVcbHQQIUNrWKEnskCoCAggA - EOF + EOF + end p12 = OpenSSL::PKCS12.new(str, "abc123") assert_equal Fixtures.pkey("rsa-1").to_der, p12.key.to_der @@ -328,6 +465,8 @@ def test_new_with_no_certs end def test_dup + mac_iter = OpenSSL.fips_mode ? -1 : nil + p12 = OpenSSL::PKCS12.create( "pass", "name", @@ -336,11 +475,17 @@ def test_dup nil, DEFAULT_PBE_PKEYS, DEFAULT_PBE_CERTS, + nil, + mac_iter, ) assert_equal p12.to_der, p12.dup.to_der end def test_set_mac_pkcs12kdf + # OpenSSL::PKCS12.create's argument mac_iter uses MAC key using PKCS12KDF + # which is not FIPS-approved. + omit_on_fips + p12 = OpenSSL::PKCS12.create( "pass", "name",
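Review bot: The generation comment for the new fixture in test_new_with_no_certs does not pin the key encryption, unlike the test_new_with_no_keys comment, which passes `-certpbe AES-256-CBC` explicitly. As written, the fixture depends on the default of whichever openssl binary produced it. I would either add `-keypbe AES-256-CBC` to the documented command or record the openssl version used, so the data can be regenerated identically. The same comment also misspells `following` as `folowing`.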