Fix test_pkcs12.rb in FIPS.

Rakefile

@@ -28,7 +28,6 @@ Rake::TestTask.new(:test_fips_internal) do |t|
   t.test_files = FileList['test/**/test_*.rb'] - FileList[
     'test/openssl/test_hmac.rb',
     'test/openssl/test_kdf.rb',
-    'test/openssl/test_pkcs12.rb',
     'test/openssl/test_ts.rb',
   ]
   t.warning = true

test/openssl/test_pkcs12.rb

@@ -5,8 +5,8 @@
 
 module OpenSSL
   class TestPKCS12 < OpenSSL::TestCase
-    DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES"
-    DEFAULT_PBE_CERTS = "PBE-SHA1-3DES"
+    DEFAULT_PBE_PKEYS = "AES-256-CBC"
+    DEFAULT_PBE_CERTS = "AES-256-CBC"
 
     def setup
       super
@@ -34,7 +34,13 @@
     end
 
     def test_create_single_key_single_cert
+      # OpenSSL::PKCS12.create calling the PKCS12_create() has the argument
+      # mac_iter which uses a MAC key using PKCS12KDF which is not
+      # FIPS-approved. In the FIPS case, set the `mac_iter = -1` to omit the MAC
+      # key. See also the man page PKCS12_create(3).
+      mac_iter = OpenSSL.fips_mode ? -1 : nil
+
       pkcs12 = OpenSSL::PKCS12.create(
         "omg",
         "hello",
         @mykey,
@@ -42,11 +48,19 @@
         nil,
         DEFAULT_PBE_PKEYS,
         DEFAULT_PBE_CERTS,
+        nil,
+        mac_iter,
       )
       assert_equal @mycert, pkcs12.certificate
       assert_equal @mykey.to_der, pkcs12.key.to_der
       assert_nil pkcs12.ca_certs
 
+      # As OpenSSL::PKCS12.new calling PKCS12_parse() doesn't support MAC-less
+      # PKCS12 on OpenSSL 3.1 or earlier versions, we cannot set the
+      # mac_iter = -1 on the versions in FIPS.
+      # https://github.com/openssl/openssl/commit/cfd24cde81aa5f63dba41ddcde0fa3c5d64e1db0
+      omit_on_fips unless openssl?(3, 2, 0) && OpenSSL.fips_mode
+
       der = pkcs12.to_der
       decoded = OpenSSL::PKCS12.new(der, "omg")
       assert_equal @mykey.to_der, decoded.key.to_der
@@ -55,7 +69,9 @@
     end
 
     def test_create_no_pass
+      mac_iter = OpenSSL.fips_mode ? -1 : nil
+
       pkcs12 = OpenSSL::PKCS12.create(
         nil,
         "hello",
         @mykey,
@@ -63,6 +79,8 @@
         nil,
         DEFAULT_PBE_PKEYS,
         DEFAULT_PBE_CERTS,
+        nil,
+        mac_iter,
       )
       assert_equal @mycert, pkcs12.certificate
       assert_equal @mykey.to_der, pkcs12.key.to_der
@@ -74,8 +92,9 @@
 
     def test_create_with_chain
       chain = [@inter_cacert, @cacert]
+      mac_iter = OpenSSL.fips_mode ? -1 : nil
 
       pkcs12 = OpenSSL::PKCS12.create(
         "omg",
         "hello",
         @mykey,
@@ -83,16 +102,18 @@
         chain,
         DEFAULT_PBE_PKEYS,
         DEFAULT_PBE_CERTS,
+        nil,
+        mac_iter,
       )
       assert_equal chain, pkcs12.ca_certs
     end
 
     def test_create_with_chain_decode
-      chain = [@cacert, @inter_cacert]
-
       passwd = "omg"
+      chain = [@cacert, @inter_cacert]
+      mac_iter = OpenSSL.fips_mode ? -1 : nil
 
       pkcs12 = OpenSSL::PKCS12.create(
         passwd,
         "hello",
         @mykey,
@@ -100,8 +121,12 @@
         chain,
         DEFAULT_PBE_PKEYS,
         DEFAULT_PBE_CERTS,
+        nil,
+        mac_iter,
       )
 
+      omit_on_fips unless openssl?(3, 2, 0) && OpenSSL.fips_mode
+
       decoded = OpenSSL::PKCS12.new(pkcs12.to_der, passwd)
       assert_equal chain.size, decoded.ca_certs.size
       assert_include decoded.ca_certs, @cacert
@@ -124,7 +149,9 @@
     end
 
     def test_create_with_itr
+      mac_iter = OpenSSL.fips_mode ? -1 : nil
+
       OpenSSL::PKCS12.create(
         "omg",
         "hello",
         @mykey,
@@ -132,7 +159,8 @@
         [],
         DEFAULT_PBE_PKEYS,
         DEFAULT_PBE_CERTS,
-        2048
+        2048,
+        mac_iter,
       )
 
       assert_raise(TypeError) do
@@ -150,7 +178,9 @@
     end
 
     def test_create_with_mac_itr
+      mac_iter = OpenSSL.fips_mode ? -1 : 2048
+
       OpenSSL::PKCS12.create(
         "omg",
         "hello",
         @mykey,
@@ -159,7 +189,7 @@
         DEFAULT_PBE_PKEYS,
         DEFAULT_PBE_CERTS,
         nil,
-        2048
+        mac_iter,
       )
 
       assert_raise(TypeError) do
@@ -180,6 +210,8 @@
     def test_create_with_keytype
       omit "AWS-LC does not support KEY_SIG and KEY_EX" if aws_lc?
 
+      mac_iter = OpenSSL.fips_mode ? -1 : nil
+
       OpenSSL::PKCS12.create(
         "omg",
         "hello",
@@ -189,7 +221,7 @@
         DEFAULT_PBE_PKEYS,
         DEFAULT_PBE_CERTS,
         nil,
-        nil,
+        mac_iter,
         OpenSSL::PKCS12::KEY_SIG
       )
 
@@ -203,16 +235,60 @@
           DEFAULT_PBE_PKEYS,
           DEFAULT_PBE_CERTS,
           nil,
-          nil,
+          mac_iter,
           2048
         )
       end
     end
 
     def test_new_with_no_keys
-      # generated with:
-      #   openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export
-      str = <<~EOF.unpack1("m")
+      # As OpenSSL::PKCS12.new calling PKCS12_parse() doesn't support MAC-less
+      # PKCS12 on OpenSSL 3.1 or earlier versions.
+      omit_on_fips unless openssl?(3, 2, 0) && OpenSSL.fips_mode
+
+      # PKCS12_parse supports MAC-less PKCS12 on OpenSSL 3.2.0 or later
+      # versions.
+      # https://github.com/openssl/openssl/commit/cfd24cde81aa5f63dba41ddcde0fa3c5d64e1db0
+      str = if openssl?(3, 2, 0)
+        # Generated with the following steps:
+        #   Print the value of the @mycert such as by `puts @mycert.to_s` and
+        #   save the value as the file `mycert.pem`.
+        #   Run the following commands:
+        #   openssl pkcs12 -certpbe AES-256-CBC -in <(cat mycert.pem) \
+        #     -nokeys -export -passout pass:abc123 -nomac -out /tmp/p12.out
+        #   base64 /tmp/p12.out
+        <<~EOF.unpack1("m")
+MIIFtwIBAzCCBbAGCSqGSIb3DQEHAaCCBaEEggWdMIIFmTCCBZUGCSqGSIb3DQEHAaCCBYYEggWC
+MIIFfjCCBXoGCyqGSIb3DQEMCgEDoIIFaTCCBWUGCiqGSIb3DQEJFgGgggVVBIIFUTCCBU0wggM1
+oAMCAQICAQMwDQYJKoZIhvcNAQELBQAwSjETMBEGCgmSJomT8ixkARkWA29yZzEZMBcGCgmSJomT
+8ixkARkWCXJ1YnktbGFuZzEYMBYGA1UEAwwPSW50ZXJtZWRpYXRlIENBMB4XDTI2MDExNjE1MjM0
+M1oXDTI2MDExNjE3MjM0M1owVzETMBEGCgmSJomT8ixkARkWA29yZzEZMBcGCgmSJomT8ixkARkW
+CXJ1YnktbGFuZzElMCMGA1UEAwwcUnVieSBQS0NTMTIgVGVzdCBDZXJ0aWZpY2F0ZTCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBAM5/mAnDoewSEc62+0xLoUCw+eOfvxcf8wmDt5fsv/KI
+FMTE4CxuR63F5V9yT+/eonvdPxhyH/P5cHM1YT9Y5P5HmI5MKE2A7eO+0eykXCT8hqh0a6i6ewJ2
+cbc9ySzW6E4Dt2wGM5b7bEilP0d6HoQWxh8xFgj9lBGI/ypMtM6XI5IWVI4hK6/QET6vPnThqgX/
+ghNjSymAtW7vIWXvQHXb7zdkr3zDeroSbRBmTtZPLUnMHwMrzydT6P+s9PKczAIHwVAhPecGgFXm
+CViDpZzQeHhInr85V3TwfbxLfDjsLVn0F1fMcjLKCngFtObONdxNHk2MdWrpRV3VsBtplhAUbTcy
+hdYgbnZYNWt8dc04VotaWI1ub0Tr6FmTAm5fW2EPy8Tglag6FJfOvjTxBnrhEjM5uTbzkANntE8u
+cKYZ7fTNfVnHPJ3gYW+oghqmM8Vjb1GF2VlL9fvzKzxysibr+zEor8LXLX6fEmnFBsZHek/rulep
+7R396rTf+aQJp4up81E4IwuuTEtCxIYv0U88Gn5CH4n3iR+/y6hbY67q7LsLmvqfZZAAnJPyeU6c
+2gHy66BULnqT/KoHqtXKQ+SIoueiCfhT0p5L3rB7kVJmSJIbUVVbFajGjT7/1M3NNmzmkV1j+Grl
+GPdZgysfxQ5jkWvWAg0MTJCpHtOUlkPdAgMBAAGjMTAvMA4GA1UdDwEB/wQEAwIHgDAdBgNVHQ4E
+FgQUUH4eOytXrB3BkxjTQJ3zuodTdhIwDQYJKoZIhvcNAQELBQADggIBALpPM+lVUmvAEQ/pho0W
+/caBx32XhHNHR8XyoDYbKTaUyFKBNlB6PVXys3zpFK/PD/BEJXlvHmytSeqgaTFIku8RFzPYtL63
+HlHyVRBQSEo/jftPd6ETMy3StCALZfbRIaQAn5WpUBAGkD+XaMdk190rajV9RM+R2DXiyxIg9lSe
+mq97UkhUJivGpwik6u5l5/3QtsqiDR3P8xIFejkzONj1Q2cRx12SlRN3S6+vuCxbHPw+X/olk67M
+t2f8zb2vKk6hmxwiTGw1/ac98w31MhuqUG0ZQCL2xMuKxwm3dNLMwiavt7PQ6o27NEAmyAq5wUgv
+4+fhnuId6bkeP2vwXWHNFEELTPgl2NNBrbpGzOg1OVMROa/AFSt8XKNZkdnHXhKZFICbntUlUx3m
+MVkKCtXPy2e182VdJ1NLiLgPHBGNNd7rVpM1HzGeoE/24vfG7ZcN2i2Pij7Hv7Lq5H0dRcXsOvb9
+wkP9GQE9874Ub3l6de+V1tbw13kWCTCSNg6gt/yhBr11Dp0BGAyHkzVGbURzFO2VybQ/8vA5lGMf
+dxqNRQAPJd6KNya+UOFpYF6HUWtQjwJntoNxN3M3cC5Qf0KUTepLrIxSf5RxTqTDm7EBfUPvqFu4
+xAClO3mYQDekE7DC9NaF8UFlaiocR8LtKQvE5o4UwKUM5tcxBpsPhUPd
+        EOF
+      else
+        # Generated with:
+        #   openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export
+        <<~EOF.unpack1("m")
 MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3
 DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw
 DgQIjv5c3OHvnBgCAggAgIIFiMJa8Z/w7errRvCQPXh9dGQz3eJaFq3S2gXD
@@ -249,7 +325,8 @@
 7Pjn/vE6xUV0HXE2x4yoVYNirbAMIvkN/X+atxrN0dA4AchN+zGp8TAxMCEw
 CQYFKw4DAhoFAAQUQ+6XXkyhf6uYgtbibILN2IjKnOAECLiqoY45MPCrAgII
 AA==
-      EOF
+        EOF
+      end
       p12 = OpenSSL::PKCS12.new(str, "abc123")
 
       assert_equal nil, p12.key
@@ -259,9 +336,68 @@
     end
 
     def test_new_with_no_certs
-      # generated with:
-      #   openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export
-      str = <<~EOF.unpack1("m")
+      # As OpenSSL::PKCS12.new calling PKCS12_parse() doesn't support MAC-less
+      # PKCS12 on OpenSSL 3.1 or earlier versions.
+      omit_on_fips unless openssl?(3, 2, 0) && OpenSSL.fips_mode
+
+      str = if openssl?(3, 2, 0)
+        # Generated with the folowing steps:
+        #   openssl pkcs12 -inkey test/openssl/fixtures/pkey/rsa-1.pem \
+        #     -nocerts -export -passout pass:abc123 -nomac -out /tmp/p12.out
+        #   base64 /tmp/p12.out
+        <<~EOF.unpack1("m")
+MIIKBwIBAzCCCgAGCSqGSIb3DQEHAaCCCfEEggntMIIJ6TCCCeUGCSqGSIb3DQEHAaCCCdYEggnS
+MIIJzjCCCcoGCyqGSIb3DQEMCgECoIIJuTCCCbUwXwYJKoZIhvcNAQUNMFIwMQYJKoZIhvcNAQUM
+MCQEEDTb3k1wLuCc//wYdCvloNoCAggAMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBDlM1ny
+pEKS9JFfHAS7cHUfBIIJULn63tJp5XfMBZn7tDVHaL1YwGiiZis17DS0z9jTxEpwoTZRyJ0WL28e
+rNeD0r2f5l+m99HPdkh/qoUWG5mVR0/B7wlZHZjJWoJRWlluy3kxLc66pcPPTxqRRZneznR3Npwo
+mE62a+Nl/2PViFiBG8Udm1N3Auhc2vMPdQ7oEEW/AaXYntA2UngNyrp07rViqEZFvV+lsy3mFVmp
+tIRhBA4DT15BHNlCHP+88BBsehHdCysJc0cKGfZh58Y0FTuGSeOoCP1aZa2hIblMiSrbCFd+xJe+
+Tm9H0ru2TT3PRzf9CPTxGOo7GNYBRkF4TKVf5DZ8CTGRXkKSrCLRRAEB/8Hgym6F1olNA9Lpk/8y
+46LDWTpefyTP7n92OymHmjyA4eVOBL78SplssbENyBDIipAi4i36Z4VUnIB3HlM1OC3bHWjtjJkB
+TiPIXXFcMFf0cxOte1ggLr3nO52m0ls0koNR94FGYGcmkBR6R9iUZa7hoMzD9xuxPfnMG6OSEArW
+LEXCSIm6C5DUec/X2o1ofp0ADViRlcP4H4Hl3UwgjeuHjeLKlcyHzl7tMWuM/aZ5vntIuhXQSqyV
+4krtQWhHfHWVlg7XT21CgJnBbJTzDodXHJKTi5BtWNxiJdCNDemyZpn9tfOFZNjk0ucFkSspQ9At
+PKs1GdX7xtjQOZ7Q808lBzoKXaHJcq0xPYjA0j7F8SzUxwzV3ePpbOwsh7hdFDNQuyadI10W+kCj
+I6T/PRD3zvkF7b37XFXQ/U8Xmjqe7PyWwvePiQxukKe/jgeof55/LISKaIRRMD9FQ3WRI8MTtn+V
+f9UeHpeIYkuZ0I2TbISiafWn5lYQ8Mha2TS0U2f4yKr6m4AQ50iJhhaqwQtbXo+wSvVTNOqr4Ffq
+L5HbAH5/ngYcZSoKAhbU7x5BB5halfiZM4ZCIJKK4sd5bvr0LF/Y8Da+t9mjuWV4aHM9ER26cS6E
+lGC1WIwauUMgy4Qg3g6QbGlPQ/l/ILbZOd9pUeW+GJFfkx9UtQuPY/DT4AnHvTXvngyukWSnMoem
+OpC8Ftv/Rs4IRbfUdeivB2ijl84sM/zC2IZjRI1iqnLEC93M32vYccE8VjOr/6NXfONo7Ekf4VwX
+JkQxAJrXJDSqJTo69VnJHhwCW7g4vAsZctSarjgvlm/wvhOU6cuhJCck4AqbZ831PKYvP7o6QTqs
+YpwL3PLGGAh1uIdET6K+cw80i2C8o+TNfmJIxjsnylLnV71j/D0NgajJGtsg9R4G3rtbBgs8gAqb
+J9msY87rCjnMdXNVAn1jVcWDPznQwNjmysyPysqyJnAqHH2AQJIMz4lbP+uVGud2NptUZNMMdEDF
+Kcn7G2S28l0G3kUeW2WOwGl7wvER44Hsolo7HTDpYCOBzDdrhUa1TCqCgxVYS1YFoHN5fn8XaDmw
+pokTUwtDS3DwUOuFsWXTNCe6I/RDWbE39q5YU02KJMfaIbJKRR6/+oGfyFuUgo3OjpfNCv/hCYz/
+qIkvL8sI52bAtgFlq/RJaq5hziPtJevKXIqoX5tibKtSfR/IOOY/NH0vzRcM52eEuQZ8zQBUVlCY
+aKZh+dXyo0oksBQVyE8PGYxRy4B5aiGwA8R0coxGIXziESbtkQKOX2FL0fCZ6UUD8tyTxKgnytn7
+OljDatkr28QpREBqkg1/OIkPToZ6RwumIGoFczoRHMMdrniA3SqYd/T4OJ9HIJ6yjXJ3LRQOPoR9
+6/dAeFo6T25W8EXCj1GLlNudYcjOfQfN6bkDpyN+xN8uF3pUFrfsFEuMia2oJItlpzpEDlPuXP92
+uBvVU9NXqiTvUqiJOkjK4uC2MqDEa46XgCqiHlAhHLpJwdFMu7LdKnshOzoROHkFSkzEw75wd5cS
+RXPzl4CHxtV/OVklJlSYmQwiD+S+JkvTmCyA8bxoq47P8V0K+U/hVurPscgy4KJ2S4hd83EPTkHQ
+v6e2W6kpsxe7RiJKQlvR7aj4Fk2at7KBMx8Dac4r9W/zFp+FNn4B1vN5GpYRaDobeovj5vO2c3sB
+N8wHX7zzvxLJxVe8v/Ucb2/gIEMxU+uSz4Cag6LaIkTmm2et9pnfvFI2DLeeHKgYqOembWgBqPiO
+xhwMXHawFM+ET7q4NhHmVeQTau2k8VAFSFn+leiTUQ4GUOpSbNe1OhIuSFwphcrq8z1+gZkDZQ7a
+hD3WyTro73JqFox3pukGH+fprP5fn2oCLQKfgb0xbfwsz+PvWtU4bA914KhbOqW8/v88LBD0uAlH
+u67npyCkzsAczbT9EqLv2wl+k0SoX/H5kEPAGmCmMArb9wY9X1/ZlBOREJzo0TdUZqqTQTwPPRAY
+0+vPtFY+A6f2G5VlVEmXrNeYEHahfxkuTsrQWL7PXHKg45HMUVgRC1/9YFASn/y+IrGK1CDXs4vm
+oFJ6vkExHggKTwv55t1kMyNPgnn2eTfgJhAeTQ1bK9F0+9Ymp/PVJXA/wnYDqe8jv1ri5MUipPnD
+n/bF8OoTdxFNQsiBWd0f3Gye9FCqoD/B+nD1clSoni1I2G22YN39je9RQpsljFQFg4qGRI/SCHxK
+uwZRjPnjChRiWse+mgdKqbVSkjhBg8QVgOMbTUFTRnUoOmnjsbo85iKZSsbDG7RLLqTC6qz/n4A/
+LBUXV9TrJP25nfu9UjMZZ7foPmVk3n/zVhIWJn54KtkrECb5L1E706zaO2MBl8RAcSQGToHnvEIv
+k4bkln9gYnS0EEwKrXl4FrecK4++qnb1aHSz4r+Rw+ITCLi0RfzncLD+EaUaXl6iJl+LWYl3nzmC
+fBoqoN+hMeLDiIVwj7INFNM92r99W9+lj/VHGhYjGZkye0uAc9oT/+TFvADArMwF73IH3OzXKZG7
++DRW9EE8xNpXlje9Gt4W6/D31hht/5n7xKssqI42VT5UHHMNgzpakPh6uVF2I26CYlBwNzPRiBRZ
+1/eqHfOzPS4qd291eB/AjGd6MD1BJJ/B32vnKkQwiM+yXMAN71EF/nK6VB+H8gkkCcJ8Cx/VKrKW
+StJBohdz6QCuy39OIZF/wKR1LzN38UP/LnU9wx+NlmXFqFx1SQmCZuiQ9ZzRLVAbrjlY/l/yzEJg
+cNFqaBp0VbS7q2o3dexyMmH4vEr0CJrZyrCWQkTmkjUDtiOSiie8DpfUfNDrQr/OVhY1LXDBwH0B
+S4O1EYFB
+        EOF
+      else
+        # Generated with:
+        #   openssl pkcs12 -inkey test/openssl/fixtures/pkey/rsa-1.pem \
+        #     -nocerts -export
+        <<~EOF.unpack1("m")
 MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3
 DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK
 KoZIhvcNAQwBAzAOBAjX5nN8jyRKwQICCAAEgglIBIRLHfiY1mNHpl3FdX6+
@@ -319,7 +455,8 @@
 VXCZCGWyyTuyHGOqq5ozrv5MlzZLWD/KV/uDsAWmy20RAed1C4AzcXlpX25O
 M4SNl47g5VRNJRtMqokc8j6TjZrzMDEwITAJBgUrDgMCGgUABBRrkIRuS5qg
 BC8fv38mue8LZVcbHQQIUNrWKEnskCoCAggA
-      EOF
+        EOF
+      end
       p12 = OpenSSL::PKCS12.new(str, "abc123")
 
       assert_equal Fixtures.pkey("rsa-1").to_der, p12.key.to_der
@@ -328,7 +465,9 @@
     end
 
     def test_dup
+      mac_iter = OpenSSL.fips_mode ? -1 : nil
+
       p12 = OpenSSL::PKCS12.create(
         "pass",
         "name",
         @mykey,
@@ -336,11 +475,17 @@
         nil,
         DEFAULT_PBE_PKEYS,
         DEFAULT_PBE_CERTS,
+        nil,
+        mac_iter,
       )
       assert_equal p12.to_der, p12.dup.to_der
     end
 
     def test_set_mac_pkcs12kdf
+      # OpenSSL::PKCS12.create's argument mac_iter uses MAC key using PKCS12KDF
+      # which is not FIPS-approved.
+      omit_on_fips
+
       p12 = OpenSSL::PKCS12.create(
         "pass",
         "name",