diff options
author | Tomas Mraz <tomas@openssl.org> | 2021-03-05 17:22:35 +0100 |
---|---|---|
committer | Pauli <ppzgs1@gmail.com> | 2021-03-09 11:12:07 +1000 |
commit | 913f9d5e52f0541c2fb9c3b60d3fc785f35eacae (patch) | |
tree | a7470477ed6b180dec28bccd59811381360a1eda | |
parent | 31e2e6e0b1f0f9ab88b9625f841e268766b598d0 (diff) | |
download | openssl-913f9d5e52f0541c2fb9c3b60d3fc785f35eacae.tar.gz |
apps/pkcs12: Properly detect MAC setup failure
The MAC requires PKCS12KDF support which is not present
in FIPS provider as it is not an approved KDF algorithm.
Suggest using -nomac if MAC is not required.
Fixes #14057
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14445)
-rw-r--r-- | apps/pkcs12.c | 6 | ||||
-rw-r--r-- | doc/man1/openssl-pkcs12.pod.in | 6 |
2 files changed, 9 insertions, 3 deletions
diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 241122b76a..00c5a9bc4b 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c @@ -655,7 +655,11 @@ int pkcs12_main(int argc, char **argv) } if (maciter != -1) - PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd); + if (!PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd)) { + BIO_printf(bio_err, "Error creating PKCS12 MAC; no PKCS12KDF support?\n"); + BIO_printf(bio_err, "Use -nomac if MAC not required and PKCS12KDF support not available.\n"); + goto export_end; + } assert(private); diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 65c10d1adb..b367be2b7f 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -333,7 +333,7 @@ then both, the private key and the certificates are encrypted using triple DES. =item B<-macalg> I<digest> -Specify the MAC digest algorithm. If not included them SHA1 will be used. +Specify the MAC digest algorithm. If not included SHA1 will be used. =item B<-iter> I<count> @@ -362,7 +362,9 @@ to be needed to use MAC iterations counts but they are now used by default. =item B<-nomac> -Don't attempt to provide the MAC integrity. +Do not attempt to provide the MAC integrity. This can be useful with the FIPS +provider as the PKCS12 MAC requires PKCS12KDF which is not an approved FIPS +algorithm and cannot be supported by the FIPS provider. =back |