Unable to load PKCS#12 with password and no MAC

Hubert Kario hkario at redhat.com
Mon Feb 28 17:28:09 UTC 2022


On Thursday, 17 February 2022 10:31:40 CET, Florin Spătar wrote:
> I see. Thanks for the suggested workaround.
>
> Are there any plans for PKCS12_parse to support PKCS12 files 
> without MAC or any plans to use a FIPS approved algorithm for 
> PKCS12 MAC? Any of these would help dealing with PKCS12 files in 
> FIPS mode.

As Tomas said, the issue is with the PKCS#12 standard.
For the MAC calculation to use a FIPS-approved KDF, the PKCS#12 standard would
have to be updated.

That's something my colleagues and I will probably tackle, but I don't know
when.

> Thanks,
>
> Florin Spatar
>
> On 16.02.2022 17:25, Tomas Mraz wrote:
>> Yes, unfortunately PKCS12_parse currently does not support PKCS12 files
>> without the MAC. Such support could be easily added. As a workaround
>> you can look at how the pkcs12 application is implemented and use these
>> calls instead.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
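
An added example, not part of the thread and not OpenSSL code: a dependency-free pre-flight check that reports whether a PKCS#12 file carries the optional `macData` field and, if so, which digest and iteration count it names, so a caller can tell in advance whether it is dealing with the MAC-less case discussed above. It assumes DER input (indefinite-length BER is rejected); the function names and the sample bytes are constructed for illustration.

```python
# Added example: does a DER-encoded PKCS#12 (PFX) carry the optional macData?
# RFC 7292: PFX ::= SEQUENCE { version, authSafe ContentInfo, macData MacData OPTIONAL }
DIGEST_OIDS = {bytes.fromhex("2b0e03021a"): "sha1",            # 1.3.14.3.2.26
               bytes.fromhex("608648016503040201"): "sha256"}  # 2.16.840.1.101.3.4.2.1

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite (BER) or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of input")
    return tag, pos, pos + length

def children(buf, start, end):  # (tag, value_start, value_end) per element
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def pfx_mac_info(der):
    """Return None when macData is absent, else (digest_name, iterations)."""
    tag, start, end = read_tlv(der, 0)
    top = children(der, start, end) if tag == 0x30 else []
    if len(top) < 2 or top[0][0] != 0x02 or top[1][0] != 0x30:
        raise ValueError("not a PKCS#12 PFX structure")
    if len(top) == 2:
        return None
    mac = children(der, top[2][1], top[2][2])        # DigestInfo, macSalt, [iterations]
    alg_id = children(der, mac[0][1], mac[0][2])[0]  # DigestInfo -> AlgorithmIdentifier
    oid = children(der, alg_id[1], alg_id[2])[0]     # AlgorithmIdentifier -> OID
    raw = bytes(der[oid[1]:oid[2]])
    iterations = int.from_bytes(der[mac[2][1]:mac[2][2]], "big") if len(mac) > 2 else 1
    return DIGEST_OIDS.get(raw, raw.hex()), iterations

def _tlv(tag, body):  # short-form DER builder for the constructed samples below
    return bytes([tag, len(body)]) + body
# Constructed sample input (not a real keystore): stub authSafe, SHA-1 macData.
_SAFE = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010701")))
_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b0e03021a")) + _tlv(0x05, b""))
_MAC = _tlv(0x30, _tlv(0x30, _ALG + _tlv(0x04, bytes(20))) + _tlv(0x04, bytes(8)) + _tlv(0x02, b"\x08\x00"))
PFX_NO_MAC = _tlv(0x30, _tlv(0x02, b"\x03") + _SAFE)
PFX_WITH_MAC = _tlv(0x30, _tlv(0x02, b"\x03") + _SAFE + _MAC)
```

A `None` result marks the MAC-less case; a result naming `sha1` or another digest identifies the MAC algorithm recorded in the file, which is read here but not verified.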



More information about the openssl-users mailing list