Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Dr Paul Dale
ward that would allow reading and writing to a key store while only using the fips provider? Thanks, Zeke Evans Micro Focus -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs wi

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
If that is a hypothetical context, what context is the official design goal of the OpenSSL Foundation for their validation effort? On 2021-01-28 11:26, Tomas Mraz wrote: This is a purely hypothetical context. Besides, as I said below - the PKCS12KDF should not be used with modern PKCS12 files.

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Tomas Mraz
This is a purely hypothetical context. Besides, as I said below - the PKCS12KDF should not be used with modern PKCS12 files. Because it can be used only with obsolete encryption algorithms anyway - the best one being 3DES for the encryption and SHA1 for the KDF. Tomas On Thu, 2021-01-28 at 11:08

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
rd that would allow reading and writing to a key store while only using the fips provider? Thanks, Zeke Evans Micro Focus -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs with fips

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Tomas Mraz
low > > > > > PKCS12KDF in the default provider as well as the crypto > > > > > methods > > > > > in > > > > > the fips provider? I have tried "provider=default,fips=yes" > > > > > but > > > > >

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs with fips 3.0 I'm not even sure that NIST can validate the PKCS#12 KDF. If it can't be validated, it doesn't belong in the FIPS provider. Paul

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Matt Caswell
karound for >>> reading in PKCS12 files in order to maintain backwards >>> compatibility.  Is there a recommended method going forward that >>> would allow reading and writing to a key store while only using the >>> fips provider? >>> >>> Thanks, >&

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Tomas Mraz
round > > > for > > > reading in PKCS12 files in order to maintain backwards > > > compatibility. Is there a recommended method going forward that > > > would allow reading and writing to a key store while only using > > > the > > > fips prov

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
anks, Zeke Evans Micro Focus -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs with fips 3.0 I'm not even sure that NIST can validate the PKCS#12 KDF. If it can't be validated

RE: PKCS12 APIs with fips 3.0

2021-01-27 Thread Zeke Evans
That works. Thanks! -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 6:01 PM You could set the default property query to "?fips=yes". This will prefer FIPS algorithms over any others but will not prevent other algorithms from being

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Dr Paul Dale
ward that would allow reading and writing to a key store while only using the fips provider? Thanks, Zeke Evans Micro Focus -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 A

RE: PKCS12 APIs with fips 3.0

2021-01-26 Thread Zeke Evans
nuary 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs with fips 3.0 I'm not even sure that NIST can validate the PKCS#12 KDF. If it can't be validated, it doesn't belong in the FIPS provider. Pauli On 26/1/21 10:48 pm, Tomas Mraz wrote: > On Tue, 2021-01-26 at 11:45 +00

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Dr Paul Dale
I'm not even sure that NIST can validate the PKCS#12 KDF. If it can't be validated, it doesn't belong in the FIPS provider. Pauli On 26/1/21 10:48 pm, Tomas Mraz wrote: On Tue, 2021-01-26 at 11:45 +, Matt Caswell wrote: On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote: On

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Tomas Mraz
On Tue, 2021-01-26 at 11:45 +, Matt Caswell wrote: > > On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote: > > On 2021-01-25 17:53, Zeke Evans wrote: > > > Hi, > > > > > > > > > > > > Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, > > > PKCS12_verify_mac) do not work in

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Matt Caswell
On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote: > On 2021-01-25 17:53, Zeke Evans wrote: >> >> Hi, >> >>   >> >> Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, >> PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips >> provider.  It looks like that is because

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Jakob Bohm via openssl-users
On 2021-01-25 17:53, Zeke Evans wrote: Hi, Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips provider.  It looks like that is because they try to load PKCS12KDF which is not implemented in the fips provider.  These

PKCS12 APIs with fips 3.0

2021-01-25 Thread Zeke Evans
Hi, Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips provider. It looks like that is because they try to load PKCS12KDF which is not implemented in the fips provider. These were all working in 1.0.2 with the fips 2.0