Re: Unable to load PKCS#12 with password and no MAC
On Thursday, 17 February 2022 10:31:40 CET, Florin Spătar wrote: I see. Thanks for the suggested workaround. Are there any plans for PKCS12_parse to support PKCS12 files without MAC or any plans to use a FIPS approved algorithm for PKCS12 MAC? Any of these would help dealing with PKCS12 files in FIPS mode. As Tomas said, the issue is with the PKCS#12 standard. For the MAC calculation to use FIPS approved KDF the PKCS#12 standard would have to be updated. That's something my colleagues and me will probably tackle, but don't know when. Thanks, Florin Spatar On 16.02.2022 17:25, Tomas Mraz wrote: Yes, unfortunately PKCS12_parse currently does not support PKCS12 files without the MAC. Such support could be easily added. As a workaround you can look at how the pkcs12 application is implemented and use these calls instead. -- Regards, Hubert Kario Senior Quality Engineer, RHEL Crypto team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
Re: EVP_PKEY_fromdata_init returns unsupported.
On Mon, Feb 28, 2022 at 2:59 AM Matt Caswell wrote:
>
>
>
> On 25/02/2022 22:07, William Roberts wrote:
> > Hello,
> >
> > In openssl 3.0.1 the following code hits the ctx->keymgt is null check
> > and thus returns -2
> > in pmeth_gn.c:
> > static int fromdata_init(EVP_PKEY_CTX *ctx, int operation)
> > {
> > if (ctx == NULL || ctx->keytype == NULL)
> > goto not_supported;
> >
> > evp_pkey_ctx_free_old_ops(ctx);
> > if (ctx->keymgmt == NULL)
> > goto not_supported;
> >
> > The callpath comes in from EVP_PKEY_fromdata_init:
> >
> > libctx = OSSL_LIB_CTX_new()
> > genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL);
>
>
> My guess is EVP_PKEY_CTX_new_from_name() is finding a default engine
> implementation for RSA. You might like to step through
> EVP_PKEY_CTX_new_from_name in the debugger (actually int_ctx_new in
> crypto/evp/pmeth_lib.c) and see if the "e" variable ever gets associated
> with an engine.
>
Yes variable e does indeed get associated with the "pkcs11 engine"
> If an engine is being found then the EVP_PKEY_CTX will use that engine
> implementation for all subsequent RSA operations. EVP_PKEY_fromdata will
> only work with provider based implementations (we should make that
> explicit in the documentation) - hence it will fail.
>
Is there any way I can build an RSA or EC public key and encrypt with that and
not go to a provider?
> Matt
>
>
>
> > int rc = EVP_PKEY_fromdata_init(genctx);
> >
> > I have no idea why it returns unsupported... any ideas?
> > I also tried replacing EVP_PKEY_CTX_new_from_name with
> > EVP_PKEY_CTX_new_id, same error.
> >
> > Thanks,
> > Bill
> >
Re: EVP_PKEY_fromdata_init returns unsupported.
On 25/02/2022 22:07, William Roberts wrote:
Hello,
In openssl 3.0.1 the following code hits the ctx->keymgt is null check
and thus returns -2
in pmeth_gn.c:
static int fromdata_init(EVP_PKEY_CTX *ctx, int operation)
{
if (ctx == NULL || ctx->keytype == NULL)
goto not_supported;
evp_pkey_ctx_free_old_ops(ctx);
if (ctx->keymgmt == NULL)
goto not_supported;
The callpath comes in from EVP_PKEY_fromdata_init:
libctx = OSSL_LIB_CTX_new()
genctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", NULL);
My guess is EVP_PKEY_CTX_new_from_name() is finding a default engine
implementation for RSA. You might like to step through
EVP_PKEY_CTX_new_from_name in the debugger (actually int_ctx_new in
crypto/evp/pmeth_lib.c) and see if the "e" variable ever gets associated
with an engine.
If an engine is being found then the EVP_PKEY_CTX will use that engine
implementation for all subsequent RSA operations. EVP_PKEY_fromdata will
only work with provider based implementations (we should make that
explicit in the documentation) - hence it will fail.
Matt
int rc = EVP_PKEY_fromdata_init(genctx);
I have no idea why it returns unsupported... any ideas?
I also tried replacing EVP_PKEY_CTX_new_from_name with
EVP_PKEY_CTX_new_id, same error.
Thanks,
Bill
