openssl/openssl
View on GitHubSupport FIPS-compliant PKCS#12 files and create them by default in FIPS mode
Open
#24,546 opened on Jun 3, 2024
help wantedtriaged: feature
Repository metrics
- Stars
- (30,157 stars)
- PR merge metrics
- (No merged PRs in 30d)
Description
The PKCS12KDF is not FIPS approved, so it's missing from the fips provider. Therefore it's not possible to create a PKCS #12 file that only uses FIPS approved algorithms in currently released versions of OpenSSL.
I've just published RFC 9579 that documents how to use PBMAC1 and therefore the FIPS approved PBKDF2 for the purpose of whole file integrity check.
I'd like to ask for:
- support for RFC 9579 (PBMAC1 in
PKCS #12) - use of it by default when OpenSSL is operating in FIPS mode
Related:
- #19997
- #20072