openssl/openssl

Support FIPS-compliant PKCS#12 files and create them by default in FIPS mode

Open

#24,546 opened on Jun 3, 2024

View on GitHub
 (16 comments) (0 reactions) (0 assignees)C (11,262 forks)batch import
help wantedtriaged: feature

Repository metrics

Stars
 (30,157 stars)
PR merge metrics
 (No merged PRs in 30d)

Description

The PKCS12KDF is not FIPS approved, so it's missing from the fips provider. Therefore it's not possible to create a PKCS #12 file that only uses FIPS approved algorithms in currently released versions of OpenSSL.

I've just published RFC 9579 that documents how to use PBMAC1 and therefore the FIPS approved PBKDF2 for the purpose of whole file integrity check.

I'd like to ask for:

  • support for RFC 9579 (PBMAC1 in PKCS #12)
  • use of it by default when OpenSSL is operating in FIPS mode

Related:

  • #19997
  • #20072

Contributor guide