Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Dr Paul Dale
ward that would allow reading and writing to a key store while only using the fips provider? Thanks, Zeke Evans Micro Focus -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs wi

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
If that is a hypothetical context, what context is the official design goal of the OpenSSL Foundation for their validation effort? On 2021-01-28 11:26, Tomas Mraz wrote: This is a purely hypothetical context. Besides, as I said below - the PKCS12KDF should not be used with modern PKCS12 files.

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Tomas Mraz
This is a purely hypothetical context. Besides, as I said below - the PKCS12KDF should not be used with modern PKCS12 files. Because it can be used only with obsolete encryption algorithms anyway - the best one being 3DES for the encryption and SHA1 for the KDF. Tomas On Thu, 2021-01-28 at 11:08

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
rd that would allow reading and writing to a key store while only using the fips provider? Thanks, Zeke Evans Micro Focus -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs with fips

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Tomas Mraz
low > > > > > PKCS12KDF in the default provider as well as the crypto > > > > > methods > > > > > in > > > > > the fips provider? I have tried "provider=default,fips=yes" > > > > > but > > > > >

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
Message----- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs with fips 3.0 I'm not even sure that NIST can validate the PKCS#12 KDF. If it can't be validated, it doesn't belong in the FIPS provider. Paul

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Matt Caswell
karound for >>> reading in PKCS12 files in order to maintain backwards >>> compatibility.  Is there a recommended method going forward that >>> would allow reading and writing to a key store while only using the >>> fips provider? >>> >>> Thanks, >&

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Tomas Mraz
round > > > for > > > reading in PKCS12 files in order to maintain backwards > > > compatibility. Is there a recommended method going forward that > > > would allow reading and writing to a key store while only using > > > the > > > fips prov

Re: PKCS12 APIs with fips 3.0

2021-01-28 Thread Jakob Bohm via openssl-users
anks, Zeke Evans Micro Focus -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs with fips 3.0 I'm not even sure that NIST can validate the PKCS#12 KDF. If it can't be validated

RE: PKCS12 APIs with fips 3.0

2021-01-27 Thread Zeke Evans
That works. Thanks! -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 6:01 PM You could set the default property query to "?fips=yes". This will prefer FIPS algorithms over any others but will not prevent other algorithms from being

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Dr Paul Dale
ward that would allow reading and writing to a key store while only using the fips provider? Thanks, Zeke Evans Micro Focus -Original Message- From: openssl-users On Behalf Of Dr Paul Dale Sent: Tuesday, January 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 A

RE: PKCS12 APIs with fips 3.0

2021-01-26 Thread Zeke Evans
nuary 26, 2021 5:22 PM To: openssl-users@openssl.org Subject: Re: PKCS12 APIs with fips 3.0 I'm not even sure that NIST can validate the PKCS#12 KDF. If it can't be validated, it doesn't belong in the FIPS provider. Pauli On 26/1/21 10:48 pm, Tomas Mraz wrote: > On Tue, 2021-01-26 at 11:45 +00

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Dr Paul Dale
I'm not even sure that NIST can validate the PKCS#12 KDF. If it can't be validated, it doesn't belong in the FIPS provider. Pauli On 26/1/21 10:48 pm, Tomas Mraz wrote: On Tue, 2021-01-26 at 11:45 +, Matt Caswell wrote: On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote: On

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Tomas Mraz
On Tue, 2021-01-26 at 11:45 +, Matt Caswell wrote: > > On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote: > > On 2021-01-25 17:53, Zeke Evans wrote: > > > Hi, > > > > > > > > > > > > Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, > > > PKCS12_verify_mac) do not work in

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Matt Caswell
On 26/01/2021 11:05, Jakob Bohm via openssl-users wrote: > On 2021-01-25 17:53, Zeke Evans wrote: >> >> Hi, >> >>   >> >> Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, >> PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips >> provider.  It looks like that is because

Re: PKCS12 APIs with fips 3.0

2021-01-26 Thread Jakob Bohm via openssl-users
On 2021-01-25 17:53, Zeke Evans wrote: Hi, Many of the PKCS12 APIs (ie: PKCS12_create, PKCS12_parse, PKCS12_verify_mac) do not work in OpenSSL 3.0 when using the fips provider.  It looks like that is because they try to load PKCS12KDF which is not implemented in the fips provider.  These