diff --git a/Rakefile b/Rakefile index f73cc21b7..06a7c1917 100644 --- a/Rakefile +++ b/Rakefile @@ -28,7 +28,6 @@ Rake::TestTask.new(:test_fips_internal) do |t| t.test_files = FileList['test/**/test_*.rb'] - FileList[ 'test/openssl/test_hmac.rb', 'test/openssl/test_kdf.rb', - 'test/openssl/test_pkcs12.rb', 'test/openssl/test_ts.rb', ] t.warning = true diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb index 1b5328774..9f9a06cdc 100644 --- a/test/openssl/test_pkcs12.rb +++ b/test/openssl/test_pkcs12.rb @@ -5,8 +5,13 @@ module OpenSSL class TestPKCS12 < OpenSSL::TestCase - DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES" - DEFAULT_PBE_CERTS = "PBE-SHA1-3DES" + # Use the AES-256-CBC using PBKDF2 which is FIPS-approved, instead of the + # PBE-SHA1-3DES using PKCS12KDF which is not FIPS-approved as much as + # possible. As the AES-256-CBC is also used as `openssl pkcs12`'s default + # algorithm, the case is typical. See also the man page openssl-pkcs12(1). + # OpenSSL::PKCS12.create raises UNKNOWN_ALGORITHM in AWS-LC with AES-256-CBC. + DEFAULT_PBE_PKEYS = aws_lc? ? "PBE-SHA1-3DES" : "AES-256-CBC" + DEFAULT_PBE_CERTS = aws_lc? ? "PBE-SHA1-3DES" : "AES-256-CBC" def setup super @@ -34,6 +39,11 @@ def setup end def test_create_single_key_single_cert + # OpenSSL::PKCS12.create calling the PKCS12_create() has the argument + # mac_iter which uses a MAC key using PKCS12KDF which is not + # FIPS-approved. + omit_on_fips + pkcs12 = OpenSSL::PKCS12.create( "omg", "hello", @@ -55,8 +65,14 @@ def test_create_single_key_single_cert end def test_create_no_pass + # PKCS12KDF used for a MAC key is not FIPS-approved. + omit_on_fips + + # LibreSSL doesn't accept the nil as no pass. + pass = libressl? ? "" : nil + pkcs12 = OpenSSL::PKCS12.create( - nil, + pass, "hello", @mykey, @mycert, 
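Review bot: The comment added above `DEFAULT_PBE_PKEYS` is hard to parse: "which is not FIPS-approved as much as possible" reads as if the approval were partial, when the intent appears to be "prefer the approved algorithm wherever the backend allows it". I would reword the opening to `# Prefer AES-256-CBC with PBKDF2 (FIPS-approved) over PBE-SHA1-3DES with PKCS12KDF (not FIPS-approved) wherever the backend supports it.` and keep the AWS-LC sentence as the stated exception. Both constants evaluate `aws_lc?` in the class body, so the helper has to be callable on the class itself and not only on test instances; its definition is outside this hunk, so that is worth confirming. On AWS-LC the suite still exercises only the SHA1/3DES scheme, which the comment could say outright.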
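Review bot: `omit_on_fips` at the top of test_create_single_key_single_cert skips the test rather than pinning what FIPS mode actually does. The same guard is added to test_create_no_pass, test_create_with_chain, test_create_with_chain_decode, test_create_with_itr, test_create_with_mac_itr, test_create_with_keytype, test_new_with_no_keys, test_new_with_no_certs, test_dup and test_set_mac_pkcs12kdf, so although the Rakefile hunk now runs this file in `test_fips_internal`, these paths are not checked there. If `OpenSSL::PKCS12.create` is expected to fail under FIPS because the MAC key is derived with PKCS12KDF, one negative test would detect a build in which the non-approved KDF is silently accepted, e.g. `assert_raise(OpenSSL::PKCS12::PKCS12Error) { OpenSSL::PKCS12.create("omg", "hello", @mykey, @mycert) }`, run only when FIPS is enabled. The error class is an assumption to confirm against a FIPS run, and the body of the test continues outside the hunk.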
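Review bot: With `pass = libressl? ? "" : nil`, test_create_no_pass checks an empty password on LibreSSL and an absent one everywhere else, and for a PKCS12KDF-derived MAC key those two inputs can produce different results. The rest of the test is outside the hunk, so it is not visible whether the later decode uses the same `pass` value; if it still passes a literal, the LibreSSL branch may not round-trip what it created. I would extend the comment to record what LibreSSL does with nil, for example `# LibreSSL rejects a nil password in PKCS12.create (<observed error>); use "" there.`, so the special case can be removed once it no longer applies.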
@@ -73,6 +89,9 @@ def test_create_no_pass end def test_create_with_chain + # PKCS12KDF used for a MAC key is not FIPS-approved. + omit_on_fips + chain = [@inter_cacert, @cacert] pkcs12 = OpenSSL::PKCS12.create( @@ -88,6 +107,9 @@ def test_create_with_chain end def test_create_with_chain_decode + # PKCS12KDF used for a MAC key is not FIPS-approved. + omit_on_fips + chain = [@cacert, @inter_cacert] passwd = "omg" @@ -124,6 +146,9 @@ def test_create_with_bad_nid end def test_create_with_itr + # PKCS12KDF used for a MAC key is not FIPS-approved. + omit_on_fips + OpenSSL::PKCS12.create( "omg", "hello", @@ -150,6 +175,9 @@ def test_create_with_itr end def test_create_with_mac_itr + # PKCS12KDF used for a MAC key is not FIPS-approved. + omit_on_fips + OpenSSL::PKCS12.create( "omg", "hello", @@ -178,6 +206,9 @@ def test_create_with_mac_itr end def test_create_with_keytype + # PKCS12KDF used for a MAC key is not FIPS-approved. + omit_on_fips + omit "AWS-LC does not support KEY_SIG and KEY_EX" if aws_lc? OpenSSL::PKCS12.create( 
@@ -210,45 +241,47 @@ def test_create_with_keytype end def test_new_with_no_keys - # generated with: - # openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export + # PKCS12KDF used for a MAC key is not FIPS-approved. + omit_on_fips + + # Generated with the following steps: + # Print the value of the @mycert such as by `puts @mycert.to_s` and + # save the value as the file `mycert.pem`. + # Run the following commands: + # openssl pkcs12 -certpbe AES-256-CBC -in <(cat mycert.pem) \ + # -nokeys -export -passout pass:abc123 -out /tmp/p12.out + # base64 /tmp/p12.out str = <<~EOF.unpack1("m") -MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3 -DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw -DgQIjv5c3OHvnBgCAggAgIIFiMJa8Z/w7errRvCQPXh9dGQz3eJaFq3S2gXD -rh6oiwsgIRJZvYAWgU6ll9NV7N5SgvS2DDNVuc3tsP8TPWjp+bIxzS9qmGUV -kYWuURWLMKhpF12ZRDab8jcIwBgKoSGiDJk8xHjx6L613/XcRM6ln3VeQK+C -hlW5kXniNAUAgTft25Fn61Xa8xnhmsz/fk1ycGnyGjKCnr7Mgy7KV0C1vs23 -18n8+b1ktDWLZPYgpmXuMFVh0o+HJTV3O86mkIhJonMcnOMgKZ+i8KeXaocN -JQlAPBG4+HOip7FbQT/h6reXv8/J+hgjLfqAb5aV3m03rUX9mXx66nR1tQU0 -Jq+XPfDh5+V4akIczLlMyyo/xZjI1/qupcMjr+giOGnGd8BA3cuXW+ueLQiA -PpTp+DQLVHRfz9XTZbyqOReNEtEXvO9gOlKSEY5lp65ItXVEs2Oqyf9PfU9y -DUltN6fCMilwPyyrsIBKXCu2ZLM5h65KVCXAYEX9lNqj9zrQ7vTqvCNN8RhS -ScYouTX2Eqa4Z+gTZWLHa8RCQFoyP6hd+97/Tg2Gv2UTH0myQxIVcnpdi1wy -cqb+er7tyKbcO96uSlUjpj/JvjlodtjJcX+oinEqGb/caj4UepbBwiG3vv70 -63bS3jTsOLNjDRsR9if3LxIhLa6DW8zOJiGC+EvMD1o4dzHcGVpQ/pZWCHZC -+YiNJpQOBApiZluE+UZ0m3XrtHFQYk7xblTrh+FJF91wBsok0rZXLAKd8m4p -OJsc7quCq3cuHRRTzJQ4nSe01uqbwGDAYwLvi6VWy3svU5qa05eDRmgzEFTG -e84Gp/1LQCtpQFr4txkjFchO2whWS80KoQKqmLPyGm1D9Lv53Q4ZsKMgNihs -rEepuaOZMKHl4yMAYFoOXZCAYzfbhN6b2phcFAHjMUHUw9e3F0QuDk9D0tsr -riYTrkocqlOKfK4QTomx27O0ON2J6f1rtEojGgfl9RNykN7iKGzjS3914QjW -W6gGiZejxHsDPEAa4gUp0WiSUSXtD5WJgoyAzLydR2dKWsQ4WlaUXi01CuGy -+xvncSn2nO3bbot8VD5H6XU1CjREVtnIfbeRYO/uofyLUP3olK5RqN6ne6Xo -eXnJ/bjYphA8NGuuuvuW1SCITmINkZDLC9cGlER9+K65RR/DR3TigkexXMeN 
-aJ70ivZYAl0OuhZt3TGIlAzS64TIoyORe3z7Ta1Pp9PZQarYJpF9BBIZIFor -757PHHuQKRuugiRkp8B7v4eq1BQ+VeAxCKpyZ7XrgEtbY/AWDiaKcGPKPjc3 -AqQraVeQm7kMBT163wFmZArCphzkDOI3bz2oEO8YArMgLq2Vto9jAZlqKyWr -pi2bSJxuoP1aoD58CHcWMrf8/j1LVdQhKgHQXSik2ID0H2Wc/XnglhzlVFuJ -JsNIW/EGJlZh/5WDez9U0bXqnBlu3uasPEOezdoKlcCmQlmTO5+uLHYLEtNA -EH9MtnGZebi9XS5meTuS6z5LILt8O9IHZxmT3JRPHYj287FEzotlLdcJ4Ee5 -enW41UHjLrfv4OaITO1hVuoLRGdzjESx/fHMWmxroZ1nVClxECOdT42zvIYJ -J3xBZ0gppzQ5fjoYiKjJpxTflRxUuxshk3ih6VUoKtqj/W18tBQ3g5SOlkgT -yCW8r74yZlfYmNrPyDMUQYpLUPWj2n71GF0KyPfTU5yOatRgvheh262w5BG3 -omFY7mb3tCv8/U2jdMIoukRKacpZiagofz3SxojOJq52cHnCri+gTHBMX0cO -j58ygfntHWRzst0pV7Ze2X3fdCAJ4DokH6bNJNthcgmolFJ/y3V1tJjgsdtQ -7Pjn/vE6xUV0HXE2x4yoVYNirbAMIvkN/X+atxrN0dA4AchN+zGp8TAxMCEw -CQYFKw4DAhoFAAQUQ+6XXkyhf6uYgtbibILN2IjKnOAECLiqoY45MPCrAgII -AA== +MIIGhwIBAzCCBjUGCSqGSIb3DQEHAaCCBiYEggYiMIIGHjCCBhoGCSqGSIb3DQEHBqCCBgswggYH +AgEAMIIGAAYJKoZIhvcNAQcBMF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBBmfu7YGPAk +YVG9zCy8SQefAgIIADAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQtpZzo1fdoiTkeDBMwZUt +3YCCBZBYulEiz0dB/iLhIMGm7Pc0UV0dUdazwZHt9jgzjhejc6aZMfzyoRqTj7/Hl2D3ocslBywa +00HUcGA37E9d2RpNdKKiHEdlQR4VAYJl/cnuL85EDJxnMp/+W5TtTRDae08sjETCoMakH95TV3zo +Q5/xP42yORG6fg0YQ9Jb2c6UQ6zGP3nWtUlLkoHmkyHmDUI9M1TTldX/2R0d5A0Vd8GWSfTVhhMJ +bPuoa28aoWFKJo2etOa1crnX2yPBTh5C2AQEFi/HuO0zE+GGoRjpkM7c0O+Ravq25nmprDjGNajE +6zlRPkALszDIopuHnBiH9YxaMqPXdWwCn6LV4qGp/rBGQjJFqbQVDvlzosUdC00x8NdDiiZczMvB +VHOaHk7CpgFZhJvg3Dk6Of+S8BijXv3XKCWTY5O5LIwOHzeK3SWuLhBlD3WEjWBoeZZkdrGVs+0J +r696PlW6DUb1Wbw5NeYwwoV66w2KVsb7B0E3KWgVlWwlkur1ylReU2+u/bOD+or1+T/vS7Rku3zH +wVlBJpvp51k73AhoRaPHSjegqNVkMObUob1+GZ6ak07Sy+dH1EC1BR2iLiq9ON+jBm40c5f62dRm +Kri6gpv0/LHcVbv0a68JUzEpPMmVEaspX8dVG6+3+mhO+JvpuLdtQ0zZV/6sKfqd+yRc4p8ChMav +yhO6L4El52FIHv5iEpoHN2e+dBySL1fSnmkh+Z7TaMHR+arq3Y/GpRKrbuTkmspcuUALwiN6XpEL +dIiye3oUGL+VL5teNOBLHUlFPp73KR3ZBQQvCg8ybG90sjb7rxz6RvsPwYIrqdeOSnJrbnvOFmvU +j8pQ5T1RJqtaMg/D2Z+DcBD5lyeX2DeKQ/Pwk1uaHGJwsIKXaPzTmxcfdhOeBOaZg3THuu7kEqI9 
+RklL1XznXBjmVAI09y+02O6/Bg42TsyiCo+XSkN6aIbC1Gnmvm6e9MXlzw1RY3FKAWW8ZP0qjjup +08tFlt+s87ndpkMYBuJ/rN55fA/1nQgSDwgv3qDBxFgIoRsH6NEaF8Jycb/3DMVVaMe8mIDq+CFp +OfjbXAaq5j+3rzdcpcFvTZpn5uB0tLu+J/NhXYgWz+lhP0ghlktKBLiZ4SugCsXu+QJOK7Q3mv+H +5kDul6oLu8qk69IEBH2+bn7abwG6363pBBaweHMZQyaO8Xjhct3spWJluz5LoGKl8XUDma/9Wye1 +UmKeA6W8YTyc5RLjLTEGM0T7aeaDGEqAMJ22lD1iNtA0E1Psw1xWeq83IWdk53v7RC9jLGBCHA/w ++O9jC1mbFyz0c/9N0aWFDd1a2Gk0WmuRCFT6a0AwhASUlp8qsJISJncxI0r+ZEs6OusiMkkSfzlS +SdSBOxVmIPFMJ2Vst4ku/PgZgCddaMz8MmDPowiB3P5IXnW7/j+LqHl8b/wirGyen82Ui9v99xBL +qZaL4lZwUNwIJRDptuSys4QPRtHzq0b3qegQpCCUwVzWO4S9lZ1RNciQN+VA8XUo3X9oErY68QQW +v9t0ljYKJhX17Vasnd99uCHaR6pjJB1nNgJj3+dGPoSfHL5sT8xQ31pxfZcLH+/Aesx/TGMrRCsF +PPWbc+7FroeGruSm0k2LPE53ExI11IFOgyHDUfoAHMqTXJiyxCgR0TqwsNkg5fZzOTsnTuSYjP/4 +Avu9K5XAjZOhv6dddZQug/QIJ32DIMCynVN3WwQkiiam/3XV686Z8H1AB3dyB3JYOoSF6PuALYdr +uRffsH7IVksxWjK6WG8Q2vVEdHNZjIMoZIQjx5RJXKRTAh29uHLaO2nmJt8VGlo0CnUJ0ZInLXmv +81+9DIawctjedLGIYETYd9j3LYe3bxIA0qfecnP8IPpomRL6YOJCgJ5cw2sM/ZLSTxpicbjgChee +cfBR6TBJMDEwDQYJYIZIAWUDBAIBBQAEIGNRVdh6EXs63L/bK7mkiBsqSAIrzVOFqdAxlKeisVLF +BBCW+YZolO3mRPS/gzK4QiwbAgIIAA== EOF p12 = OpenSSL::PKCS12.new(str, "abc123") 
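Review bot: The regeneration recipe in test_new_with_no_keys is not reproducible as written, because it does not record which openssl release produced the blob and leaves the MAC digest and iteration count at that release's defaults. A later regeneration can therefore yield a structurally different fixture without anyone noticing. I would add a line such as `# Generated with OpenSSL <version used>` and replace the bash-only process substitution `-in <(cat mycert.pem)` with plain `-in mycert.pem`. The missing version line applies equally to the recipe in test_new_with_no_certs.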
@@ -259,66 +292,61 @@ def test_new_with_no_keys end def test_new_with_no_certs - # generated with: - # openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export + # PKCS12KDF used for a MAC key is not FIPS-approved. + omit_on_fips + + # Generated with the folowing steps: + # openssl pkcs12 -inkey test/openssl/fixtures/pkey/rsa-1.pem \ + # -nocerts -export -passout pass:abc123 -out /tmp/p12.out + # base64 /tmp/p12.out str = <<~EOF.unpack1("m") -MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3 -DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK -KoZIhvcNAQwBAzAOBAjX5nN8jyRKwQICCAAEgglIBIRLHfiY1mNHpl3FdX6+ -72L+ZOVXnlZ1MY9HSeg0RMkCJcm0mJ2UD7INUOGXvwpK9fr6WJUZM1IqTihQ -1dM0crRC2m23aP7KtAlXh2DYD3otseDtwoN/NE19RsiJzeIiy5TSW1d47weU -+D4Ig/9FYVFPTDgMzdCxXujhvO/MTbZIjqtcS+IOyF+91KkXrHkfkGjZC7KS -WRmYw9BBuIPQEewdTI35sAJcxT8rK7JIiL/9mewbSE+Z28Wq1WXwmjL3oZm9 -lw6+f515b197GYEGomr6LQqJJamSYpwQbTGHonku6Tf3ylB4NLFqOnRCKE4K -zRSSYIqJBlKHmQ4pDm5awoupHYxMZLZKZvXNYyYN3kV8r1iiNVlY7KBR4CsX -rqUkXehRmcPnuqEMW8aOpuYe/HWf8PYI93oiDZjcEZMwW2IZFFrgBbqUeNCM -CQTkjAYxi5FyoaoTnHrj/aRtdLOg1xIJe4KKcmOXAVMmVM9QEPNfUwiXJrE7 -n42gl4NyzcZpxqwWBT++9TnQGZ/lEpwR6dzkZwICNQLdQ+elsdT7mumywP+1 -WaFqg9kpurimaiBu515vJNp9Iqv1Nmke6R8Lk6WVRKPg4Akw0fkuy6HS+LyN -ofdCfVUkPGN6zkjAxGZP9ZBwvXUbLRC5W3N5qZuAy5WcsS75z+oVeX9ePV63 -cue23sClu8JSJcw3HFgPaAE4sfkQ4MoihPY5kezgT7F7Lw/j86S0ebrDNp4N -Y685ec81NRHJ80CAM55f3kGCOEhoifD4VZrvr1TdHZY9Gm3b1RYaJCit2huF -nlOfzeimdcv/tkjb6UsbpXx3JKkF2NFFip0yEBERRCdWRYMUpBRcl3ad6XHy -w0pVTgIjTxGlbbtOCi3siqMOK0GNt6UgjoEFc1xqjsgLwU0Ta2quRu7RFPGM -GoEwoC6VH23p9Hr4uTFOL0uHfkKWKunNN+7YPi6LT6IKmTQwrp+fTO61N6Xh -KlqTpwESKsIJB2iMnc8wBkjXJtmG/e2n5oTqfhICIrxYmEb7zKDyK3eqeTj3 -FhQh2t7cUIiqcT52AckUqniPmlE6hf82yBjhaQUPfi/ExTBtTDSmFfRPUzq+ -Rlla4OHllPRzUXJExyansgCxZbPqlw46AtygSWRGcWoYAKUKwwoYjerqIV5g -JoZICV9BOU9TXco1dHXZQTs/nnTwoRmYiL/Ly5XpvUAnQOhYeCPjBeFnPSBR -R/hRNqrDH2MOV57v5KQIH2+mvy26tRG+tVGHmLMaOJeQkjLdxx+az8RfXIrH 
-7hpAsoBb+g9jUDY1mUVavPk1T45GMpQH8u3kkzRvChfOst6533GyIZhE7FhN -KanC6ACabVFDUs6P9pK9RPQMp1qJfpA0XJFx5TCbVbPkvnkZd8K5Tl/tzNM1 -n32eRao4MKr9KDwoDL93S1yJgYTlYjy1XW/ewdedtX+B4koAoz/wSXDYO+GQ -Zu6ZSpKSEHTRPhchsJ4oICvpriVaJkn0/Z7H3YjNMB9U5RR9+GiIg1wY1Oa1 -S3WfuwrrI6eqfbQwj6PDNu3IKy6srEgvJwaofQALNBPSYWbauM2brc8qsD+t -n8jC/aD1aMcy00+9t3H/RVCjEOb3yKfUpAldIkEA2NTTnZpoDQDXeNYU2F/W -yhmFjJy8A0O4QOk2xnZK9kcxSRs0v8vI8HivvgWENoVPscsDC4742SSIe6SL -f/T08reIX11f0K70rMtLhtFMQdHdYOTNl6JzhkHPLr/f9MEZsBEQx52depnF -ARb3gXGbCt7BAi0OeCEBSbLr2yWuW4r55N0wRZSOBtgqgjsiHP7CDQSkbL6p -FPlQS1do9gBSHiNYvsmN1LN5bG+mhcVb0UjZub4mL0EqGadjDfDdRJmWqlX0 -r5dyMcOWQVy4O2cPqYFlcP9lk8buc5otcyVI2isrAFdlvBK29oK6jc52Aq5Q -0b2ESDlgX8WRgiOPPxK8dySKEeuIwngCtJyNTecP9Ug06TDsu0znZGCXJ+3P -8JOpykgA8EQdOZOYHbo76ZfB2SkklI5KeRA5IBjGs9G3TZ4PHLy2DIwsbWzS -H1g01o1x264nx1cJ+eEgUN/KIiGFIib42RS8Af4D5e+Vj54Rt3axq+ag3kI+ -53p8uotyu+SpvvXUP7Kv4xpQ/L6k41VM0rfrd9+DrlDVvSfxP2uh6I1TKF7A -CT5n8zguMbng4PGjxvyPBM5k62t6hN5fuw6Af0aZFexh+IjB/5wFQ6onSz23 -fBzMW4St7RgSs8fDg3lrM+5rwXiey1jxY1ddaxOoUsWRMvvdd7rZxRZQoN5v -AcI5iMkK/vvpQgC/sfzhtXtrJ2XOPZ+GVgi7VcuDLKSkdFMcPbGzO8SdxUnS -SLV5XTKqKND+Lrfx7DAoKi5wbDFHu5496/MHK5qP4tBe6sJ5bZc+KDJIH46e -wTV1oWtB5tV4q46hOb5WRcn/Wjz3HSKaGZgx5QbK1MfKTzD5CTUn+ArMockX -2wJhPnFK85U4rgv8iBuh9bRjyw+YaKf7Z3loXRiE1eRG6RzuPF0ZecFiDumk -AC/VUXynJhzePBLqzrQj0exanACdullN+pSfHiRWBxR2VFUkjoFP5X45GK3z -OstSH6FOkMVU4afqEmjsIwozDFIyin5EyWTtdhJe3szdJSGY23Tut+9hUatx -9FDFLESOd8z3tyQSNiLk/Hib+e/lbjxqbXBG/p/oyvP3N999PLUPtpKqtYkV -H0+18sNh9CVfojiJl44fzxe8yCnuefBjut2PxEN0EFRBPv9P2wWlmOxkPKUq -NrCJP0rDj5aONLrNZPrR8bZNdIShkZ/rKkoTuA0WMZ+xUlDRxAupdMkWAlrz -8IcwNcdDjPnkGObpN5Ctm3vK7UGSBmPeNqkXOYf3QTJ9gStJEd0F6+DzTN5C -KGt1IyuGwZqL2Yk51FDIIkr9ykEnBMaA39LS7GFHEDNGlW+fKC7AzA0zfoOr -fXZlHMBuqHtXqk3zrsHRqGGoocigg4ctrhD1UREYKj+eIj1TBiRdf7c6+COf -NIOmej8pX3FmZ4ui+dDA8r2ctgsWHrb4A6iiH+v1DRA61GtoaA/tNRggewXW -VXCZCGWyyTuyHGOqq5ozrv5MlzZLWD/KV/uDsAWmy20RAed1C4AzcXlpX25O -M4SNl47g5VRNJRtMqokc8j6TjZrzMDEwITAJBgUrDgMCGgUABBRrkIRuS5qg 
-BC8fv38mue8LZVcbHQQIUNrWKEnskCoCAggA +MIIKUgIBAzCCCgAGCSqGSIb3DQEHAaCCCfEEggntMIIJ6TCCCeUGCSqGSIb3DQEHAaCCCdYEggnS +MIIJzjCCCcoGCyqGSIb3DQEMCgECoIIJuTCCCbUwXwYJKoZIhvcNAQUNMFIwMQYJKoZIhvcNAQUM +MCQEEI01CXHjkMt/msnpv5I8CuECAggAMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBC88lPx +nXduPOMxkNGSAMzhBIIJUHXa+UzIw1TfeBBPu630vtrAYnGgwUiUrxbMt1hDKHq3mmuadAjghQSG +zzq61lU1KOYtsA7mYRwUGS3lXdTGTP4rbrIsDUjSkwo+6DX8d4IG2uhwhSK3Te2bMsygFBVaJF+k +X71DAyI6FF9rVo6npTdcDkW/aobuPysyE1vhGbitri+yAnMizutS/C3D1SfwK6BA3c2PfVgL63dO +8T3nbbIezJLuwxvuIg719MYXwFgvfqm/OHSpM+tfhnoWXwNhp78XH6t0tmHPtX1knKSmZyqZS5ZH +u3qJJaQv3it2G/v0gFahKBEL5SFBmFKdEXoLNBmeK34qm6OxMfh7FzJeicZjJBC696Nunm69iwSi +VQdYVeC9/qM0nc3GKdtPrWbcTE6mv1SQZYuRncfTpBpSMp18UdMa3mfpY3jab1Vm2H5NjeBHssJu +LHiyLYXumAss3CWU90MAET+PVzJp3gvB51GM/ULlunVB6pOgAuLOtXJRPvaQvty5K/S5AqkNRd07 +yZZjxYXuhJIm0fPVe0kqVqJ8Skfp/v5a2rYcnCNYbrNG2/UH8cov9IXDlMcPQzVQRHPmiMstLDte +pjL711b0X3E0nJ9fXCJmaB/m9dmKBF2J/xjLj6A6dkzL4usv/QUpuoFWW2ATLm9YMOslSZvWCvPl +4DDwkzQRwhRQoxqOusWhttQBexLX6N0k/NOWukb5RxpTaEpc4fFK/AFa/t74+dufP0nciKGd12iG +WruMo25aMnnrqQM0vXRmoIwhG/puIgTLeXJOlC0BZrszVTrqlRHdUtrxsiumF1rNXUekZSNNvCDM +hZsRGulwQMNxbKvt0mZc04NuNcnBTHzCxDllKrI2SvWd+4fhzzqiIpGYcMdW5h7zw2+FQIyzmulB +xhB+SYH4Vm3g6+lws3yYNCLBxedtypTjppOergSQOrK1ZrB5YaVgw11uqkeSl8e0phbQPAp4NF+l +2HZNmybhj5ryX5niIyo9Wv7qtctqvxq6zuZ/AVIDpcEWLwUEL2H5bi+Uu2zBa/EGTCA0Kklgzsm4 +L450xo1fbskLju1/PMt2Ssdlwt7cmkhK4OLzWnVYlqUCzWNyZBkUpuAdSfPq2pd+VwzpIAjTV8x/ +PJ0Qm9T5ncOBokxIQDZW60mMiWTLN5i39onkcouO6OTsZApWG54duCXd7oAS29Wssuzf0uEYkdzU +w4YCY0wdjWwelMQOutJ9l+sNZcxWxcNEd389a33S6nhRJPNp61aW53zQFvFEpWCW4fRrqyxbSIFB +mqZwb/Ge3g2uqk/04euAh+mYMpjSB6T7Bza2J7pIwNnIoGwkJGWh0EeuiTCIQ8So+ThM1nEUy+ww ++k08XZm5rWwA76mpSiOliD8y1x7vxd09PWETis3pERhFfT4G5yxhTVTogwWm5QJ9Y9QCL51mV9MW +gfkbySL8nxC32nw7aYOSX2/m4HmqwEoVLrZxO2d1lGAN6qt+Ytw5ZS4j8rEvcKKg1NnyU9M+mrsB +6ESSSoEhKPMb5YUTr1RNi9RZ6uhd8pZniRttrX9S64KE/UU6ZEBcWB4gEUK/A1a6AOQgc6N5z2mI +qP2Guvt9dzXX45HTfVaZz1IwuSMJnPhvKgzdGsUX3v/A2Q+MyTuU16fxNDI8hBap/+OlgSfrTSmt 
+hmnTgnLIPcvv093CRFhhKY3wP1M6YlQst1ge1mLa4ZcA06golsvj/rQkbK4ZR2JCX2v1oWaUCGmF +3GfYsFjJn8/QxMf8nIQVKfHwmnXoy9yeghKSW0mbJ5o0iC82XJiewp+UeIOwScza2+SMnrV91w1F +/DpDbceBkl2m+/piMk27TQQhiWK8aEUpTdMdsjDAWDV8Qt/GNnrfQGrPWxuzmBo6NgdDUsJpPBEa +NuN+jEgIc9HbZL9seOcBRvy2Zk+ESznEVJFPj3ItLHCEsUrLU2WV4xEOc9zxbgTBUbmliQ4OMvJu +PvSzUhc7//N1OCrUSwqpvAecpLKOLkvE/k2+rshWasttx1by9+0YqrmmOV32+OdFTdaFyPh5jLXz +cdx+GRSiFMA2MpX44OMcJNGKMhAPTo7L0Xlhm9ZZzMpzt13gFualzTlc/wa1TBXdBO3wh5IHfFiI +I2my+By3n0WlJ7sxlIeBsUThdNWGuuu1vo9kUJ7TsiFrCikjoQg+eT/2q0nY/bwq916uEVfXJM5V +1FfEz64r7/yFqlti85jYPpfEdGASXOobIQ6q8XaHucDhDifBnWMLvFiFk9FOngOCQtb7MKu09Z6q +X+XIY2JQcIunB1mVNgkrKm4lPUpfkgfwVjyRXZJL25DXuSsfCpFmzYHrbm4971So58I9JOlrSfIf +wBC4ys9kJKmz3W4+9/8rJI9zDI0MShxvhF6LRVStRjm3Vi09y/C2XOZ+ygHHhaIfYlHJ8knq7NoD +fz/SOW8b2bvZnuC60MqkxrTwuobdk73HgjT8BKe+79zcBGNcnoTy0rmFmhOBBzfsbr5yOEWvxsux +83yJt6qOxf4KwKPP1RPRX5s/5npZWqGa6FtNBcznWYSFy4FvoY8ok0lL9xJXG2ugGeac+wSc1tRL +4rL6JlzcsBVTE8SV5D6ezGFtZKjBfmkSR4dXq6HcqiCqWhJQ1gdOKFsZknYvmWZodVjRRLJUl91f +9NsQ4bnEcfgow7/S30E4mUkgJDCG/SFLFrkkuR5DQZ3L3QV8AxLsLzYfb7MWYNYT3J+ya+zkGfdL +cfY/V7ejIFVz5BImmEvUR50x7kJcvcOp3iyU9TmDqF3DMsqGtU3dSRrbUUV3NxPkq58l2KeC9xlQ +p0emfEScWmiYJmZep8PeMMd0O9GkN0y7QrmzSarcsHnyuTy3pU/haLfgB2KTFK5rOw+4gJhFxZvL +ldpx/oWz1MmYRuM4923tESXMAe+QbCGClWlT2xXwjr1RBJF6FCh6iyDaU5t5twsa2pmMe7+z7UIJ +R/IUS6tBcF2UYRv+ebVDh7yE2srIMU/1GTyDVOnHsiJZ8QpxPD3vy0qN237cx09SyoXTCL8RSjfE +hFdl6Z8zT1LrKpqZ6BGfsg+mMX0kLV3VXGBA8NkEt5p0E4AADI2YufFSltdO3kCnwLjv+P+tBY7/ +MKeIA0w3+mGnhnG9pEZakdnZdC4yp2D4REI8R2687ayT4ps+yFE35c5OwxnALvkyduFhuC1Cz2ye +4JS20ZePMEkwMTANBglghkgBZQMEAgEFAAQgvP8g52ab9MouQYsJaj8rqfc7qZI+l5wgTRI7rgd7 +NVgEEG5jLuv43kXMoGSKg7M2SY4CAggA EOF p12 = OpenSSL::PKCS12.new(str, "abc123") @@ -328,6 +356,9 @@ def test_new_with_no_certs end def test_dup + # PKCS12KDF used for a MAC key is not FIPS-approved. + omit_on_fips + p12 = OpenSSL::PKCS12.create( "pass", "name", 
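Review bot: The recipe comment in test_new_with_no_certs omits `-keypbe`, so the key encryption depends on the default of whichever openssl binary is used, whereas the recipe in test_new_with_no_keys states `-certpbe AES-256-CBC` explicitly. That default has changed between OpenSSL releases, so I would write the command as `openssl pkcs12 -keypbe AES-256-CBC -inkey test/openssl/fixtures/pkey/rsa-1.pem \` to make a regenerated fixture keep exercising the AES-256-CBC/PBKDF2 path. The same comment misspells "following" as "folowing".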
@@ -341,6 +372,10 @@ def test_dup end def test_set_mac_pkcs12kdf + # OpenSSL::PKCS12.create's argument mac_iter uses MAC key using PKCS12KDF + # which is not FIPS-approved. + omit_on_fips + p12 = OpenSSL::PKCS12.create( "pass", "name",