From c79b4354074742ca1cbbb25a4f04bbffeb58407d Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Wed, 3 Jul 2024 19:40:07 +0900 Subject: [ruby/openssl] pkcs12: add PKCS12#set_mac Add a binding for PKCS12_set_mac() to set MAC parameters and (re-)calculate MAC for the content. This allows generating PKCS #12 with consistent MAC parameters with different OpenSSL versions. OpenSSL 3.0 changed the default hash function used for HMAC and the KDF from SHA-1 to SHA-256. Fixes: https://github.com/ruby/openssl/issues/772 https://github.com/ruby/openssl/commit/f5ed2a74b6 --- test/openssl/test_pkcs12.rb | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) (limited to 'test') diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb index faf26c9e3e..68a23b28c0 100644 --- a/test/openssl/test_pkcs12.rb +++ b/test/openssl/test_pkcs12.rb @@ -337,6 +337,48 @@ BC8fv38mue8LZVcbHQQIUNrWKEnskCoCAggA ) assert_equal p12.to_der, p12.dup.to_der end + + def test_set_mac_pkcs12kdf + p12 = OpenSSL::PKCS12.create( + "pass", + "name", + @mykey, + @mycert, + nil, + nil, + nil, + nil, + 1234, # mac_iter + nil, + ) + macdata = macdata(p12) + # Depends on the OpenSSL version: SHA256 in OpenSSL >= 3.0 + assert_include ["SHA1", "SHA256"], macdata[:mac_algo] + assert_equal 1234, macdata[:iter] + + p12.set_mac("pass", "macsalt", 2345, "SHA384") + macdata = macdata(p12) + assert_equal "SHA384", macdata[:mac_algo] + assert_equal "macsalt", macdata[:salt] + assert_equal 2345, macdata[:iter] + assert_equal @mykey.to_der, OpenSSL::PKCS12.new(p12.to_der, "pass").key.to_der + end + + private + + def macdata(p12) + # See RFC 7292 + asn1 = OpenSSL::ASN1.decode(p12.to_der) + macdata = asn1.value[2] + mac = macdata.value[0] + mac_algo = mac.value[0].value[0].value + _mac_params = mac.value[0].value[1] + { + mac_algo: mac_algo, + salt: macdata.value[1].value, + iter: macdata.value[2]&.value, + } + end end end -- cgit v1.2.3