## Invalid key length

According to the src code check on pbkdf2.c:223:
```
        if (ctx->lower_bound_checks != 0
            && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) {
            ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
            return 0;
        }
```
And from pbkdf2.c:53:

`#define KDF_PBKDF2_MIN_PASSWORD_LEN (8)`

One needs to use a password string >= 8 to export p12.

## MAC support issue

With a valid key length, one still gets an error:

```
Error creating PKCS12 MAC; no PKCS12KDF support?
Use -nomac if MAC not required and PKCS12KDF support not available.
80DB99D2C77F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (PKCS12KDF : 0), Properties (<null>)
80DB99D2C77F0000:error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:../crypto/pkcs12/p12_mutl.c:152:
80DB99D2C77F0000:error:1180006D:PKCS12 routines:PKCS12_set_mac:mac generation error:../crypto/pkcs12/p12_mutl.c:225:
```

Which might be related to the PR mentioned above, investigating...

https://bugs.launchpad.net/bugs/2107991

Title:
  fips-updates openssl is broken for PKCS#12/p12 certs
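
A preflight for the two failures reported in the comment above, written as an added example that is not part of the bug report or of OpenSSL. The function names are hypothetical, the sample listings are constructed, and it assumes the `name @ provider` line format printed by `openssl list -kdf-algorithms`.

```shell
#!/bin/sh
# Added example, not from the bug report: preflight for a PKCS#12 export.
MIN_PASSWORD_LEN=8   # value of KDF_PBKDF2_MIN_PASSWORD_LEN quoted above

# Length of $1 in bytes; the quoted check compares data_size, not characters.
password_bytes() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Reads `openssl list -kdf-algorithms` output on stdin; succeeds if KDF $1 is
# listed. Lines look like "  PKCS12KDF @ default" or "  { OID, PBKDF2 } @ fips".
kdf_listed() {
    tr -d '{},' | awk -v want="$1" '
        { for (i = 1; i <= NF && $i != "@"; i++) if (toupper($i) == toupper(want)) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# $1 = export password, $2 = KDF listing text.
# Returns 0 if neither error above is expected, else 1 (short password),
# 2 (PKCS12KDF missing) or 3 (both); prints one line per finding.
p12_preflight() {
    problems=0
    if [ "$(password_bytes "$1")" -lt "$MIN_PASSWORD_LEN" ]; then
        echo "password < $MIN_PASSWORD_LEN bytes: rejected when lower_bound_checks is on"
        problems=$((problems + 1))
    fi
    if ! printf '%s\n' "$2" | kdf_listed PKCS12KDF; then
        echo "PKCS12KDF not provided: PKCS12 MAC generation will fail"
        problems=$((problems + 2))
    fi
    return "$problems"
}

# Constructed listings for an offline run (not captured from the affected host).
SAMPLE_DEFAULT='Provided KDFs and PDFs:
  { 1.2.840.113549.1.5.12, PBKDF2 } @ default
  PKCS12KDF @ default'
SAMPLE_FIPS='Provided KDFs and PDFs:
  { 1.2.840.113549.1.5.12, PBKDF2 } @ fips'

p12_preflight 'short' "$SAMPLE_FIPS" || echo "exit status: $?"
# On a real host: p12_preflight "$pw" "$(openssl list -kdf-algorithms)"
```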
