Bug 1225596

Summary: [SLES15SP6][SECURITY][FIPS] openssl pkcs12 fails under fips
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP6 Reporter: Timo Jyrinki <tjyrinki>
Component: Security Certifications Assignee: Certification Bugs <certification-bugs>
Status: NEW --- QA Contact:
Severity: Normal    
Priority: P5 - None CC: felice.maccaro, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://openqa.suse.de/tests/14470716/modules/tls_389ds_server/steps/35
Whiteboard: FIPS
Found By: openQA Services Priority:
Business Priority: Blocker: Yes
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 1220333    

Description Timo Jyrinki 2024-05-29 10:49:03 UTC
On 15-SP6, the result of the last command of the following:

> openssl req -new -x509 -newkey rsa:2048 -keyout myca.key -days 3568 -out myca.pem -nodes -subj "/C=CN/ST=Beijing/L=Beijing/O=QA/OU=security/CN=389ds.ca.example.com" -addext "keyUsage=digitalSignature,keyEncipherment,dataEncipherment,cRLSign,keyCertSign";
> openssl genrsa -out server.key 2048
> openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=QA/OU=security/CN=389ds.example.com"
> openssl x509 -req -days 3560 -CA myca.pem -CAkey myca.key -CAcreateserial -in server.csr -out server.pem
> openssl pkcs12 -export -inkey server.key -in server.pem -out crt.p12 -nodes -name Server-Cert -password pass:""

is:

> Certificate request self-signature ok
> subject=C = CN, ST = Beijing, L = Beijing, O = QA, OU = security, CN = 389ds.example.com
> Warning: output encryption option -nodes ignored with -export
> Error creating PKCS12 MAC; no PKCS12KDF support?
> Use -nomac if MAC not required and PKCS12KDF support not available.
> 40874481DA7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (PKCS12KDF : 183), Properties (<null>)
> 40874481DA7F0000:error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:crypto/pkcs12/p12_mutl.c:157:
> 40874481DA7F0000:error:1180006D:PKCS12 routines:PKCS12_set_mac:mac generation error:crypto/pkcs12/p12_mutl.c:230:

while on 15-SP5 it's fine without an error.
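
For triaging this kind of failure in test logs, the sketch below parses the three error-queue lines quoted in the report and picks out the algorithm whose fetch failed. It is an added example, not part of the original report or of openQA or OpenSSL. The function names are hypothetical, and the bit layout assumed is the OpenSSL 3.x one from `include/openssl/err.h`.

```python
import re

# OpenSSL 3.x error-code layout (include/openssl/err.h): library number in
# bits 23-30, reason flags in bits 18-22, reason number in bits 0-17.
LIB_SHIFT, LIB_MASK = 23, 0xFF
RFLAG_COMMON = 0x2 << 18   # reason is a library-independent ERR_R_* value
REASON_NUM_MASK = 0x3FFFF
ERR_R_UNSUPPORTED_NUM = 268  # reason number behind the "unsupported" text

# The three error-queue lines from the output quoted in the report.
SAMPLE = """\
40874481DA7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:341:Global default library context, Algorithm (PKCS12KDF : 183), Properties (<null>)
40874481DA7F0000:error:1180006B:PKCS12 routines:pkcs12_gen_mac:key gen error:crypto/pkcs12/p12_mutl.c:157:
40874481DA7F0000:error:1180006D:PKCS12 routines:PKCS12_set_mac:mac generation error:crypto/pkcs12/p12_mutl.c:230:
"""

FETCH_DATA = re.compile(r"Algorithm \((?P<alg>[^ )]+) : \d+\), Properties \((?P<props>[^)]*)\)")

def parse_line(line):
    """Split one error-queue line into fields; None for any other output line."""
    parts = line.strip().split(":", 8)  # the trailing data field may contain ':'
    if len(parts) < 9 or parts[1] != "error":
        return None
    try:
        code = int(parts[2], 16)
    except ValueError:
        return None
    return {
        "lib": (code >> LIB_SHIFT) & LIB_MASK,
        "common": bool(code & RFLAG_COMMON),
        "reason": code & REASON_NUM_MASK,
        "lib_text": parts[3], "func": parts[4], "reason_text": parts[5],
        "where": f"{parts[6]}:{parts[7]}", "data": parts[8],
    }

def parse_queue(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def unsupported_fetches(text):
    """Return (algorithm, property query) for every failed algorithm fetch."""
    hits = []
    for e in parse_queue(text):
        m = FETCH_DATA.search(e["data"])
        if m and e["common"] and e["reason"] == ERR_R_UNSUPPORTED_NUM:
            hits.append((m["alg"], m["props"]))
    return hits

if __name__ == "__main__":
    for alg, props in unsupported_fetches(SAMPLE):
        print(f"algorithm {alg} not provided (properties: {props})")
```

On the quoted output the first entry decodes to library 6 (EVP) with the common "unsupported" reason, and the two PKCS12 entries (library 35) are follow-on errors from the same failed fetch.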