From: slontis
Date: Fri, 6 Mar 2026 04:25:27 +0000 (+1100)
Subject: PKCS12: Document that the range for key length when using PBMAC1 is (1..64).
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a65de3d6bc393f59c5d14583f99185fb403ba4bd;p=thirdparty%2Fopenssl.git

PKCS12: Document that the range for key length when using PBMAC1 is (1..64).

Fixes #30246

Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Paul Dale
Reviewed-by: Tomas Mraz
MergeDate: Thu Mar 12 10:47:32 2026
(Merged from https://github.com/openssl/openssl/pull/30279)
---
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index acaf1134eea..c98f890bc18 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c @@ -151,7 +151,8 @@ static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_CTX *ctx, const char *propq, if (pbkdf2_param->keylength != NULL) keylen = ASN1_INTEGER_get(pbkdf2_param->keylength); if (keylen <= 0 || keylen > EVP_MAX_MD_SIZE) { - ERR_raise_data(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR, "Invalid Key length"); + ERR_raise_data(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR, + "Invalid Key length (%d is not in the range 1..64)", keylen); goto err; } diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in index 1f153bd3264..ab49c95291d 100644 --- a/doc/man1/openssl-pkcs12.pod.in +++ b/doc/man1/openssl-pkcs12.pod.in @@ -406,6 +406,10 @@ Although there are a large number of options most of them are very rarely used. For PKCS#12 file parsing only B<-in> and B<-out> need to be used for PKCS#12 file creation B<-export> and B<-name> are also used. +When loading using B<-in>, An error will occur if the PKCS12 macdata contains +PBMAC1 and the related PBKDF2 parameters are missing, or if the associated +key length is not in the range 1 to 64. + If none of the B<-clcerts>, B<-cacerts> or B<-nocerts> options are present then all certificates will be output in the order they appear in the input PKCS#12 files. There is no guarantee that the first certificate present is 
diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod index 752db3bd4a3..edcbeb5612c 100644 --- a/doc/man3/PKCS12_gen_mac.pod +++ b/doc/man3/PKCS12_gen_mac.pod @@ -37,6 +37,8 @@ The default key generation mechanism used is PKCS12KDF. PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied password. +If the PKCS12 macdata contains PBMAC1 an error will occur if the related PBKDF2 +parameters are missing, or if the associated key length is not in the range 1 to 64. PKCS12_setup_mac() sets the MAC part of the PKCS#12 structure with the supplied parameters.
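Review bot: in the p12_mutl.c hunk the new error text hardcodes the literal 64 while the guard just above it compares against EVP_MAX_MD_SIZE, so the message and the check can silently drift apart if the macro ever changes; consider passing the bound into the format string instead, e.g. `"Invalid Key length (%d is not in the range 1..%d)", keylen, EVP_MAX_MD_SIZE`. Also, keylen is assigned from ASN1_INTEGER_get(), which returns a long, and its declaration is outside the hunk; if keylen is a long rather than an int, the `%d` conversion needs to become `%ld` (or keylen cast to int) for the varargs call to be well-defined.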
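Review bot: the paragraph added in the openssl-pkcs12.pod.in hunk has a capitalisation slip, "B<-in>, An error will occur" should read "B<-in>, an error will occur", and "PKCS12 macdata" mixes styles with the "PKCS#12" spelling used in the surrounding sentences; "PKCS#12 MAC data" (or the ASN.1 field name "macData") would be consistent. It would also help to state that the check happens when the MAC is verified, since that is the code path in the p12_mutl.c hunk that parses the PBMAC1 PBKDF2 parameters and raises PKCS12_R_PARSE_ERROR.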
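Review bot: the sentence added in the PKCS12_gen_mac.pod hunk needs a comma after the introductory clause ("If the PKCS12 macdata contains PBMAC1, an error will occur ..."), and since it sits directly under the PKCS12_verify_mac() description it should name that function rather than use the passive "an error will occur", for instance "PKCS12_verify_mac() fails if the PKCS#12 MAC data uses PBMAC1 and the PBKDF2 parameters are missing, or if the key length is not in the range 1 to 64". That wording also lines up with the openssl-pkcs12.pod.in hunk, which currently phrases the same condition differently ("contains PBMAC1 and the related PBKDF2 parameters are missing" versus "contains PBMAC1 an error will occur if the related PBKDF2 parameters are missing").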