From: Dimitri John Ledkov
Date: Fri, 25 Apr 2025 22:56:48 +0000 (+0100)
Subject: fips: Skip testing RFC 9579 good files as they use short salt & password
X-Git-Tag: openssl-4.0.0-alpha1~38
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d40bfaca75c2e44eeada073359e2f51f59add1ab;p=thirdparty%2Fopenssl.git
fips: Skip testing RFC 9579 good files as they use short salt & password
The RFC 9579 good files are always tested with the default provider. The RFC 9579 good files use too short salt, and too short password that a sticrly compliant FIPS provider with lower bounds enforcement should no longer able to open. If checking positive files is desired, these could be regenerated with longer salt and password, but not too sure if it is worth it.
Reviewed-by: Paul Dale
Reviewed-by: Shane Lontis
Reviewed-by: Tomas Mraz
MergeDate: Wed Mar 4 17:25:53 2026
(Merged from https://github.com/openssl/openssl/pull/27431)
---
diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t
index 329f3a134bc..56a8e3fcb7c 100644
--- a/test/recipes/80-test_pkcs12.t
+++ b/test/recipes/80-test_pkcs12.t
@@ -56,7 +56,7 @@ $ENV{OPENSSL_WIN32_UTF8}=1;
 my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0);
-plan tests => $no_fips ? 58 : 69;
+plan tests => $no_fips ? 58 : 63;
 # Test different PKCS#12 formats
 ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats");
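Review bot: The totals on the `+plan tests` line are bare literals, so the drop from 69 to 63 can only be checked by counting `ok()` calls by hand. It does check out: the FIPS block removed by the later hunk ran two `ok()` calls for each of three good files, which accounts for the 6. A short comment above the plan would keep that arithmetic visible for the next change, for example `# 58 tests always run; 5 more run only when the fips provider is enabled`. The five FIPS-only tests that remain are outside the hunk, so whether any of them still covers PBMAC1 under the fips provider cannot be told from here.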
@@ -213,28 +213,6 @@ for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_
 "test pbmac1 pkcs12 file $file");
 }
-
-unless ($no_fips) {
- my $provpath = bldtop_dir("providers");
- my $provconf = srctop_file("test", "fips-and-base.cnf");
- my $provname = 'fips';
- my @prov = ("-provider-path", $provpath,
- "-provider", $provname);
- local $ENV{OPENSSL_CONF} = $provconf;
-
-# Test pbmac1 pkcs12 good files, RFC 9579
- for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_512.good.p12")
- {
- my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
- ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-password", "pass:1234", "-noenc"])),
- "test pbmac1 pkcs12 file $file");
-
- ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-info", "-noout",
- "-passin", "pass:1234"], stderr => "${file}_info.txt")),
- "test_export_pkcs12_${file}_info");
- }
-}
-
 # Test pbmac1 pkcs12 bad files, RFC 9579 and CVE-2025-11187
 for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12", "pbmac1_256_256.no-len.p12", "pbmac1_256_256.bad-len.p12",