Fixes #30246
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Mar 12 10:47:32 2026
(Merged from https://github.com/openssl/openssl/pull/30279)
(cherry picked from commit a65de3d6bc393f59c5d14583f99185fb403ba4bd)
if (pbkdf2_param->keylength != NULL)
keylen = ASN1_INTEGER_get(pbkdf2_param->keylength);
if (keylen <= 0 || keylen > EVP_MAX_MD_SIZE) {
- ERR_raise_data(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR, "Invalid Key length");
+ ERR_raise_data(ERR_LIB_PKCS12, PKCS12_R_PARSE_ERROR,
+ "Invalid Key length (%d is not in the range 1..64)", keylen);
goto err;
}
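Review bot: The upper bound in the new error string is hardcoded as 64 while the check itself uses EVP_MAX_MD_SIZE, so the message will go stale if that macro ever changes. Consider formatting the limit from the macro, for example "Invalid Key length (%d is not in the range 1..%d)" with keylen and EVP_MAX_MD_SIZE as arguments. Also confirm that keylen is declared as int: ASN1_INTEGER_get() returns long, and if keylen is a long the %d specifier needs to be %ld or the argument needs a cast. Note too that ASN1_INTEGER_get() returns -1 when the value cannot be represented, so the message may report -1 for an input that actually encoded a very large length.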
used. For PKCS#12 file parsing only B<-in> and B<-out> need to be used
for PKCS#12 file creation B<-export> and B<-name> are also used.
+When loading using B<-in>, An error will occur if the PKCS12 macdata contains
+PBMAC1 and the related PBKDF2 parameters are missing, or if the associated
+key length is not in the range 1 to 64.
+
If none of the B<-clcerts>, B<-cacerts> or B<-nocerts> options are present
then all certificates will be output in the order they appear in the input
PKCS#12 files. There is no guarantee that the first certificate present is
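Review bot: In the added paragraph, "When loading using B<-in>, An error will occur" has a stray capital after the comma; it should read "an error will occur". The new text also writes "PKCS12 macdata" where the surrounding paragraphs consistently use "PKCS#12", so matching that spelling would keep the page uniform. The documented range "1 to 64" repeats the literal from the error string in the code, so the two need to be kept in sync if the limit changes.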
PKCS12_verify_mac() verifies the PKCS#12 object's HMAC using the supplied
password.
+If the PKCS12 macdata contains PBMAC1 an error will occur if the related PBKDF2
+parameters are missing, or if the associated key length is not in the range 1 to 64.
PKCS12_setup_mac() sets the MAC part of the PKCS#12 structure with the supplied
parameters.
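Review bot: The added sentence does not name the function it applies to or say how the failure is reported to the caller. It follows the PKCS12_verify_mac() description, but a reader scanning the page cannot tell whether the error also applies to other functions documented here, or what value is returned in this case. Suggest wording along the lines of "PKCS12_verify_mac() fails if the PKCS#12 macdata contains PBMAC1 and ..." and stating the return value. Minor: a comma is missing after "PBMAC1", and "PKCS12" should be "PKCS#12" to match the neighbouring lines.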