Fix test_pkcs12.rb in FIPS.

junaruga · junaruga · commit 4c7ffa66a20c · 2026-01-21T19:10:28.000Z
* Use the `AES-256-CBC` using `PBKDF2` which is FIPS-approved, instead of the
  `PBE-SHA1-3DES` using `PKCS12KDF` which is not FIPS-approved. As the
  `AES-256-CBC` is also used as `openssl pkcs12`'s default algorithm, the case
   is typical. See also the man page openssl-pkcs12(1).
* `OpenSSL::PKCS12.create` calling the `PKCS12_create` uses a MAC key using
  `PKCS12KDF` which is not FIPS-approved.
* The test data `OpenSSL::PKCS12.new` calling `PKCS12_parse` verifies the MAC
  using `PKCS12KDF` which is not FIPS-approved.
diff --git a/Rakefile b/Rakefile
@@ -28,7 +28,6 @@ Rake::TestTask.new(:test_fips_internal) do |t|
   t.test_files = FileList['test/**/test_*.rb'] - FileList[
     'test/openssl/test_hmac.rb',
     'test/openssl/test_kdf.rb',
-    'test/openssl/test_pkcs12.rb',
     'test/openssl/test_ts.rb',
   ]
   t.warning = true
diff --git a/test/openssl/test_pkcs12.rb b/test/openssl/test_pkcs12.rb
@@ -5,8 +5,13 @@
 
 module OpenSSL
   class TestPKCS12 < OpenSSL::TestCase
-    DEFAULT_PBE_PKEYS = "PBE-SHA1-3DES"
-    DEFAULT_PBE_CERTS = "PBE-SHA1-3DES"
+    # Use the AES-256-CBC using PBKDF2 which is FIPS-approved, instead of the
+    # PBE-SHA1-3DES using PKCS12KDF which is not FIPS-approved as much as
+    # possible. As the AES-256-CBC is also used as `openssl pkcs12`'s default
+    # algorithm, the case is typical. See also the man page openssl-pkcs12(1).
+    # OpenSSL::PKCS12.create raises UNKNOWN_ALGORITHM in AWS-LC with AES-256-CBC.
+    DEFAULT_PBE_PKEYS = aws_lc? ? "PBE-SHA1-3DES" : "AES-256-CBC"
+    DEFAULT_PBE_CERTS = aws_lc? ? "PBE-SHA1-3DES" : "AES-256-CBC"
 
     def setup
       super
@@ -34,6 +39,11 @@ def setup
     end
 
     def test_create_single_key_single_cert
+      # OpenSSL::PKCS12.create calling the PKCS12_create() has the argument
+      # mac_iter which uses a MAC key using PKCS12KDF which is not
+      # FIPS-approved.
+      omit_on_fips
+
       pkcs12 = OpenSSL::PKCS12.create(
         "omg",
         "hello",
@@ -55,8 +65,14 @@ def test_create_single_key_single_cert
     end
 
     def test_create_no_pass
+      # PKCS12KDF used for a MAC key is not FIPS-approved.
+      omit_on_fips
+
+      # LibreSSL doesn't accept the nil as no pass.
+      pass = libressl? ? "" : nil
+
       pkcs12 = OpenSSL::PKCS12.create(
-        nil,
+        pass,
         "hello",
         @mykey,
         @mycert,
@@ -73,6 +89,9 @@ def test_create_no_pass
     end
 
     def test_create_with_chain
+      # PKCS12KDF used for a MAC key is not FIPS-approved.
+      omit_on_fips
+
       chain = [@inter_cacert, @cacert]
 
       pkcs12 = OpenSSL::PKCS12.create(
@@ -88,6 +107,9 @@ def test_create_with_chain
     end
 
     def test_create_with_chain_decode
+      # PKCS12KDF used for a MAC key is not FIPS-approved.
+      omit_on_fips
+
       chain = [@cacert, @inter_cacert]
 
       passwd = "omg"
@@ -124,6 +146,9 @@ def test_create_with_bad_nid
     end
 
     def test_create_with_itr
+      # PKCS12KDF used for a MAC key is not FIPS-approved.
+      omit_on_fips
+
       OpenSSL::PKCS12.create(
         "omg",
         "hello",
@@ -150,6 +175,9 @@ def test_create_with_itr
     end
 
     def test_create_with_mac_itr
+      # PKCS12KDF used for a MAC key is not FIPS-approved.
+      omit_on_fips
+
       OpenSSL::PKCS12.create(
         "omg",
         "hello",
@@ -178,6 +206,9 @@ def test_create_with_mac_itr
     end
 
     def test_create_with_keytype
+      # PKCS12KDF used for a MAC key is not FIPS-approved.
+      omit_on_fips
+
       omit "AWS-LC does not support KEY_SIG and KEY_EX" if aws_lc?
 
       OpenSSL::PKCS12.create(
@@ -210,45 +241,47 @@ def test_create_with_keytype
     end
 
     def test_new_with_no_keys
-      # generated with:
-      #   openssl pkcs12 -certpbe PBE-SHA1-3DES -in <@mycert> -nokeys -export
+      # PKCS12KDF used for a MAC key is not FIPS-approved.
+      omit_on_fips
+
+      # Generated with the following steps:
+      #   Print the value of the @mycert such as by `puts @mycert.to_s` and
+      #   save the value as the file `mycert.pem`.
+      #   Run the following commands:
+      #   openssl pkcs12 -certpbe AES-256-CBC -in <(cat mycert.pem) \
+      #     -nokeys -export -passout pass:abc123 -out /tmp/p12.out
+      #   base64 /tmp/p12.out
       str = <<~EOF.unpack1("m")
-MIIGJAIBAzCCBeoGCSqGSIb3DQEHAaCCBdsEggXXMIIF0zCCBc8GCSqGSIb3
-DQEHBqCCBcAwggW8AgEAMIIFtQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQMw
-DgQIjv5c3OHvnBgCAggAgIIFiMJa8Z/w7errRvCQPXh9dGQz3eJaFq3S2gXD
-rh6oiwsgIRJZvYAWgU6ll9NV7N5SgvS2DDNVuc3tsP8TPWjp+bIxzS9qmGUV
-kYWuURWLMKhpF12ZRDab8jcIwBgKoSGiDJk8xHjx6L613/XcRM6ln3VeQK+C
-hlW5kXniNAUAgTft25Fn61Xa8xnhmsz/fk1ycGnyGjKCnr7Mgy7KV0C1vs23
-18n8+b1ktDWLZPYgpmXuMFVh0o+HJTV3O86mkIhJonMcnOMgKZ+i8KeXaocN
-JQlAPBG4+HOip7FbQT/h6reXv8/J+hgjLfqAb5aV3m03rUX9mXx66nR1tQU0
-Jq+XPfDh5+V4akIczLlMyyo/xZjI1/qupcMjr+giOGnGd8BA3cuXW+ueLQiA
-PpTp+DQLVHRfz9XTZbyqOReNEtEXvO9gOlKSEY5lp65ItXVEs2Oqyf9PfU9y
-DUltN6fCMilwPyyrsIBKXCu2ZLM5h65KVCXAYEX9lNqj9zrQ7vTqvCNN8RhS
-ScYouTX2Eqa4Z+gTZWLHa8RCQFoyP6hd+97/Tg2Gv2UTH0myQxIVcnpdi1wy
-cqb+er7tyKbcO96uSlUjpj/JvjlodtjJcX+oinEqGb/caj4UepbBwiG3vv70
-63bS3jTsOLNjDRsR9if3LxIhLa6DW8zOJiGC+EvMD1o4dzHcGVpQ/pZWCHZC
-+YiNJpQOBApiZluE+UZ0m3XrtHFQYk7xblTrh+FJF91wBsok0rZXLAKd8m4p
-OJsc7quCq3cuHRRTzJQ4nSe01uqbwGDAYwLvi6VWy3svU5qa05eDRmgzEFTG
-e84Gp/1LQCtpQFr4txkjFchO2whWS80KoQKqmLPyGm1D9Lv53Q4ZsKMgNihs
-rEepuaOZMKHl4yMAYFoOXZCAYzfbhN6b2phcFAHjMUHUw9e3F0QuDk9D0tsr
-riYTrkocqlOKfK4QTomx27O0ON2J6f1rtEojGgfl9RNykN7iKGzjS3914QjW
-W6gGiZejxHsDPEAa4gUp0WiSUSXtD5WJgoyAzLydR2dKWsQ4WlaUXi01CuGy
-+xvncSn2nO3bbot8VD5H6XU1CjREVtnIfbeRYO/uofyLUP3olK5RqN6ne6Xo
-eXnJ/bjYphA8NGuuuvuW1SCITmINkZDLC9cGlER9+K65RR/DR3TigkexXMeN
-aJ70ivZYAl0OuhZt3TGIlAzS64TIoyORe3z7Ta1Pp9PZQarYJpF9BBIZIFor
-757PHHuQKRuugiRkp8B7v4eq1BQ+VeAxCKpyZ7XrgEtbY/AWDiaKcGPKPjc3
-AqQraVeQm7kMBT163wFmZArCphzkDOI3bz2oEO8YArMgLq2Vto9jAZlqKyWr
-pi2bSJxuoP1aoD58CHcWMrf8/j1LVdQhKgHQXSik2ID0H2Wc/XnglhzlVFuJ
-JsNIW/EGJlZh/5WDez9U0bXqnBlu3uasPEOezdoKlcCmQlmTO5+uLHYLEtNA
-EH9MtnGZebi9XS5meTuS6z5LILt8O9IHZxmT3JRPHYj287FEzotlLdcJ4Ee5
-enW41UHjLrfv4OaITO1hVuoLRGdzjESx/fHMWmxroZ1nVClxECOdT42zvIYJ
-J3xBZ0gppzQ5fjoYiKjJpxTflRxUuxshk3ih6VUoKtqj/W18tBQ3g5SOlkgT
-yCW8r74yZlfYmNrPyDMUQYpLUPWj2n71GF0KyPfTU5yOatRgvheh262w5BG3
-omFY7mb3tCv8/U2jdMIoukRKacpZiagofz3SxojOJq52cHnCri+gTHBMX0cO
-j58ygfntHWRzst0pV7Ze2X3fdCAJ4DokH6bNJNthcgmolFJ/y3V1tJjgsdtQ
-7Pjn/vE6xUV0HXE2x4yoVYNirbAMIvkN/X+atxrN0dA4AchN+zGp8TAxMCEw
-CQYFKw4DAhoFAAQUQ+6XXkyhf6uYgtbibILN2IjKnOAECLiqoY45MPCrAgII
-AA==
+MIIGhwIBAzCCBjUGCSqGSIb3DQEHAaCCBiYEggYiMIIGHjCCBhoGCSqGSIb3DQEHBqCCBgswggYH
+AgEAMIIGAAYJKoZIhvcNAQcBMF8GCSqGSIb3DQEFDTBSMDEGCSqGSIb3DQEFDDAkBBBmfu7YGPAk
+YVG9zCy8SQefAgIIADAMBggqhkiG9w0CCQUAMB0GCWCGSAFlAwQBKgQQtpZzo1fdoiTkeDBMwZUt
+3YCCBZBYulEiz0dB/iLhIMGm7Pc0UV0dUdazwZHt9jgzjhejc6aZMfzyoRqTj7/Hl2D3ocslBywa
+00HUcGA37E9d2RpNdKKiHEdlQR4VAYJl/cnuL85EDJxnMp/+W5TtTRDae08sjETCoMakH95TV3zo
+Q5/xP42yORG6fg0YQ9Jb2c6UQ6zGP3nWtUlLkoHmkyHmDUI9M1TTldX/2R0d5A0Vd8GWSfTVhhMJ
+bPuoa28aoWFKJo2etOa1crnX2yPBTh5C2AQEFi/HuO0zE+GGoRjpkM7c0O+Ravq25nmprDjGNajE
+6zlRPkALszDIopuHnBiH9YxaMqPXdWwCn6LV4qGp/rBGQjJFqbQVDvlzosUdC00x8NdDiiZczMvB
+VHOaHk7CpgFZhJvg3Dk6Of+S8BijXv3XKCWTY5O5LIwOHzeK3SWuLhBlD3WEjWBoeZZkdrGVs+0J
+r696PlW6DUb1Wbw5NeYwwoV66w2KVsb7B0E3KWgVlWwlkur1ylReU2+u/bOD+or1+T/vS7Rku3zH
+wVlBJpvp51k73AhoRaPHSjegqNVkMObUob1+GZ6ak07Sy+dH1EC1BR2iLiq9ON+jBm40c5f62dRm
+Kri6gpv0/LHcVbv0a68JUzEpPMmVEaspX8dVG6+3+mhO+JvpuLdtQ0zZV/6sKfqd+yRc4p8ChMav
+yhO6L4El52FIHv5iEpoHN2e+dBySL1fSnmkh+Z7TaMHR+arq3Y/GpRKrbuTkmspcuUALwiN6XpEL
+dIiye3oUGL+VL5teNOBLHUlFPp73KR3ZBQQvCg8ybG90sjb7rxz6RvsPwYIrqdeOSnJrbnvOFmvU
+j8pQ5T1RJqtaMg/D2Z+DcBD5lyeX2DeKQ/Pwk1uaHGJwsIKXaPzTmxcfdhOeBOaZg3THuu7kEqI9
+RklL1XznXBjmVAI09y+02O6/Bg42TsyiCo+XSkN6aIbC1Gnmvm6e9MXlzw1RY3FKAWW8ZP0qjjup
+08tFlt+s87ndpkMYBuJ/rN55fA/1nQgSDwgv3qDBxFgIoRsH6NEaF8Jycb/3DMVVaMe8mIDq+CFp
+OfjbXAaq5j+3rzdcpcFvTZpn5uB0tLu+J/NhXYgWz+lhP0ghlktKBLiZ4SugCsXu+QJOK7Q3mv+H
+5kDul6oLu8qk69IEBH2+bn7abwG6363pBBaweHMZQyaO8Xjhct3spWJluz5LoGKl8XUDma/9Wye1
+UmKeA6W8YTyc5RLjLTEGM0T7aeaDGEqAMJ22lD1iNtA0E1Psw1xWeq83IWdk53v7RC9jLGBCHA/w
++O9jC1mbFyz0c/9N0aWFDd1a2Gk0WmuRCFT6a0AwhASUlp8qsJISJncxI0r+ZEs6OusiMkkSfzlS
+SdSBOxVmIPFMJ2Vst4ku/PgZgCddaMz8MmDPowiB3P5IXnW7/j+LqHl8b/wirGyen82Ui9v99xBL
+qZaL4lZwUNwIJRDptuSys4QPRtHzq0b3qegQpCCUwVzWO4S9lZ1RNciQN+VA8XUo3X9oErY68QQW
+v9t0ljYKJhX17Vasnd99uCHaR6pjJB1nNgJj3+dGPoSfHL5sT8xQ31pxfZcLH+/Aesx/TGMrRCsF
+PPWbc+7FroeGruSm0k2LPE53ExI11IFOgyHDUfoAHMqTXJiyxCgR0TqwsNkg5fZzOTsnTuSYjP/4
+Avu9K5XAjZOhv6dddZQug/QIJ32DIMCynVN3WwQkiiam/3XV686Z8H1AB3dyB3JYOoSF6PuALYdr
+uRffsH7IVksxWjK6WG8Q2vVEdHNZjIMoZIQjx5RJXKRTAh29uHLaO2nmJt8VGlo0CnUJ0ZInLXmv
+81+9DIawctjedLGIYETYd9j3LYe3bxIA0qfecnP8IPpomRL6YOJCgJ5cw2sM/ZLSTxpicbjgChee
+cfBR6TBJMDEwDQYJYIZIAWUDBAIBBQAEIGNRVdh6EXs63L/bK7mkiBsqSAIrzVOFqdAxlKeisVLF
+BBCW+YZolO3mRPS/gzK4QiwbAgIIAA==
       EOF
       p12 = OpenSSL::PKCS12.new(str, "abc123")
 
@@ -259,66 +292,61 @@ def test_new_with_no_keys
     end
 
     def test_new_with_no_certs
-      # generated with:
-      #   openssl pkcs12 -inkey fixtures/openssl/pkey/rsa-1.pem -nocerts -export
+      # PKCS12KDF used for a MAC key is not FIPS-approved.
+      omit_on_fips
+
+      # Generated with the folowing steps:
+      #   openssl pkcs12 -inkey test/openssl/fixtures/pkey/rsa-1.pem \
+      #     -nocerts -export -passout pass:abc123 -out /tmp/p12.out
+      #   base64 /tmp/p12.out
       str = <<~EOF.unpack1("m")
-MIIJ7wIBAzCCCbUGCSqGSIb3DQEHAaCCCaYEggmiMIIJnjCCCZoGCSqGSIb3
-DQEHAaCCCYsEggmHMIIJgzCCCX8GCyqGSIb3DQEMCgECoIIJbjCCCWowHAYK
-KoZIhvcNAQwBAzAOBAjX5nN8jyRKwQICCAAEgglIBIRLHfiY1mNHpl3FdX6+
-72L+ZOVXnlZ1MY9HSeg0RMkCJcm0mJ2UD7INUOGXvwpK9fr6WJUZM1IqTihQ
-1dM0crRC2m23aP7KtAlXh2DYD3otseDtwoN/NE19RsiJzeIiy5TSW1d47weU
-+D4Ig/9FYVFPTDgMzdCxXujhvO/MTbZIjqtcS+IOyF+91KkXrHkfkGjZC7KS
-WRmYw9BBuIPQEewdTI35sAJcxT8rK7JIiL/9mewbSE+Z28Wq1WXwmjL3oZm9
-lw6+f515b197GYEGomr6LQqJJamSYpwQbTGHonku6Tf3ylB4NLFqOnRCKE4K
-zRSSYIqJBlKHmQ4pDm5awoupHYxMZLZKZvXNYyYN3kV8r1iiNVlY7KBR4CsX
-rqUkXehRmcPnuqEMW8aOpuYe/HWf8PYI93oiDZjcEZMwW2IZFFrgBbqUeNCM
-CQTkjAYxi5FyoaoTnHrj/aRtdLOg1xIJe4KKcmOXAVMmVM9QEPNfUwiXJrE7
-n42gl4NyzcZpxqwWBT++9TnQGZ/lEpwR6dzkZwICNQLdQ+elsdT7mumywP+1
-WaFqg9kpurimaiBu515vJNp9Iqv1Nmke6R8Lk6WVRKPg4Akw0fkuy6HS+LyN
-ofdCfVUkPGN6zkjAxGZP9ZBwvXUbLRC5W3N5qZuAy5WcsS75z+oVeX9ePV63
-cue23sClu8JSJcw3HFgPaAE4sfkQ4MoihPY5kezgT7F7Lw/j86S0ebrDNp4N
-Y685ec81NRHJ80CAM55f3kGCOEhoifD4VZrvr1TdHZY9Gm3b1RYaJCit2huF
-nlOfzeimdcv/tkjb6UsbpXx3JKkF2NFFip0yEBERRCdWRYMUpBRcl3ad6XHy
-w0pVTgIjTxGlbbtOCi3siqMOK0GNt6UgjoEFc1xqjsgLwU0Ta2quRu7RFPGM
-GoEwoC6VH23p9Hr4uTFOL0uHfkKWKunNN+7YPi6LT6IKmTQwrp+fTO61N6Xh
-KlqTpwESKsIJB2iMnc8wBkjXJtmG/e2n5oTqfhICIrxYmEb7zKDyK3eqeTj3
-FhQh2t7cUIiqcT52AckUqniPmlE6hf82yBjhaQUPfi/ExTBtTDSmFfRPUzq+
-Rlla4OHllPRzUXJExyansgCxZbPqlw46AtygSWRGcWoYAKUKwwoYjerqIV5g
-JoZICV9BOU9TXco1dHXZQTs/nnTwoRmYiL/Ly5XpvUAnQOhYeCPjBeFnPSBR
-R/hRNqrDH2MOV57v5KQIH2+mvy26tRG+tVGHmLMaOJeQkjLdxx+az8RfXIrH
-7hpAsoBb+g9jUDY1mUVavPk1T45GMpQH8u3kkzRvChfOst6533GyIZhE7FhN
-KanC6ACabVFDUs6P9pK9RPQMp1qJfpA0XJFx5TCbVbPkvnkZd8K5Tl/tzNM1
-n32eRao4MKr9KDwoDL93S1yJgYTlYjy1XW/ewdedtX+B4koAoz/wSXDYO+GQ
-Zu6ZSpKSEHTRPhchsJ4oICvpriVaJkn0/Z7H3YjNMB9U5RR9+GiIg1wY1Oa1
-S3WfuwrrI6eqfbQwj6PDNu3IKy6srEgvJwaofQALNBPSYWbauM2brc8qsD+t
-n8jC/aD1aMcy00+9t3H/RVCjEOb3yKfUpAldIkEA2NTTnZpoDQDXeNYU2F/W
-yhmFjJy8A0O4QOk2xnZK9kcxSRs0v8vI8HivvgWENoVPscsDC4742SSIe6SL
-f/T08reIX11f0K70rMtLhtFMQdHdYOTNl6JzhkHPLr/f9MEZsBEQx52depnF
-ARb3gXGbCt7BAi0OeCEBSbLr2yWuW4r55N0wRZSOBtgqgjsiHP7CDQSkbL6p
-FPlQS1do9gBSHiNYvsmN1LN5bG+mhcVb0UjZub4mL0EqGadjDfDdRJmWqlX0
-r5dyMcOWQVy4O2cPqYFlcP9lk8buc5otcyVI2isrAFdlvBK29oK6jc52Aq5Q
-0b2ESDlgX8WRgiOPPxK8dySKEeuIwngCtJyNTecP9Ug06TDsu0znZGCXJ+3P
-8JOpykgA8EQdOZOYHbo76ZfB2SkklI5KeRA5IBjGs9G3TZ4PHLy2DIwsbWzS
-H1g01o1x264nx1cJ+eEgUN/KIiGFIib42RS8Af4D5e+Vj54Rt3axq+ag3kI+
-53p8uotyu+SpvvXUP7Kv4xpQ/L6k41VM0rfrd9+DrlDVvSfxP2uh6I1TKF7A
-CT5n8zguMbng4PGjxvyPBM5k62t6hN5fuw6Af0aZFexh+IjB/5wFQ6onSz23
-fBzMW4St7RgSs8fDg3lrM+5rwXiey1jxY1ddaxOoUsWRMvvdd7rZxRZQoN5v
-AcI5iMkK/vvpQgC/sfzhtXtrJ2XOPZ+GVgi7VcuDLKSkdFMcPbGzO8SdxUnS
-SLV5XTKqKND+Lrfx7DAoKi5wbDFHu5496/MHK5qP4tBe6sJ5bZc+KDJIH46e
-wTV1oWtB5tV4q46hOb5WRcn/Wjz3HSKaGZgx5QbK1MfKTzD5CTUn+ArMockX
-2wJhPnFK85U4rgv8iBuh9bRjyw+YaKf7Z3loXRiE1eRG6RzuPF0ZecFiDumk
-AC/VUXynJhzePBLqzrQj0exanACdullN+pSfHiRWBxR2VFUkjoFP5X45GK3z
-OstSH6FOkMVU4afqEmjsIwozDFIyin5EyWTtdhJe3szdJSGY23Tut+9hUatx
-9FDFLESOd8z3tyQSNiLk/Hib+e/lbjxqbXBG/p/oyvP3N999PLUPtpKqtYkV
-H0+18sNh9CVfojiJl44fzxe8yCnuefBjut2PxEN0EFRBPv9P2wWlmOxkPKUq
-NrCJP0rDj5aONLrNZPrR8bZNdIShkZ/rKkoTuA0WMZ+xUlDRxAupdMkWAlrz
-8IcwNcdDjPnkGObpN5Ctm3vK7UGSBmPeNqkXOYf3QTJ9gStJEd0F6+DzTN5C
-KGt1IyuGwZqL2Yk51FDIIkr9ykEnBMaA39LS7GFHEDNGlW+fKC7AzA0zfoOr
-fXZlHMBuqHtXqk3zrsHRqGGoocigg4ctrhD1UREYKj+eIj1TBiRdf7c6+COf
-NIOmej8pX3FmZ4ui+dDA8r2ctgsWHrb4A6iiH+v1DRA61GtoaA/tNRggewXW
-VXCZCGWyyTuyHGOqq5ozrv5MlzZLWD/KV/uDsAWmy20RAed1C4AzcXlpX25O
-M4SNl47g5VRNJRtMqokc8j6TjZrzMDEwITAJBgUrDgMCGgUABBRrkIRuS5qg
-BC8fv38mue8LZVcbHQQIUNrWKEnskCoCAggA
+MIIKUgIBAzCCCgAGCSqGSIb3DQEHAaCCCfEEggntMIIJ6TCCCeUGCSqGSIb3DQEHAaCCCdYEggnS
+MIIJzjCCCcoGCyqGSIb3DQEMCgECoIIJuTCCCbUwXwYJKoZIhvcNAQUNMFIwMQYJKoZIhvcNAQUM
+MCQEEI01CXHjkMt/msnpv5I8CuECAggAMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBC88lPx
+nXduPOMxkNGSAMzhBIIJUHXa+UzIw1TfeBBPu630vtrAYnGgwUiUrxbMt1hDKHq3mmuadAjghQSG
+zzq61lU1KOYtsA7mYRwUGS3lXdTGTP4rbrIsDUjSkwo+6DX8d4IG2uhwhSK3Te2bMsygFBVaJF+k
+X71DAyI6FF9rVo6npTdcDkW/aobuPysyE1vhGbitri+yAnMizutS/C3D1SfwK6BA3c2PfVgL63dO
+8T3nbbIezJLuwxvuIg719MYXwFgvfqm/OHSpM+tfhnoWXwNhp78XH6t0tmHPtX1knKSmZyqZS5ZH
+u3qJJaQv3it2G/v0gFahKBEL5SFBmFKdEXoLNBmeK34qm6OxMfh7FzJeicZjJBC696Nunm69iwSi
+VQdYVeC9/qM0nc3GKdtPrWbcTE6mv1SQZYuRncfTpBpSMp18UdMa3mfpY3jab1Vm2H5NjeBHssJu
+LHiyLYXumAss3CWU90MAET+PVzJp3gvB51GM/ULlunVB6pOgAuLOtXJRPvaQvty5K/S5AqkNRd07
+yZZjxYXuhJIm0fPVe0kqVqJ8Skfp/v5a2rYcnCNYbrNG2/UH8cov9IXDlMcPQzVQRHPmiMstLDte
+pjL711b0X3E0nJ9fXCJmaB/m9dmKBF2J/xjLj6A6dkzL4usv/QUpuoFWW2ATLm9YMOslSZvWCvPl
+4DDwkzQRwhRQoxqOusWhttQBexLX6N0k/NOWukb5RxpTaEpc4fFK/AFa/t74+dufP0nciKGd12iG
+WruMo25aMnnrqQM0vXRmoIwhG/puIgTLeXJOlC0BZrszVTrqlRHdUtrxsiumF1rNXUekZSNNvCDM
+hZsRGulwQMNxbKvt0mZc04NuNcnBTHzCxDllKrI2SvWd+4fhzzqiIpGYcMdW5h7zw2+FQIyzmulB
+xhB+SYH4Vm3g6+lws3yYNCLBxedtypTjppOergSQOrK1ZrB5YaVgw11uqkeSl8e0phbQPAp4NF+l
+2HZNmybhj5ryX5niIyo9Wv7qtctqvxq6zuZ/AVIDpcEWLwUEL2H5bi+Uu2zBa/EGTCA0Kklgzsm4
+L450xo1fbskLju1/PMt2Ssdlwt7cmkhK4OLzWnVYlqUCzWNyZBkUpuAdSfPq2pd+VwzpIAjTV8x/
+PJ0Qm9T5ncOBokxIQDZW60mMiWTLN5i39onkcouO6OTsZApWG54duCXd7oAS29Wssuzf0uEYkdzU
+w4YCY0wdjWwelMQOutJ9l+sNZcxWxcNEd389a33S6nhRJPNp61aW53zQFvFEpWCW4fRrqyxbSIFB
+mqZwb/Ge3g2uqk/04euAh+mYMpjSB6T7Bza2J7pIwNnIoGwkJGWh0EeuiTCIQ8So+ThM1nEUy+ww
++k08XZm5rWwA76mpSiOliD8y1x7vxd09PWETis3pERhFfT4G5yxhTVTogwWm5QJ9Y9QCL51mV9MW
+gfkbySL8nxC32nw7aYOSX2/m4HmqwEoVLrZxO2d1lGAN6qt+Ytw5ZS4j8rEvcKKg1NnyU9M+mrsB
+6ESSSoEhKPMb5YUTr1RNi9RZ6uhd8pZniRttrX9S64KE/UU6ZEBcWB4gEUK/A1a6AOQgc6N5z2mI
+qP2Guvt9dzXX45HTfVaZz1IwuSMJnPhvKgzdGsUX3v/A2Q+MyTuU16fxNDI8hBap/+OlgSfrTSmt
+hmnTgnLIPcvv093CRFhhKY3wP1M6YlQst1ge1mLa4ZcA06golsvj/rQkbK4ZR2JCX2v1oWaUCGmF
+3GfYsFjJn8/QxMf8nIQVKfHwmnXoy9yeghKSW0mbJ5o0iC82XJiewp+UeIOwScza2+SMnrV91w1F
+/DpDbceBkl2m+/piMk27TQQhiWK8aEUpTdMdsjDAWDV8Qt/GNnrfQGrPWxuzmBo6NgdDUsJpPBEa
+NuN+jEgIc9HbZL9seOcBRvy2Zk+ESznEVJFPj3ItLHCEsUrLU2WV4xEOc9zxbgTBUbmliQ4OMvJu
+PvSzUhc7//N1OCrUSwqpvAecpLKOLkvE/k2+rshWasttx1by9+0YqrmmOV32+OdFTdaFyPh5jLXz
+cdx+GRSiFMA2MpX44OMcJNGKMhAPTo7L0Xlhm9ZZzMpzt13gFualzTlc/wa1TBXdBO3wh5IHfFiI
+I2my+By3n0WlJ7sxlIeBsUThdNWGuuu1vo9kUJ7TsiFrCikjoQg+eT/2q0nY/bwq916uEVfXJM5V
+1FfEz64r7/yFqlti85jYPpfEdGASXOobIQ6q8XaHucDhDifBnWMLvFiFk9FOngOCQtb7MKu09Z6q
+X+XIY2JQcIunB1mVNgkrKm4lPUpfkgfwVjyRXZJL25DXuSsfCpFmzYHrbm4971So58I9JOlrSfIf
+wBC4ys9kJKmz3W4+9/8rJI9zDI0MShxvhF6LRVStRjm3Vi09y/C2XOZ+ygHHhaIfYlHJ8knq7NoD
+fz/SOW8b2bvZnuC60MqkxrTwuobdk73HgjT8BKe+79zcBGNcnoTy0rmFmhOBBzfsbr5yOEWvxsux
+83yJt6qOxf4KwKPP1RPRX5s/5npZWqGa6FtNBcznWYSFy4FvoY8ok0lL9xJXG2ugGeac+wSc1tRL
+4rL6JlzcsBVTE8SV5D6ezGFtZKjBfmkSR4dXq6HcqiCqWhJQ1gdOKFsZknYvmWZodVjRRLJUl91f
+9NsQ4bnEcfgow7/S30E4mUkgJDCG/SFLFrkkuR5DQZ3L3QV8AxLsLzYfb7MWYNYT3J+ya+zkGfdL
+cfY/V7ejIFVz5BImmEvUR50x7kJcvcOp3iyU9TmDqF3DMsqGtU3dSRrbUUV3NxPkq58l2KeC9xlQ
+p0emfEScWmiYJmZep8PeMMd0O9GkN0y7QrmzSarcsHnyuTy3pU/haLfgB2KTFK5rOw+4gJhFxZvL
+ldpx/oWz1MmYRuM4923tESXMAe+QbCGClWlT2xXwjr1RBJF6FCh6iyDaU5t5twsa2pmMe7+z7UIJ
+R/IUS6tBcF2UYRv+ebVDh7yE2srIMU/1GTyDVOnHsiJZ8QpxPD3vy0qN237cx09SyoXTCL8RSjfE
+hFdl6Z8zT1LrKpqZ6BGfsg+mMX0kLV3VXGBA8NkEt5p0E4AADI2YufFSltdO3kCnwLjv+P+tBY7/
+MKeIA0w3+mGnhnG9pEZakdnZdC4yp2D4REI8R2687ayT4ps+yFE35c5OwxnALvkyduFhuC1Cz2ye
+4JS20ZePMEkwMTANBglghkgBZQMEAgEFAAQgvP8g52ab9MouQYsJaj8rqfc7qZI+l5wgTRI7rgd7
+NVgEEG5jLuv43kXMoGSKg7M2SY4CAggA
       EOF
       p12 = OpenSSL::PKCS12.new(str, "abc123")
 
@@ -328,6 +356,9 @@ def test_new_with_no_certs
     end
 
     def test_dup
+      # PKCS12KDF used for a MAC key is not FIPS-approved.
+      omit_on_fips
+
       p12 = OpenSSL::PKCS12.create(
         "pass",
         "name",
@@ -341,6 +372,10 @@ def test_dup
     end
 
     def test_set_mac_pkcs12kdf
+      # OpenSSL::PKCS12.create's argument mac_iter uses MAC key using PKCS12KDF
+      # which is not FIPS-approved.
+      omit_on_fips
+
       p12 = OpenSSL::PKCS12.create(
         "pass",
         "name",

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,6 @@ Rake::TestTask.new(:test_fips_internal) do \|t\|`
`28`	`28`	`t.test_files = FileList['test/*/test_.rb'] - FileList[`
`29`	`29`	`'test/openssl/test_hmac.rb',`
`30`	`30`	`'test/openssl/test_kdf.rb',`
`31`		`- 'test/openssl/test_pkcs12.rb',`
`32`	`31`	`'test/openssl/test_ts.rb',`
`33`	`32`	`]`
`34`	`33`	`t.warning = true`