author Tomas Mraz <tomas@openssl.org> 2021-03-05 17:22:35 +0100
committer Pauli <ppzgs1@gmail.com> 2021-03-09 11:12:07 +1000
commit 913f9d5e52f0541c2fb9c3b60d3fc785f35eacae
tree a7470477ed6b180dec28bccd59811381360a1eda /doc/man1
parent 31e2e6e0b1f0f9ab88b9625f841e268766b598d0
apps/pkcs12: Properly detect MAC setup failure
The MAC requires PKCS12KDF support which is not present in FIPS provider as it is not an approved KDF algorithm. Suggest using -nomac if MAC is not required.
Fixes #14057
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14445)
Diffstat (limited to 'doc/man1')
-rw-r--r-- doc/man1/openssl-pkcs12.pod.in 6
1 files changed, 4 insertions, 2 deletions
diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in
index 65c10d1adb..b367be2b7f 100644
--- a/doc/man1/openssl-pkcs12.pod.in
+++ b/doc/man1/openssl-pkcs12.pod.in
@@ -333,7 +333,7 @@ then both, the private key and the certificates are encrypted using triple DES.
=item B<-macalg> I<digest>
-Specify the MAC digest algorithm. If not included them SHA1 will be used.
+Specify the MAC digest algorithm. If not included SHA1 will be used.
=item B<-iter> I<count>
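Review bot: The corrected -macalg sentence still reads awkwardly without a comma after the conditional clause. Dropping "them" fixes the typo, but "If not included SHA1 will be used." would be clearer as "If not included, SHA1 will be used." The removed word may also have been a misspelling of "then", in which case "If not included then SHA1 will be used." preserves the original intent. Either form is fine as long as it is used consistently with the neighbouring option descriptions.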
@@ -362,7 +362,9 @@ to be needed to use MAC iterations counts but they are now used by default.
=item B<-nomac>
-Don't attempt to provide the MAC integrity.
+Do not attempt to provide the MAC integrity. This can be useful with the FIPS
+provider as the PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
+algorithm and cannot be supported by the FIPS provider.
=back
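Review bot: The new -nomac text drops the condition that the commit message states ("if MAC is not required"). As written, "This can be useful with the FIPS provider" reads as a general recommendation, while the option removes the integrity check from the resulting file. Consider wording such as "If the MAC integrity is not required, this can be useful with the FIPS provider as ..." so the reader sees the trade-off at the point where the option is described. A smaller style point on the same lines: "provide the MAC integrity" would read better as "provide MAC integrity" or "provide the MAC integrity check".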