summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--apps/pkcs12.c6
-rw-r--r--doc/man1/openssl-pkcs12.pod.in6
2 files changed, 9 insertions, 3 deletions
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 241122b76a..00c5a9bc4b 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -655,7 +655,11 @@ int pkcs12_main(int argc, char **argv)
}
if (maciter != -1)
- PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd);
+ if (!PKCS12_set_mac(p12, mpass, -1, NULL, 0, maciter, macmd)) {
+ BIO_printf(bio_err, "Error creating PKCS12 MAC; no PKCS12KDF support?\n");
+ BIO_printf(bio_err, "Use -nomac if MAC not required and PKCS12KDF support not available.\n");
+ goto export_end;
+ }
assert(private);
diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in
index 65c10d1adb..b367be2b7f 100644
--- a/doc/man1/openssl-pkcs12.pod.in
+++ b/doc/man1/openssl-pkcs12.pod.in
@@ -333,7 +333,7 @@ then both, the private key and the certificates are encrypted using triple DES.
=item B<-macalg> I<digest>
-Specify the MAC digest algorithm. If not included them SHA1 will be used.
+Specify the MAC digest algorithm. If not included SHA1 will be used.
=item B<-iter> I<count>
@@ -362,7 +362,9 @@ to be needed to use MAC iterations counts but they are now used by default.
=item B<-nomac>
-Don't attempt to provide the MAC integrity.
+Do not attempt to provide the MAC integrity. This can be useful with the FIPS
+provider as the PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
+algorithm and cannot be supported by the FIPS provider.
=back
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-09 10:24:32 +0000