Skip to content

Fix pk12util and add PBKDF2 #139

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dgarske merged 6 commits into from
Aug 22, 2025
Merged

Fix pk12util and add PBKDF2 #139

dgarske merged 6 commits into from
Aug 22, 2025

Conversation

@LinuxJedi
Copy link
Member

@LinuxJedi LinuxJedi commented Aug 21, 2025

This PR:

  • Adds support for CKM_NSS_PKCS12_PBE_SHA*_HMAC_KEY_GEN
  • Adds support for CKM_PKCS5_PBKD2
  • Adds CKA_NSS_DB as an ignored attribute (to suppress errors)
  • Adds support for PBKDF2 pin hashing

The first three are required to make NSS pk12util work. The last one is enabled by default for FIPS, but the options --enable-pbkdf2 and --pbkdf2-iterations have been added to use it in other builds.

PBKDF2 for pin is set to 600,000 rounds by default, which is the OWASP recommendation.

@LinuxJedi
Add NSS PKCS12 PBE HMAC and CKM_PKCS5_PBKD2
e854ebc
@LinuxJedi
Add pk12util test
20a98eb
@LinuxJedi
Add PBKDF2 option for password hashing
46a0ff2 
FIPS doesn't have scrypt. This implements PBKDF2 instead. Enabled by
default at 600,000 rounds for FIPS.

600,000 being the current OWASP recommendation for SHA256 HMAC.
@LinuxJedi LinuxJedi force-pushed the fix-tests branch 3 times, most recently from aea1ad9 to d89b762 Compare August 21, 2025 15:15
@LinuxJedi LinuxJedi mentioned this pull request Aug 22, 2025
Merged
dgarske
dgarske requested changes Aug 22, 2025
View reviewed changes
@LinuxJedi LinuxJedi requested a review from dgarske August 22, 2025 15:19
dgarske
dgarske requested changes Aug 22, 2025
View reviewed changes
@LinuxJedi
Fix mixed declarations / code
828b55c 
Also fix line lengths
@LinuxJedi LinuxJedi requested a review from dgarske August 22, 2025 15:49
dgarske
dgarske requested changes Aug 22, 2025
View reviewed changes
@LinuxJedi LinuxJedi requested a review from dgarske August 22, 2025 17:22
@LinuxJedi LinuxJedi removed their assignment Aug 22, 2025
@dgarske dgarske merged commit 9fe950c into wolfSSL:master Aug 22, 2025
70 of 72 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgarske dgarske dgarske approved these changes

Assignees

@wolfSSL-Bot wolfSSL-Bot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@LinuxJedi @dgarske @wolfSSL-Bot