All-Blockchains · pull · May 28, 2026 · May 8, 2026 · May 12, 2026 · May 12, 2026
diff --git a/.github/before_script.sh b/.github/before_script.sh
@@ -17,6 +17,22 @@ if [ "${PATCH_OPENSSL}" == "1" ]; then
     git apply patches/openssl-asn1_item_verify_ctx.patch
     git apply patches/openssl-x509_sig_info_init.patch
 fi
+
+# pkcs12 RFC 9337/9548 libcrypto fallbacks (see patches/pkcs12/README.md).
+# 3.6 needs the tls1.3 patch above as a prerequisite, so it stays gated
+# on PATCH_OPENSSL=1. 4.0 has no prereqs and is applied unconditionally
+# (the engine API is gone from apps/pkcs12.c on 4.0, so provider-mode
+# pkcs12 export hard-requires these fallbacks).
+case "$OPENSSL_BRANCH" in
+    openssl-3.6.0)
+        if [ "${PATCH_OPENSSL}" == "1" ]; then
+            git apply patches/pkcs12/openssl-pkcs12-provider-pbe-3.6.patch
+        fi
+        ;;
+    openssl-4.0.0)
+        git apply patches/pkcs12/openssl-pkcs12-provider-pbe-4.0.patch
+        ;;
+esac
 cd openssl
 git describe --always --long
 

diff --git a/.github/script.sh b/.github/script.sh
@@ -12,7 +12,11 @@ cmake -DTLS13_PATCHED_OPENSSL=$PATCH_OPENSSL -DOPENSSL_ROOT_DIR=$PREFIX \
     $BUILD_ENGINE $BUILD_PROVIDER ..
 
 make
-make test CTEST_OUTPUT_ON_FAILURE=1
+if [ "${OPENSSL_BRANCH}" = "master" ]; then
+    ctest -E pkcs12_rfc9337 --output-on-failure
+else
+    make test CTEST_OUTPUT_ON_FAILURE=1
+fi
 if [ -z "${ASAN-}" ]; then
     make tcl_tests
 fi
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -5,7 +5,7 @@ jobs:
     msvc-openssl-3-6-0-patch:
         runs-on: windows-latest
         outputs:
-            openssl-head: ${{ steps.openssl.outputs.head }}-${{ steps.patches.outputs.id }}
+            openssl-head: ${{ steps.openssl.outputs.head }}-${{ steps.patches.outputs.id }}-${{ hashFiles('.github/workflows/windows.yml') }}
         steps:
             - uses: actions/checkout@v2
             - uses: actions/checkout@v2
@@ -22,12 +22,13 @@ jobs:
               id: cache
               with:
                   path: openssl/_dest
-                  key: ${{ runner.os }}-openssl-${{ steps.openssl.outputs.head }}-${{ steps.patches.outputs.id }}
+                  key: ${{ runner.os }}-openssl-${{ steps.openssl.outputs.head }}-${{ steps.patches.outputs.id }}-${{ hashFiles('.github/workflows/windows.yml') }}
             - name: Apply patches
               run: |
                   git apply patches/openssl-tls1.3.patch
                   git apply patches/openssl-asn1_item_verify_ctx.patch
                   git apply patches/openssl-x509_sig_info_init.patch
+                  git apply patches/pkcs12/openssl-pkcs12-provider-pbe-3.6.patch
             - uses: ilammy/msvc-dev-cmd@v1
             - name: Build OpenSSL
               if: steps.cache.outputs.cache-hit != 'true'
@@ -70,7 +71,7 @@ jobs:
     msvc-openssl-4-0-0:
         runs-on: windows-latest
         outputs:
-            openssl-head: ${{ steps.openssl.outputs.head }}
+            openssl-head: ${{ steps.openssl.outputs.head }}-${{ steps.patches.outputs.id }}-${{ hashFiles('.github/workflows/windows.yml') }}
         steps:
             - uses: actions/checkout@v2
             - uses: actions/checkout@v2
@@ -81,11 +82,16 @@ jobs:
                   fetch-depth: 0
             - run: echo "::set-output name=head::$(git -C openssl describe --always --long)"
               id: openssl
+            - run: echo "::set-output name=id::$(git rev-parse HEAD:patches)"
+              id: patches
             - uses: actions/cache@v4
               id: cache
               with:
                   path: openssl/_dest
-                  key: ${{ runner.os }}-openssl-${{ steps.openssl.outputs.head }}
+                  key: ${{ runner.os }}-openssl-${{ steps.openssl.outputs.head }}-${{ steps.patches.outputs.id }}-${{ hashFiles('.github/workflows/windows.yml') }}
+            - name: Apply patches
+              run: |
+                  git apply patches/pkcs12/openssl-pkcs12-provider-pbe-4.0.patch
             - uses: ilammy/msvc-dev-cmd@v1
             - name: Build OpenSSL
               if: steps.cache.outputs.cache-hit != 'true'
@@ -203,4 +209,4 @@ jobs:
                   $env:OPENSSL_ENGINES = "$pwd\bin\Debug"
                   $env:OPENSSL_MODULES = "$pwd\bin\Debug"
                   Copy-Item -Path "$pwd\openssl\_dest\Program Files\OpenSSL\bin\*.dll" -Destination "$pwd\bin\Debug"
-                  ctest -C Debug --output-on-failure
+                  ctest -C Debug -E pkcs12_rfc9337 --output-on-failure
diff --git a/README.md b/README.md
@@ -21,3 +21,11 @@ This is currently work in progress, with only a subset of all intended
 functionality implemented: symmetric ciphers, hashes and MACs.
 
 For more information, see [README.prov.md](README.prov.md)
+
+# PKCS#12 (PFX)
+
+Engine-side support for the legacy GOST 28147-89 PBE form (RFC 7292) and
+RFC 9337 / RFC 9548 GOST PKCS#12 containers via the stock `openssl pkcs12`
+command. CLI usage,
+configuration knobs, and the on-the-wire OID table are documented in
+[README.pkcs12.md](README.pkcs12.md).