Please do not print this email unless it is absolutely necessary.
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.
WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
> Hello there
>
> I am trying to use the OpenSSL-fips version 1.2 for our application (
> Webserver ) in Vxworks. I was able to integrate the library and
> executing FIPS_mode_set is successful. After initializing the
> SSL_library_init, The code tries to read the RSA key from a key.pem
> file.
>
Technically you shouldn't use keys created outside FIPS mode in FIPS mode.
In FIPS mode the "traditional" format is not supported because it used MD5 for
key derivation. The more standard PKCS#8 mode using SHA1 for key derivation is
used instead. You can convert keys using the pkcs8 command outside FIPS mode,
but again technically you aren't supposed to...
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
I used the following commands to create the certificate using the
openssl built with FIPS support
openssl genrsa -des3 -out wv-key.pem 1024
openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365
Am I missing any option to make it FIPS supported?
John
> Thanks Steve,
>
> I used the following commands to create the certificate using the
> openssl built with FIPS support
>
> openssl genrsa -des3 -out wv-key.pem 1024
> openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365
>
> Am I missing any option to make it FIPS supported?
>
The openssl utility is not in FIPS mode by default. You need to set the
environment variable OPENSSL_FIPS to 1 when you call it.
You need to define the environment variable 'OPENSSL_FIPS'. Otherwise,
the 'openssl' executable will never call FIPS_mode_set(1) as required by
the security policy.
DS
I do have the env variable OPENSSL_FIPS set to 1, and the key generated
is as below:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5
bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ
.
.
.
.hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG
bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew==
-----END RSA PRIVATE KEY-----
But still it fails at the same method "PEM_do_header"
Any hint?
Thanks
John Paul
-----Original Message-----
From: owner-ope...@openssl.org
[mailto:owner-ope...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, October 06, 2010 6:02 PM
To: openss...@openssl.org
Subject: Re: FIPS mode - fails to read the RSA key
On Wed, Oct 06, 2010, john.ma...@wipro.com wrote:
> Thanks again
>
> I do have the env variable OPENSSL_FIPS set to 1, and the key generated
> is as below:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5
>
> bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
> vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ
> .
> .
> .
> .hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG
> bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew==
> -----END RSA PRIVATE KEY-----
>
> But still it fails at the same method "PEM_do_header"
>
If that happens the version of OpenSSL isn't in FIPS mode. You should get:
-----BEGIN PRIVATE KEY-----
and no Proc-Type, DEK-Info lines if it worked. If you also do:
OPENSSL_FIPS=1 openssl md5 somefile
it should fail with an error if FIPS mode is entered correctly.
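A pre-flight check for the point made in both of Steve's replies (the traditional "BEGIN RSA PRIVATE KEY" block with Proc-Type/DEK-Info headers uses MD5 key derivation and is rejected in FIPS mode, while a FIPS-mode openssl emits PKCS#8 "BEGIN PRIVATE KEY" / "BEGIN ENCRYPTED PRIVATE KEY" blocks). This is an added example, not OpenSSL code; it classifies a PEM buffer from its header lines alone, so an application can refuse a legacy encrypted key before PEM_do_header fails:

```c
#include <string.h>

typedef enum {
    PEM_KEY_UNKNOWN = 0,
    PEM_KEY_LEGACY_PLAIN,      /* "BEGIN RSA PRIVATE KEY", no Proc-Type header */
    PEM_KEY_LEGACY_ENCRYPTED,  /* legacy + Proc-Type/DEK-Info: MD5-derived key */
    PEM_KEY_PKCS8_PLAIN,       /* "BEGIN PRIVATE KEY" */
    PEM_KEY_PKCS8_ENCRYPTED    /* "BEGIN ENCRYPTED PRIVATE KEY" */
} pem_key_kind;
static int starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}
/* Walk the PEM text line by line, looking only at the BEGIN line and the
 * headers before the base64 body; returns the kind of the first key block. */
pem_key_kind classify_pem_key(const char *pem)
{
    pem_key_kind kind = PEM_KEY_UNKNOWN;
    const char *line = pem;
    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *tag = strstr(line, " PRIVATE KEY-----"); /* must lie on this line */
        if (kind == PEM_KEY_UNKNOWN) {
            if (starts_with(line, "-----BEGIN ENCRYPTED PRIVATE KEY-----"))
                kind = PEM_KEY_PKCS8_ENCRYPTED;
            else if (starts_with(line, "-----BEGIN PRIVATE KEY-----"))
                kind = PEM_KEY_PKCS8_PLAIN;
            else if (starts_with(line, "-----BEGIN ") && tag && tag < line + len)
                kind = PEM_KEY_LEGACY_PLAIN;   /* RSA/DSA/EC traditional format */
        } else if (starts_with(line, "-----END ")) {
            break;
        } else if (kind == PEM_KEY_LEGACY_PLAIN &&
                   starts_with(line, "Proc-Type: 4,ENCRYPTED")) {
            kind = PEM_KEY_LEGACY_ENCRYPTED;
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return kind;
}
/* The case this thread shows failing in PEM_do_header under FIPS mode. */
int fips_mode_rejects(pem_key_kind kind)
{
    return kind == PEM_KEY_LEGACY_ENCRYPTED;
}
```

The constructed sample in the test reuses only the header lines from the key posted above; the base64 body is a dummy.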
I had problems creating the certificate and key in FIPS mode. With your
suggestion I am now able to create a FIPS-supported certificate.
When I create it with a passphrase the key looks as below:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA
..<snip>
toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE
-----END ENCRYPTED PRIVATE KEY-----
Now it fails at "PKCS8_decrypt" in "PEM_read_bio_PrivateKey". I verified
that the passphrase returned by the cb is the same as the one that I used to
create the certificate. Any hint if I am missing something in the key
generation?
The command I used to create this key is:
./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem -out
wv-cert.pem
If I create the key without a passphrase then the code hits this snippet
of the code (PEM_read_bio_PrivateKey) and works fine:
..
..
p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len);
if(!p8inf) goto p8err;
ret = EVP_PKCS82PKEY(p8inf);
..
..
Thanks
John Paul
-----Original Message-----
From: owner-ope...@openssl.org
[mailto:owner-ope...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, October 06, 2010 9:48 PM
To: openss...@openssl.org
Subject: Re: FIPS mode - fails to read the RSA key
Have you included OpenSSL_add_all_algorithms() in your code? If so then see the
FAQ for details of how to print out error messages.