
FIPS mode - fails to read the RSA key


john.ma...@wipro.com

Oct 6, 2010, 6:43:40 AM
Hello there
 
I am trying to use the OpenSSL-fips version 1.2 for our application (Webserver) in VxWorks. I was able to integrate the library and executing FIPS_mode_set is successful. After initializing the SSL_library_init, the code tries to read the RSA key from a key.pem file.
 
I notice that it uses the methods PEM_read_bio_RSAPrivateKey -> PEM_read_bio_PrivateKey -> PEM_bytes_read_bio -> PEM_do_header

and PEM_do_header always fails once I enable FIPS_mode; if not, it successfully decrypts the RSA key.

I googled around and found a link where they faced a similar problem in OpenSSH, in which he changed the digest parameter from EVP_md5() to EVP_sha1() in the method EVP_BytesToKey.

I tried the same, but it still fails to decrypt the information from the key.

I would really appreciate it if someone can throw some hint on what I might be doing wrong.
 
Thanks
John

Please do not print this email unless it is absolutely necessary.

The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

www.wipro.com

Dr. Stephen Henson

Oct 6, 2010, 7:06:12 AM
On Wed, Oct 06, 2010, john.ma...@wipro.com wrote:

> Hello there
>
> I am trying to use the OpenSSL-fips version 1.2 for our application (
> Webserver ) in Vxworks. I was able to integrate the library and
> executing FIPS_mode_set is successful. After initializing the
> SSL_library_init, The code tries to read the RSA key from a key.pem
> file.
>

Technically you shouldn't use keys created outside FIPS mode in FIPS mode.

In FIPS mode the "traditional" format is not supported because it used MD5 for
key derivation. The more standard PKCS#8 mode using SHA1 for key derivation is
used instead. You can convert keys using the pkcs8 command outside FIPS mode
but again technically you aren't supposed to...

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

john.ma...@wipro.com

Oct 6, 2010, 8:01:07 AM
Thanks Steve,

I used the following commands to create the certificate using the
openssl built with FIPS support

openssl genrsa -des3 -out wv-key.pem 1024
openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365

Do I miss any option to make it FIPS supported?

John


Dr. Stephen Henson

Oct 6, 2010, 8:31:33 AM
On Wed, Oct 06, 2010, john.ma...@wipro.com wrote:

> Thanks Steve,
>
> I used the following commands to create the certificate using the
> openssl built with FIPS support
>
> openssl genrsa -des3 -out wv-key.pem 1024
> openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365
>
> Do I miss any option to make it FIPS supported
>

The openssl utility is not in FIPS mode by default. You need to set the
environment variable OPENSSL_FIPS to 1 when you call it.

David Schwartz

Oct 6, 2010, 8:32:02 AM
On 10/6/2010 5:01 AM, john.ma...@wipro.com wrote:
> Thanks Steve,
>
> I used the following commands to create the certificate using the
> openssl built with FIPS support
>
> openssl genrsa -des3 -out wv-key.pem 1024
> openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365
>
> Do I miss any option to make it FIPS supported
>
> John

You need to define the environment variable 'OPENSSL_FIPS'. Otherwise,
the 'openssl' executable will never call FIPS_mode_set(1) as required by
the security policy.

DS

john.ma...@wipro.com

Oct 6, 2010, 9:01:59 AM
Thanks again

I do have the env Variable OPENSSL_FIPS set to 1. And the key generated
is as below

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5

bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ
.
.
.
.hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG
bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew==
-----END RSA PRIVATE KEY-----

But still it fails at the same method "PEM_do_header"

Any hint?

Thanks
John Paul


Dr. Stephen Henson

Oct 6, 2010, 12:17:44 PM
On Wed, Oct 06, 2010, john.ma...@wipro.com wrote:

> Thanks again
>
> I do have the env Variable OPENSSL_FIPS set to 1. And the key generated
> is as below
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5
>
> bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
> vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ
> .
> .
> .
> .hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG
> bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew==
> -----END RSA PRIVATE KEY-----
>
> But still it fails at the same method "PEM_do_header"
>

If that happens the version of OpenSSL isn't in FIPS mode. You should get:

-----BEGIN PRIVATE KEY-----

and no Proc-Type, DEK-Info lines if it worked. If you also do:

OPENSSL_FIPS=1 openssl md5 somefile

it should fail with an error if FIPS mode is entered correctly.

john.ma...@wipro.com

Oct 8, 2010, 5:58:52 AM
Thank you Steve,

I had a problem creating the certificate and key in FIPS mode. With your
suggestion I am now able to create a FIPS supported certificate.

When I create it with a passphrase the key looks as below

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA
..<snip>
toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE
-----END ENCRYPTED PRIVATE KEY-----

Now it fails at "PKCS8_decrypt" in "PEM_read_bio_PrivateKey". I verified
that the passphrase returned by the cb is the same as the one that I used to
create the certificate. Any hint if I miss something in the key
generation?

The command I used to create this key is

./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem -out wv-cert.pem

If I create the key without a passphrase then the code hits this snippet
of the code (PEM_read_bio_PrivateKey) and works fine
..
..
p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len);
if(!p8inf) goto p8err;
ret = EVP_PKCS82PKEY(p8inf);
..
..

Thanks
John Paul


Dr. Stephen Henson

Oct 8, 2010, 6:39:05 AM

Have you included OpenSSL_add_all_algorithms() in your code? If so then see the
FAQ for details of how to print out error messages.
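
The key encapsulations that come up in this thread can be told apart from the PEM file alone, which is a quick way to check what a key file actually contains before loading it in FIPS mode, and for an encrypted PKCS#8 key, which password-based scheme the decrypting library must have available. This is an added example, not code from the thread or from the OpenSSL project; the function names (`tlv`, `oid_str`, `classify`) are hypothetical, and the two samples reuse only the header lines posted above.

```python
import base64
import re

# Well-known outer PBE scheme OIDs for a PKCS#8 EncryptedPrivateKeyInfo.
PBE_SCHEMES = {"1.2.840.113549.1.5.13": "PBES2",
               "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC"}

def tlv(buf, pos):
    """Return (content_start, length) of the DER element at pos."""
    n = buf[pos + 1]
    if n < 0x80:  # short-form length
        return pos + 2, n
    k = n & 0x7F  # long form: the next k bytes hold the length
    return pos + 2 + k, int.from_bytes(buf[pos + 2:pos + 2 + k], "big")

def oid_str(raw):
    """Decode DER OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if b < 0x80:  # last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def classify(pem):
    """Describe how a PEM private key is wrapped; no passphrase needed."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)(?:-----END|\Z)", pem, re.S)
    if not m:
        return "not a PEM block"
    label, body = m.groups()
    if label == "RSA PRIVATE KEY":  # the "traditional" format (MD5-based when encrypted)
        dek = re.search(r"^DEK-Info: ([^,\s]+)", body, re.M)
        return "traditional, " + ("encrypted with " + dek.group(1) if dek else "unencrypted")
    if label == "PRIVATE KEY":
        return "PKCS#8, unencrypted"
    if label == "ENCRYPTED PRIVATE KEY":
        der = base64.b64decode(body.split()[0])  # first line covers the header
        p, _ = tlv(der, 0)  # EncryptedPrivateKeyInfo SEQUENCE
        p, _ = tlv(der, p)  # encryptionAlgorithm SEQUENCE
        p, n = tlv(der, p)  # algorithm OBJECT IDENTIFIER
        oid = oid_str(der[p:p + n])
        return "PKCS#8, encrypted with " + PBE_SCHEMES.get(oid, oid)
    return "other PEM type: " + label

# Header lines as posted in the thread; key material omitted.
TRADITIONAL = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               "DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5\n\n")
PKCS8_ENC = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
             "MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA\n")
```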
