
Issue with Private key with FIPS enabled openssl


Davin Chan

Mar 11, 2009, 7:50:25 AM
I am trying to get mutt to use a FIPS validated OpenSSL to send/receive encrypted emails. When
I don't set the environment variable OPENSSL_FIPS=1, everything works fine.

When I try the same command to decrypt an email with OPENSSL_FIPS set, it fails with:

env OPENSSL_FIPS=1 openssl smime -decrypt -passin stdin -inform DER -in %f -inkey %k -recip %c

unable to load signing key file
11851:error:06080090:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:292:
11851:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:
11851:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:428:

And when I try to look at my private key with FIPS enabled, it fails with:

env OPENSSL_FIPS=1 openssl rsa -in <file> -text
Enter pass phrase for <file>:
unable to load Private Key
12050:error:06080090:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:292:
12050:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:
12050:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:428:

So it looks like it doesn't like the encryption on my private key. The default encryption on my key should be
triple DES, but I've also tried to change the encryption on my key to aes256, but it still fails with the same
message. How do I get my private key into a format acceptable to FIPS? Or is there something else that I'm
missing?

Davin
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Kyle Hamilton

Mar 11, 2009, 8:01:30 AM
Your key's digest is set to md5. This is disallowed in FIPS mode.

Also, 3DES is not allowed in FIPS mode, either.

-Kyle H

On Tue, Mar 10, 2009 at 3:22 PM, Davin Chan <dsc...@nas.nasa.gov> wrote:
> So it looks like it doesn't like the encryption on my private key. The default encryption on my key should be
> triple DES, but I've also tried to change the encryption on my key to aes256, but it still fails with the same
> message. How do I get my private key into a format acceptable to FIPS? Or is there something else that I'm
> missing?

carl...@keycomm.co.uk

Mar 11, 2009, 8:43:51 AM
Triple-DES is listed in the OpenSSL 1.2 security policy and is listed as approved by NIST, so why would it not be available?

Carl
On Wed 11/03/09 12:01 PM , Kyle Hamilton aero...@gmail.com sent:

> Your key's digest is set to md5. This is disallowed in FIPS mode.
>
> Also, 3DES is not allowed in FIPS mode, either.
>
> -Kyle H


Kyle Hamilton

Mar 11, 2009, 3:40:47 PM
It was my mistake, I had misunderstood that DES itself was not allowed
and therefore derivatives of it were not allowed either.

-Kyle H

On Wed, Mar 11, 2009 at 5:43 AM, <carl...@keycomm.co.uk> wrote:
> Triple-DES is listed in the OpenSSL 1.2 security policy and is listed as
> approved by NIST, so why would it not be available?
>
> Carl

Steve Marquess

Mar 12, 2009, 4:16:45 AM
Kyle Hamilton wrote:
> It was my mistake, I had misunderstood that DES itself was not allowed
> and therefore derivatives of it were not allowed either.
>

While 3DES is currently legal we can expect it to be phased out at some
point just as plain DES has been, so AES is the better choice where you
are free to choose between them.

Unfortunately some legacy software that you may need to interoperate
with does not support AES.

-Steve M.

--
Steve Marquess
Veridical Systems, Inc.
marq...@veridicalsystems.com
