Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
PKCS12 keystore creation failing in fips mode
234 views
Skip to first unread message
Anamitra Dutta Majumdar (anmajumd)
May 29, 2013, 7:49:56 PM5/29/13
to
We are trying to create pkcs12 keystore in FIPS mode using OpenSSL 1.0.1
and it fails with the following error
9uo8bYe2YpDmqEgC[root@vos-i/usr/local/platform/bin/openssl pkcs12 -export
-in tomcat.pem -inkey ../keys/tomcat_priv.pem -out tomcat.keystore
Enter Export Password:
Verifying - Enter Export Password:
4151633544:error:060A60A3:digital envelope
routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
4151633544:error:06074078:digital envelope
routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
4151633544:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor
cipherinit error:p12_decr.c:83:
4151633544:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt
error:p12_decr.c:175:
4151633544:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt
error:p12_add.c:202:
The same command works in FIPS mode.
So I have the following questions
1. Is there a way to work around issue and still be able to create pkcs12
format keystore in FIPS mode.
2. This command worked in earlier version of openssl like 0.9.8l in FIPS
mode. What has changed in 1.0.1
That it has stopped working in FIPS mode.
Any pointers will be appreciated.
Thanks,
Anamitra
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
and it fails with the following error
9uo8bYe2YpDmqEgC[root@vos-i/usr/local/platform/bin/openssl pkcs12 -export
-in tomcat.pem -inkey ../keys/tomcat_priv.pem -out tomcat.keystore
Enter Export Password:
Verifying - Enter Export Password:
4151633544:error:060A60A3:digital envelope
routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
4151633544:error:06074078:digital envelope
routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
4151633544:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor
cipherinit error:p12_decr.c:83:
4151633544:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt
error:p12_decr.c:175:
4151633544:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt
error:p12_add.c:202:
The same command works in FIPS mode.
So I have the following questions
1. Is there a way to work around issue and still be able to create pkcs12
format keystore in FIPS mode.
2. This command worked in earlier version of openssl like 0.9.8l in FIPS
mode. What has changed in 1.0.1
That it has stopped working in FIPS mode.
Any pointers will be appreciated.
Thanks,
Anamitra
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
Dr. Stephen Henson
May 29, 2013, 9:15:12 PM5/29/13
to
mode.
Workaround: use the -descert option.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Anamitra Dutta Majumdar (anmajumd)
May 30, 2013, 1:45:27 PM5/30/13
to
Hello Steve ,
Thanks for your response.
Is there a corresponding API where we can impose this descert option?
-Anamitra
Thanks for your response.
Is there a corresponding API where we can impose this descert option?
-Anamitra
Dr. Stephen Henson
May 30, 2013, 4:31:17 PM5/30/13
to
On Thu, May 30, 2013, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hello Steve ,
>
> Thanks for your response.
>
> Is there a corresponding API where we can impose this descert option?
>
If you are using PKCS12_create() just set the certificate PBE algorithm to
> Hello Steve ,
>
> Thanks for your response.
>
> Is there a corresponding API where we can impose this descert option?
>
NID_pbe_WithSHA1And3_Key_TripleDES_CBC
Anamitra Dutta Majumdar (anmajumd)
Jun 12, 2013, 3:01:41 PM6/12/13
to
We are using OpenSSL version 0.9.8l
And what we find is that the DSA private key formats are different in FIPS
and non-FIPS mode
In FIPS mode it starts with
-----BEGIN PRIVATE KEY-----
Whereas in non-FIPS mode it starts with
-----BEGIN DSA PRIVATE KEY-----
I understand that this is expected since the "traditional" format relies
on MD5 which is prohibited in FIPS mode
However for our application to work with the SSH keys we would need it in
the traditional format in FIPS mode
Is there a way to override this default behavior and still be able to
generate the keys in the traditional format.
Any pointers would be greatly appreciated.
Thanks,
Anamitra
Anamitra Dutta Majumdar (anmajumd)
Jun 12, 2013, 7:09:05 PM6/12/13
to
Also I found that this works fine with openssl 1.0.1
Where keys are generated in FIPS mode with the following line.
Can someone let me know why this change in behavior between 0.9.8l and
1.0.1?
-----BEGIN DSA PRIVATE KEY-----
Thanks,
Anamitra
On 6/12/13 12:01 PM, "Anamitra Dutta Majumdar (anmajumd)"
Where keys are generated in FIPS mode with the following line.
Can someone let me know why this change in behavior between 0.9.8l and
1.0.1?
-----BEGIN DSA PRIVATE KEY-----
Thanks,
Anamitra
On 6/12/13 12:01 PM, "Anamitra Dutta Majumdar (anmajumd)"
0 new messages