Here's the certificate which is failing:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=www.casofti.com, ST=BC, C=CA/emailAddress=dniko...@casofti.com, O=Teradici CA
        Validity
            Not Before: Mar 20 23:12:14 2012 GMT
            Not After : Mar 20 23:12:14 2013 GMT
        Subject: CN=www.terasofti.com, ST=BC, C=CA, O=tera_test_1024
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a8:35:18:8f:a2:4f:79:99:70:57:37:bf:f7:f6:
                    ee:d8:6f:3b:fe:1b:c1:da:be:55:a0:f9:c4:d4:39:
                    a4:99:dd:b3:9f:d4:bd:0a:3a:50:7d:ad:f2:b6:29:
                    22:b3:3f:1e:c1:45:da:49:8b:43:fd:62:9a:94:c9:
                    bd:f5:54:96:c8:a1:d1:f8:0d:b7:a6:7d:54:00:72:
                    10:59:13:7c:b1:4f:93:d7:75:76:23:ea:14:8b:f8:
                    f5:59:c8:6a:f4:b7:f6:cd:0f:8e:f9:f5:65:d4:91:
                    af:48:87:3f:fa:da:c0:94:0a:57:5d:7e:fe:32:f8:
                    70:e4:c8:9f:3d:44:c2:ef:bd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption


Is it failing because of the (unapproved) md5 signature algorithm? ... N


---
Nou Dadoun
ndad...@teradici.com
604-628-1215 


-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: June 18, 2012 10:45 AM
To: openssl-users@openssl.org
Subject: Re: FIPS doesn't verify certificate with 1024-bit keys

On Mon, Jun 18, 2012, Nou Dadoun wrote:

> 
> Why is it failing with the fips library and passing with the non-fips library 
> - does it have anything to do with the 1024 bit key? (i.e. 2048 and 4096-key 
> certs both work, and the ca cert has a 2048-bit key)
> 

Do you get an additional error from ERR_print_errors_fp(stderr)? Is the key
size 1024 bits exactly or 1023? What digest algorithm is used? Is it FIPS
approved SHA1 or SHA2 or an unapproved algorithm like MD5?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
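
An added example (not from either poster and not OpenSSL code): a small Python check that answers the two questions in the reply above from an `openssl x509 -text` dump, namely which digest signs the certificate and whether the RSA modulus is exactly 1024 bits. The list of approved digests is an assumption taken only from the names used in this thread (SHA1 and the SHA2 family), and `inspect` and `DUMP` are hypothetical names.

```python
import re

# Assumption: "approved" means only the digests this thread names (SHA1, SHA2).
APPROVED = {"sha1", "sha224", "sha256", "sha384", "sha512"}

# Trimmed text dump of the certificate quoted in the message above.
DUMP = """\
        Signature Algorithm: md5WithRSAEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a8:35:18:8f:a2:4f:79:99:70:57:37:bf:f7:f6:
                    ee:d8:6f:3b:fe:1b:c1:da:be:55:a0:f9:c4:d4:39:
                    a4:99:dd:b3:9f:d4:bd:0a:3a:50:7d:ad:f2:b6:29:
                    22:b3:3f:1e:c1:45:da:49:8b:43:fd:62:9a:94:c9:
                    bd:f5:54:96:c8:a1:d1:f8:0d:b7:a6:7d:54:00:72:
                    10:59:13:7c:b1:4f:93:d7:75:76:23:ea:14:8b:f8:
                    f5:59:c8:6a:f4:b7:f6:cd:0f:8e:f9:f5:65:d4:91:
                    af:48:87:3f:fa:da:c0:94:0a:57:5d:7e:fe:32:f8:
                    70:e4:c8:9f:3d:44:c2:ef:bd
                Exponent: 65537 (0x10001)
"""


def inspect(dump):
    """Return (signature_algorithm, digest_approved, modulus_bits)."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", dump)
    mod = re.search(r"Modulus[^\n]*:\n(.*?)Exponent:", dump, re.S)
    if not sig or not mod:
        raise ValueError("not an RSA certificate text dump")
    alg = sig.group(1)
    # Only the <digest>WithRSAEncryption naming is handled; anything else
    # is reported as not approved rather than guessed at.
    name = re.fullmatch(r"(\w+?)WithRSAEncryption", alg)
    approved = bool(name) and name.group(1).lower() in APPROVED
    # Count real bits: the leading 00 byte is ASN.1 sign padding, so a
    # "1024 bit" label can hide a 1023-bit modulus if the top bit is clear.
    bits = int(re.sub(r"[^0-9a-fA-F]", "", mod.group(1)), 16).bit_length()
    return alg, approved, bits


if __name__ == "__main__":
    alg, approved, bits = inspect(DUMP)
    print(f"signature: {alg} ({'approved' if approved else 'NOT approved'} digest)")
    print(f"modulus:   {bits} bits")
```
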