Query on engine support in OpenSSL 1.0.2h
Hi All, We currently use OpenSSL 1.0.2h, we are in the process of upgrading to OpenSSL 1.1.1. To address some legacy functionalities we are planning to write engines for OpenSSL 1.0.2h offload crypto operation to external components. We have few queries regarding the same 1. Can we offload all crypto operations (Digest, Encryption/decryption, RSA, ECDSA, DRBG etc) using Engines in OpenSSL 1.0.2h 2. If not, is it must to upgrade to OpenSSL 1.1.1 to achieve the same? Regards, Jayalakshmi
Re: OpenSSL 3.0.0 APIs for creating an EVP_PKEY from a p256 private key octet string
On Tue, Mar 09, 2021 at 02:44:20AM +, Stephen Farrell wrote: > > Hiya, > > On 08/03/2021 02:37, Benjamin Kaduk wrote: > > Hi Stephen :) > > > > The API you'll want to use is EVP_PKEY_fromdata(); there's > > a stubbed out example of using it to make an EVP_PKEY with > > EC group parameters at > > https://github.com/openssl/openssl/issues/14258#issuecomment-783351031 > > but the translation to also specify OSSL_PKEY_PARAM_PRIV_KEY > > (and possibly OSSL_PKEY_PARAM_PUB_KEY; I forget if you need > > to pass both) should be fairly straightforward. > > Thanks for that! I worked around a few things and still need > to tidy-up but got things working that way without any more > deprecation warnings. > > > > > Let us know if you run into trouble with that route. > > One outstanding issue is that I still need different code > paths for NIST curves vs. 25519 & 448 - is that just me > (quite likely:-) or should these new APIs hide differences > between those different curves? I would have expected that the API should hide the differences other than the group name ... but these APIs are still pretty new to me, too. If you can point me at your code I might have more to say. -Ben
Re: OpenSSL 3.0.0 APIs for creating an EVP_PKEY from a p256 private key octet string
Hiya, On 08/03/2021 02:37, Benjamin Kaduk wrote: Hi Stephen :) The API you'll want to use is EVP_PKEY_fromdata(); there's a stubbed out example of using it to make an EVP_PKEY with EC group parameters at https://github.com/openssl/openssl/issues/14258#issuecomment-783351031 but the translation to also specify OSSL_PKEY_PARAM_PRIV_KEY (and possibly OSSL_PKEY_PARAM_PUB_KEY; I forget if you need to pass both) should be fairly straightforward. Thanks for that! I worked around a few things and still need to tidy-up but got things working that way without any more deprecation warnings. Let us know if you run into trouble with that route. One outstanding issue is that I still need different code paths for NIST curves vs. 25519 & 448 - is that just me (quite likely:-) or should these new APIs hide differences between those different curves? Thanks again, S. -Ben On Mon, Mar 08, 2021 at 02:23:36AM +, Stephen Farrell wrote: Hiya, My question: how does one setup an EVP_PKEY for a NIST curve (e.g. p256) key pair when one has the private key in an octet string using the latest OpenSSL 3.0.0 high level APIs? I'm trying to get rid of deprecation warnings from my code for HPKE [1] when dealing with NIST curves using the new (I guess?) OSSL_PARAM_* approach. I'm failing at the moment;-) So, given an octet string from a set of test vectors (e.g. [2]) what's the proper way to setup an EVP_PKEY for that to allow one to validate the test vectors? Happy to try produce a stand-alone example for this in the next few days if one doesn't exist (I've not found one so far). Thanks, Stephen. [1] https://github.com/sftcd/happykey/blob/7d52d34c516ab58ca1433004ff82b2a6a82eea4c/hpke.c#L1263 [2] https://github.com/cfrg/draft-irtf-cfrg-hpke pub RSA 4096/7B172BEA 2017-12-22 Stephen Farrell (2017) sub RSA 4096/36CB8BB6 2017-12-22 OpenPGP_0x5AB2FAF17B172BEA.asc Description: application/pgp-keys OpenPGP_signature Description: OpenPGP digital signature
Cross-Compiling w/ FIPS Support from Linux to Windows
Hi there:
I'm trying to cross-compile FIPS-capable OpenSSL from Linux to Windows.
I already have a working native Linux build system, and I want to
extend it to support Windows targets without standing up a new host.
My cross-compile process follows the FOM User Guide to the best of my
understanding:
```
export MACHINE="MINGW64"
export SYSTEM="mingw64"
export CROSS_COMPILE="x86_64-w64-mingw32-"
export HOSTCC="gcc"
export FIPS_SIG="${FIPS_HOME}/src/util/msincore"
# build FIPS Object Module
cd ${FIPS_HOME}/src
./config
make
make install
# build OpenSSL
cd ${OPENSSL_HOME}/src
./config fips --prefix=${OPENSSL_FIPS} --with-fipsdir=${OPENSSL_FIPS}
make depend
make
make install
```
`FIPS_HOME`, `OPENSSL_HOME`, and `OPENSSL_FIPS` are the locations of
the FOM source tree, the OpenSSL source tree, and the output directory,
respectively.
The first failure occurs during the FOM `make install` step. The error
is:
```
cp: cannot stat 'fips_standalone_sha1': No such file or directory
```
It turns out that the build steps I've written above produce
`fips_standalone_sha1.exe`, which `make install` can't find. That's a
problem for me, because I know it's against the FIPS certification to
modify anything in the work area, but I can't seem to proceed without
changing that file name.
Just to expose another issue let me violate the certification
temporarily to bypass the problem. When I insert this command before
`make install`:
```
mv ./fips/fips_standalone_sha1.exe ./fips/fips_standalone_sha1
```
the build continues through the FOM and into OpenSSL. In fact, it seems
to get either nearly or completely through `make` before failing at the
incore digest step:
```
no fipstx section at ${FIPS_HOME}/src/util/msincore line 132.
```
This seems to indicate that `msincore` is not getting the kind of
executable it expects, but I'm not sure how to resolve that. I can't
turn up anything interesting on the Web, since most cross-compilation
discussions seem to target Android or iOS. If anyone has any guidance,
I'd appreciate it.
Thank you,
Bradley
signature.asc
Description: This is a digitally signed message part
