On Tuesday, July 06, 2004 Dr. Stephen Henson wrote:
>> So you're saying just have PEM_write_bio_PrivateKey drop through to
>> PEM_write_bio_PKCS8PrivateKey in FIPS mode? That could work. I suppose I
>> could do the same substitution at the application level as well, in lieu of
>> hacking OpenSSL.
>
>Yes, you'd also need some related calls which modify
>PEM_write_bio_RSAPrivateKey() and related calls. Nothing too difficult though.

This looks suspiciously easy -- seems to me that it can all be done in
pem.h by just redefining the legacy names.

The pod/man documentation says that "The {RSA|DSA}PrivateKey functions
... handles ... same formats as the PrivateKey functions but an error
occurs if the private key is not {RSA|DSA}" but I sure can't see where
that error is ever generated. Can you think of any reason RSAPrivateKey
can't just be defined as

    #ifndef OPENSSL_FIPS
    #define PEM_write_RSAPrivateKey(fp,x,enc,kstr,klen,cb,u) \
            PEM_ASN1_write((int (*)())i2d_RSAPrivateKey,PEM_STRING_RSA,fp,\
                    (char *)x,enc,kstr,klen,cb,u)
    #else
    #define PEM_write_RSAPrivateKey(fp,x,enc,kstr,klen,cb,u) \
            PEM_write_PKCS8PrivateKey(fp,x,enc,kstr,klen,cb,u)
    #endif

in pem.h, and ditto for PEM_write_DSAPrivateKey and PEM_write_PrivateKey?
Thanks,
-Steve M.
Steve Marquess
DMLSS Technical Manager
JMLFDC, 623 Porter Street, Ft. Detrick, MD 21702
DSN 343-3933, COM 301-619-3933, FAX 301-619-7831
