Hi OpenSSL Developers,

Thank you for your advice. I tried to use the latest source via ftp://ftp.openssl.org/snapshot/openssl-0.9.8-fips-test-SNAP-20080312.tar.gz and followed the instructions to build fips openssl. Below is what I get:

[EMAIL PROTECTED] pwd
/home/boqian/fips/openssl-0.9.8-fips-test-SNAP-20080312/apps
[EMAIL PROTECTED] ldd openssl
        libssl.so.0.9.8 => /home/boqian/fips/openssl-0.9.8-fips-test-SNAP-20080312/libssl.so.0.9.8
        libcrypto.so.0.9.8 => /home/boqian/fips/openssl-0.9.8-fips-test-SNAP-20080312/libcrypto.so.0.9.8
        libdl.so.1 => /usr/lib/hpux32/libdl.so.1
        libc.so.1 => /usr/lib/hpux32/libc.so.1
        libcrypto.so.0.9.8 => /home/boqian/fips/openssl-0.9.8-fips-test-SNAP-20080312/libcrypto.so.0.9.8
        libdl.so.1 => /usr/lib/hpux32/libdl.so.1
[EMAIL PROTECTED] ./openssl version
OpenSSL 0.9.8h-fips-dev xx XXX xxxx
[EMAIL PROTECTED] ./openssl ecparam -out eckey_secp112r1.pem -name secp112r1 -genkey
[EMAIL PROTECTED] ./openssl ec -in eckey_secp112r1.pem -des3 -out key_out_secp112r1.pem -passout pass:pass
read EC key
unable to load Key
3859:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1294:
3859:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:830:
3859:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:748:Field=n, Type=RSA
3859:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:99:
3859:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:125:
[EMAIL PROTECTED] cat eckey_secp112r1.pem
-----BEGIN EC PARAMETERS-----
BgUrgQQABg==
-----END EC PARAMETERS-----
-----BEGIN RSA PRIVATE KEY-----
MD4CAQEEDr3zMZRjZsucD7xiGhqioAcGBSuBBAAGoSADHgAEK/bKhjxrqyPcKi3D
1H6BkcdBkiCx43oLyRyY9g==
-----END RSA PRIVATE KEY-----

It seems this bug has not been fixed. In fact, after I tried modifying crypto/pem/pem_all.c, the problem disappeared.

Original:

int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
                         unsigned char *kstr, int klen,
                         pem_password_cb *cb, void *u)
{
    if (FIPS_mode())
        return PEM_write_PKCS8PrivateKey(fp, x, enc,
                                         (char *)kstr, klen, cb, u);
    else
        return PEM_ASN1_write((i2d_of_void *)i2d_PrivateKey,
            (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
            fp,(char *)x,enc,kstr,klen,cb,u);
}

Modification:

int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
                         unsigned char *kstr, int klen,
                         pem_password_cb *cb, void *u)
{
    if (FIPS_mode())
        return PEM_write_PKCS8PrivateKey(fp, x, enc,
                                         (char *)kstr, klen, cb, u);
    else
        return PEM_ASN1_write((i2d_of_void *)i2d_PrivateKey,
            (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:
             ((x)->type == EVP_PKEY_EC)?PEM_STRING_ECPRIVATEKEY:PEM_STRING_RSA),
            fp,(char *)x,enc,kstr,klen,cb,u);
}

Hope it is helpful. Thank you!

> Subject: [openssl.org #1649] openssl-fips-test-1.2.0 bug
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> CC: [email protected]
> Date: Sat, 8 Mar 2008 13:27:16 +0100
>
>> [EMAIL PROTECTED] - Fri Mar 07 09:30:15 2008]:
>>
>>
>> 2)
>> [EMAIL PROTECTED] pwd
>> /home/boqian/fips/openssl-fips-0.9.8f-dev
>> [EMAIL PROTECTED] ./Configure hpux-cc fipscanisterbuild
>>
>
> You should do:
>
> ./config fipscanisterbuild
>
>>
>> It shows the eckey_secp112r1.pem file's format may be wrong.
>> Is there any workaround? Could you investigate this problem?
>> Thank you and looking forward to your reply!
>>
>
> The 1.2 module has been submitted for validation and the code is now
> frozen. We can't modify that at this stage.
>
> However you can use the 1.2 test tarball to generate the FIPS module and
> then use a later version of OpenSSL 0.9.8-fips to produce the libraries.
> I suggest you see if your problem applies to that version too. If so
> we'll fix it.
>
> See the documentation for details about how to link 0.9.8-fips against
> the test FIPS module.
>
> Note that the EC implementation is not part of the FIPS modules so will
> not be an approved algorithm in FIPS mode.
>
> Well nothing has been validated yet as testing isn't complete...

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
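
An added example, not part of the original message or of OpenSSL's code: a Python check that compares each PEM private-key label with the DER structure inside it, run on the PEM file quoted in the message. The names `read_tlv`, `classify_der` and `check_pem` are assumptions made for this illustration; the result shows why the decoder reported "wrong tag" at `Field=n, Type=RSA`: the block labelled RSA holds an ECPrivateKey, whose second field is an OCTET STRING rather than the INTEGER modulus.

```python
import base64
import re

# PEM label -> structure the traditional (non-PKCS#8) decoder expects.
EXPECTED = {"RSA PRIVATE KEY": "RSAPrivateKey", "EC PRIVATE KEY": "ECPrivateKey"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Copied from the `cat eckey_secp112r1.pem` output in the message above.
PAGE_PEM = """-----BEGIN EC PARAMETERS-----
BgUrgQQABg==
-----END EC PARAMETERS-----
-----BEGIN RSA PRIVATE KEY-----
MD4CAQEEDr3zMZRjZsucD7xiGhqioAcGBSuBBAAGoSADHgAEK/bKhjxrqyPcKi3D
1H6BkcdBkiCx43oLyRyY9g==
-----END RSA PRIVATE KEY-----
"""

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify_der(der):
    """Identify the key structure from its version and second field."""
    tag, start, _ = read_tlv(der, 0)
    vtag, vstart, vend = read_tlv(der, start)
    if tag != 0x30 or vtag != 0x02:
        raise ValueError("expected a SEQUENCE starting with a version INTEGER")
    version, second = int.from_bytes(der[vstart:vend], "big"), der[vend]
    if version == 1 and second == 0x04:    # OCTET STRING privateKey
        return "ECPrivateKey"
    if version == 0 and second == 0x02:    # INTEGER n (DSA looks alike here)
        return "RSAPrivateKey"
    return "unknown"

def check_pem(text):
    """Return (label, structure, label_matches) per private-key block."""
    out = []
    for label, body in PEM_RE.findall(text):
        if label in EXPECTED:              # skips the EC PARAMETERS block
            actual = classify_der(base64.b64decode(body))
            out.append((label, actual, EXPECTED[label] == actual))
    return out
```

Calling `check_pem(PAGE_PEM)` reports the mismatch for the file as written; relabelling the block as `EC PRIVATE KEY`, which is what the proposed `PEM_STRING_ECPRIVATEKEY` branch produces, makes the label and content agree.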
