RE: FIPS mode - fails to read the RSA key
Again thank you Steve,

Invoking OpenSSL_add_all_algorithms() made the certificate processing work without any trouble.

Thanks
John Paul

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Friday, October 08, 2010 4:09 PM
To: openssl-users@openssl.org
Subject: Re: FIPS mode - fails to read the RSA key

On Fri, Oct 08, 2010, john.mattapi...@wipro.com wrote:
> Thank you Steve,
>
> I had a problem in creating the certificate and key in FIPS mode. With your
> suggestion I am now able to create a FIPS-supported certificate. When I
> create it with a passphrase the key looks as below:
>
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA
> ..snip
> toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE
> -----END ENCRYPTED PRIVATE KEY-----
>
> Now it fails at PKCS8_decrypt in PEM_read_bio_PrivateKey. I verified that
> the passphrase returned by the cb is the same as the one that I used to
> create the certificate. Any hint if I miss something in the key generation?
>
> The command I used to create this key is
>
> ./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem -out wv-cert.pem
>
> If I create the key without a passphrase then the code hits this snippet
> of the code (PEM_read_bio_PrivateKey) and works fine:
>
> ..
> ..
> p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, p, len);
> if(!p8inf) goto p8err;
> ret = EVP_PKCS82PKEY(p8inf);
> ..
> ..

Have you included OpenSSL_add_all_algorithms() in your code? If so then see
the FAQ for details of how to print out error messages.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Please do not print this email unless it is absolutely necessary.
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments.

WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.

www.wipro.com
RE: FIPS mode - fails to read the RSA key
Thank you Steve,

I had a problem in creating the certificate and key in FIPS mode. With your suggestion I am now able to create a FIPS-supported certificate. When I create it with a passphrase the key looks as below:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA
..snip
toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE
-----END ENCRYPTED PRIVATE KEY-----

Now it fails at PKCS8_decrypt in PEM_read_bio_PrivateKey. I verified that the passphrase returned by the cb is the same as the one that I used to create the certificate. Any hint if I miss something in the key generation?

The command I used to create this key is

./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem -out wv-cert.pem

If I create the key without a passphrase then the code hits this snippet of the code (PEM_read_bio_PrivateKey) and works fine:

..
..
p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, p, len);
if(!p8inf) goto p8err;
ret = EVP_PKCS82PKEY(p8inf);
..
..

Thanks
John Paul

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, October 06, 2010 9:48 PM
To: openssl-users@openssl.org
Subject: Re: FIPS mode - fails to read the RSA key

On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:
> Thanks again
>
> I do have the env variable OPENSSL_FIPS set to 1. And the key generated is as below:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5
>
> bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
> vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ
> . . . .
> hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG
> bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew==
> -----END RSA PRIVATE KEY-----
>
> But still it fails at the same method PEM_do_header

If that happens the version of OpenSSL isn't in FIPS mode. You should get:

-----BEGIN PRIVATE KEY-----

and no Proc-Type, DEK-Info lines if it worked.

If you also do:

OPENSSL_FIPS=1 openssl md5 somefile

it should fail with an error if FIPS mode is entered correctly.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: FIPS mode - fails to read the RSA key
On Fri, Oct 08, 2010, john.mattapi...@wipro.com wrote:
> Thank you Steve,
>
> I had a problem in creating the certificate and key in FIPS mode. With your
> suggestion I am now able to create a FIPS-supported certificate. When I
> create it with a passphrase the key looks as below:
>
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA
> ..snip
> toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE
> -----END ENCRYPTED PRIVATE KEY-----
>
> Now it fails at PKCS8_decrypt in PEM_read_bio_PrivateKey. I verified that
> the passphrase returned by the cb is the same as the one that I used to
> create the certificate. Any hint if I miss something in the key generation?
>
> The command I used to create this key is
>
> ./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem -out wv-cert.pem
>
> If I create the key without a passphrase then the code hits this snippet
> of the code (PEM_read_bio_PrivateKey) and works fine:
>
> ..
> ..
> p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, p, len);
> if(!p8inf) goto p8err;
> ret = EVP_PKCS82PKEY(p8inf);
> ..
> ..

Have you included OpenSSL_add_all_algorithms() in your code? If so then see
the FAQ for details of how to print out error messages.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
FIPS mode - fails to read the RSA key
Hello there,

I am trying to use the OpenSSL-fips version 1.2 for our application (Webserver) in VxWorks. I was able to integrate the library and executing FIPS_mode_set is successful. After initializing with SSL_library_init, the code tries to read the RSA key from a key.pem file. I notice that it uses the methods

PEM_read_bio_RSAPrivateKey -> PEM_read_bio_PrivateKey -> PEM_bytes_read_bio -> PEM_do_header

and PEM_do_header always fails once I enable FIPS mode; if not, it successfully decrypts the RSA key.

I googled around and found a link where they faced a similar problem in OpenSSH, in which he changed the digest parameter from EVP_md5() to EVP_sha1() in the method EVP_BytesToKey. I tried the same but still it fails to decrypt the information from the key.

I would really appreciate it if someone can throw some hint on what I might be doing wrong.

Thanks
John
Re: FIPS mode - fails to read the RSA key
On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:
> Hello there,
>
> I am trying to use the OpenSSL-fips version 1.2 for our application
> (Webserver) in VxWorks. I was able to integrate the library and executing
> FIPS_mode_set is successful. After initializing with SSL_library_init, the
> code tries to read the RSA key from a key.pem file.

Technically you shouldn't use keys created outside FIPS mode in FIPS mode.

In FIPS mode the traditional format is not supported because it used MD5 for
key derivation. The more standard PKCS#8 mode using SHA1 for key derivation
is used instead.

You can convert keys using the pkcs8 command outside FIPS mode but again
technically you aren't supposed to...

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: FIPS mode - fails to read the RSA key
Thanks Steve,

I used the following commands to create the certificate using the openssl built with FIPS support:

openssl genrsa -des3 -out wv-key.pem 1024
openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365

Do I miss any option to make it FIPS supported?

John

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, October 06, 2010 4:36 PM
To: openssl-users@openssl.org
Subject: Re: FIPS mode - fails to read the RSA key

On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:
> Hello there,
>
> I am trying to use the OpenSSL-fips version 1.2 for our application
> (Webserver) in VxWorks. I was able to integrate the library and executing
> FIPS_mode_set is successful. After initializing with SSL_library_init, the
> code tries to read the RSA key from a key.pem file.

Technically you shouldn't use keys created outside FIPS mode in FIPS mode.

In FIPS mode the traditional format is not supported because it used MD5 for
key derivation. The more standard PKCS#8 mode using SHA1 for key derivation
is used instead.

You can convert keys using the pkcs8 command outside FIPS mode but again
technically you aren't supposed to...

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: FIPS mode - fails to read the RSA key
On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:
> Thanks Steve,
>
> I used the following commands to create the certificate using the openssl
> built with FIPS support:
>
> openssl genrsa -des3 -out wv-key.pem 1024
> openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365
>
> Do I miss any option to make it FIPS supported?

The openssl utility is not in FIPS mode by default. You need to set the
environment variable OPENSSL_FIPS to 1 when you call it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: FIPS mode - fails to read the RSA key
On 10/6/2010 5:01 AM, john.mattapi...@wipro.com wrote:
> Thanks Steve,
>
> I used the following commands to create the certificate using the openssl
> built with FIPS support:
>
> openssl genrsa -des3 -out wv-key.pem 1024
> openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365
>
> Do I miss any option to make it FIPS supported?
>
> John

You need to define the environment variable 'OPENSSL_FIPS'. Otherwise, the
'openssl' executable will never call FIPS_mode_set(1) as required by the
security policy.

DS
RE: FIPS mode - fails to read the RSA key
Thanks again

I do have the env variable OPENSSL_FIPS set to 1. And the key generated is as below:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5

bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ
. . . .
hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG
bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew==
-----END RSA PRIVATE KEY-----

But still it fails at the same method PEM_do_header. Any hint?

Thanks
John Paul

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, October 06, 2010 6:02 PM
To: openssl-users@openssl.org
Subject: Re: FIPS mode - fails to read the RSA key

On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:
> Thanks Steve,
>
> I used the following commands to create the certificate using the openssl
> built with FIPS support:
>
> openssl genrsa -des3 -out wv-key.pem 1024
> openssl req -new -x509 -key wv-key.pem -out wv-cert.pem -days 365
>
> Do I miss any option to make it FIPS supported?

The openssl utility is not in FIPS mode by default. You need to set the
environment variable OPENSSL_FIPS to 1 when you call it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: FIPS mode - fails to read the RSA key
On Wed, Oct 06, 2010, john.mattapi...@wipro.com wrote:
> Thanks again
>
> I do have the env variable OPENSSL_FIPS set to 1. And the key generated is as below:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5
>
> bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
> vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ
> . . . .
> hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG
> bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew==
> -----END RSA PRIVATE KEY-----
>
> But still it fails at the same method PEM_do_header

If that happens the version of OpenSSL isn't in FIPS mode. You should get:

-----BEGIN PRIVATE KEY-----

and no Proc-Type, DEK-Info lines if it worked.

If you also do:

OPENSSL_FIPS=1 openssl md5 somefile

it should fail with an error if FIPS mode is entered correctly.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
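Added example, not code from the thread or from OpenSSL: a small Python check for the three PEM header shapes discussed above (traditional DEK-Info, PKCS#8 encrypted, PKCS#8 plain), plus the EVP_BytesToKey derivation that PEM_do_header applies to the traditional format, which is why a DEK-Info key cannot be decrypted once MD5 is unavailable in FIPS mode. The sample PEM bodies and the passphrase are constructed placeholders; the DEK-Info line is the one quoted in the thread.

```python
import hashlib
import re

# Constructed sample PEM files modelled on the headers quoted in the thread.
# Bodies are truncated placeholders, not usable keys.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5

bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA
-----END ENCRYPTED PRIVATE KEY-----
"""
PKCS8_PLAIN_PEM = """-----BEGIN PRIVATE KEY-----
MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4=
-----END PRIVATE KEY-----
"""
# Key lengths (bytes) of the legacy DEK-Info ciphers handled here.
LEGACY_KEY_LEN = {"DES-EDE3-CBC": 24, "AES-128-CBC": 16, "AES-256-CBC": 32}

def classify_pem_key(pem):
    """Report the PEM label, the key-derivation path PEM_read_bio_PrivateKey
    takes for it, and whether that path needs a digest FIPS mode forbids."""
    m = re.search(r"^-----BEGIN ([A-Z ]+)-----$", pem, re.M)
    if not m:
        raise ValueError("no PEM BEGIN line")
    label = m.group(1)
    dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", pem, re.M)
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: SHA1-based key derivation, handled by PKCS8_decrypt.
        return {"label": label, "encrypted": True, "kdf": "PBKDF2-SHA1", "fips_ok": True}
    if dek:
        # Traditional format: PEM_do_header derives the key with EVP_BytesToKey(MD5).
        return {"label": label, "encrypted": True, "cipher": dek.group(1),
                "iv": dek.group(2), "kdf": "EVP_BytesToKey-MD5", "fips_ok": False}
    return {"label": label, "encrypted": False, "kdf": None, "fips_ok": True}

def evp_bytes_to_key(password, salt, key_len, digest="md5"):
    """EVP_BytesToKey with count=1: D_i = H(D_{i-1} || password || salt),
    concatenated until key_len bytes exist. PEM_do_header uses digest MD5."""
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:key_len]

def legacy_key_from_dek_info(password, cipher, iv_hex, digest="md5"):
    """Cipher key for a DEK-Info line; the salt is the first 8 bytes of the IV."""
    salt = bytes.fromhex(iv_hex)[:8]
    return evp_bytes_to_key(password, salt, LEGACY_KEY_LEN[cipher], digest)
```

Running classify_pem_key over a key file before FIPS_mode_set tells you up front whether PEM_do_header will be asked for MD5, which is the failure the thread traces.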