On 1/1/2013 1:26 AM, Sial Nije wrote:
Greetings,

I need help to generate an ECDSA key file that is passphrase protected
and the key file is used in FIPS mode. My application is StrongSwan
linked with FIPS enabled libcrypto.so, version 1.0.1c.
It seems the FIPS-capable openssl executable uses a hard-coded MD5 hash on the
passphrase. There is no MD5 in FIPS, so the IPsec IKE establishment fails
silently; the log just states it cannot find the private key for the subject name.
If I generate the key in non-FIPS mode and run the IPSec app in non-FIPS
mode then IPSec tunnel establishes successfully.

I built openssl-fips-2.0.2 with following:
 > ./config
 > make
 > make install

Then openssl-1.0.1c with following:
 > ./config fips
 > make
 > make install
 > mv /usr/bin/openssl /usr/bin/openssl.old
 > ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

Then the following commands to generate a password protected key file:
 > export OPENSSL_FIPS=1
 > openssl ecparam -genkey -name prime256v1 -out tempkey.pem
 > openssl ec -aes128 -in tempkey.pem -out myprivkey.pem -passout pass:testing123

No error at this point but the output myprivkey.pem cannot be read by
other openssl executables, whether in FIPS mode or outside FIPS mode.

To read back the key file:
 > openssl ec -in myprivkey.pem -text -passin pass:testing123

Got error:
Digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:

(Tried RSA key encryption for comparison, same error. But I really need
to use ECDSA.)

Then I re-built openssl with "./config -d fips" and stepped through the
"ec -aes128 ..." command.
Traced into crypto/pem/pem_lib.c where it calls EVP_BytesToKey() passing
EVP_md5() as the hasher.
There is another EVP_md5() call in pem_lib.c when doing the decrypt. If
I replace these 2 with EVP_sha1() when in FIPS mode, then openssl ec can
encrypt key file and read it back.
But my IPSec application still cannot use the password protected key in
FIPS mode.

Does anyone use a password-protected key file in FIPS mode, and how do you do it?
Thanks for the help.

Sialnije
I have not tried it, but perhaps the following method could work:

1. On a sufficiently trusted machine (there may be procedural government
requirements here) generate the key unencrypted with the "-nodes" option.
For safety, store the private key on a RAM disk, so it will go away
securely when you power cycle the machine shortly after step 2.

2. Use the following command
   openssl pkcs8 -topk8 -v2 aes128
to encrypt the private key using SHA1+AES128, which seems to be the closest
to current NIST algorithms supported by the broken logic in the current code.


P.S.

To the openssl documentation maintainers:

The openssl pkcs8 -v2 option is insufficiently documented, as it does not state
what hashing algorithms will be used, and the underlying libcrypto functions
appear to be undocumented.

The current code seems to end up in crypto/asn1/p5_pbev2.c, which
defaults to a hard-coded reference to SHA-1 unless the symmetric
algorithm is RC2 (uses MD5), GOST or some future cipher implementing
the EVP_CTRL_PBE_PRF_NID cipher control (most modern ciphers don't
implement this badly thought out nonsense, and most higher level openssl
APIs and apps do not allow passing a PRF NID or EVP_MD down to
PKCS5_pbe2_set_iv()).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
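The thread contrasts two passphrase-to-key paths: the legacy PEM encryption that "openssl ec -aes128" writes (a DEK-Info header and EVP_BytesToKey with a hard-coded MD5, which FIPS-mode libcrypto refuses at EVP_DigestInit), and the PKCS#8 PBES2 path that "openssl pkcs8 -topk8 -v2 aes128" writes (PBKDF2 with HMAC-SHA1 as the default PRF, which FIPS accepts). The example below is added here and is not code from either poster or from OpenSSL; it reimplements both derivations in Python so the difference can be seen without a FIPS build, and classifies a PEM file by its headers so you can check which scheme a key file actually uses before deploying it into a FIPS-mode application. The sample PEM texts are constructed (their bodies are not real keys), the 2048 iteration default and the set of FIPS-approved digests are assumptions stated in the comments, and the `fips_mode` flag only models the digest gate the thread's error message shows.

```python
import hashlib
import re

# Assumption: digests a FIPS-mode libcrypto will accept in EVP_DigestInit.
# MD5 is absent, which is the "FIPS_DIGESTINIT:disabled for fips" error quoted
# in the thread.
FIPS_DIGESTS = {"sha1", "sha224", "sha256", "sha384", "sha512"}

PBES2_DEFAULT_ITER = 2048    # assumption: OpenSSL 1.0.x PKCS5_DEFAULT_ITER
PBES2_DEFAULT_PRF = "sha1"   # the hard-coded default Jakob found in p5_pbev2.c
PKCS5_SALT_LEN = 8           # EVP_BytesToKey uses only 8 bytes of salt

# Key sizes for the DEK-Info ciphers the legacy PEM format commonly names.
DEK_KEY_LEN = {"AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32,
               "DES-EDE3-CBC": 24}


def evp_bytes_to_key(digest, password, salt, key_len, iv_len=0, count=1,
                     fips_mode=False):
    """OpenSSL's EVP_BytesToKey: D_i = H^count(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes are available."""
    if fips_mode and digest not in FIPS_DIGESTS:
        raise ValueError(f"FIPS_DIGESTINIT: {digest} disabled for fips")
    salt = salt[:PKCS5_SALT_LEN]
    out, prev = b"", b""
    while len(out) < key_len + iv_len:
        d = hashlib.new(digest, prev + password + salt).digest()
        for _ in range(count - 1):
            d = hashlib.new(digest, d).digest()
        out += d
        prev = d
    return out[:key_len], out[key_len:key_len + iv_len]


def pbes2_key(password, salt, key_len, iterations=PBES2_DEFAULT_ITER,
              prf=PBES2_DEFAULT_PRF, fips_mode=False):
    """PBKDF2 as used by PKCS#8 PBES2 ("openssl pkcs8 -topk8 -v2 ...")."""
    if fips_mode and prf not in FIPS_DIGESTS:
        raise ValueError(f"FIPS_DIGESTINIT: {prf} disabled for fips")
    return hashlib.pbkdf2_hmac(prf, password, salt, iterations, key_len)


def pem_scheme(pem_text):
    """Classify a PEM private key by its armour and headers."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text:
        return "pkcs8-pbes2"          # PKCS#8 EncryptedPrivateKeyInfo
    if "Proc-Type: 4,ENCRYPTED" in pem_text and "DEK-Info:" in pem_text:
        return "legacy-dek-info"      # pem_lib.c: EVP_BytesToKey with MD5
    if "PRIVATE KEY-----" in pem_text:
        return "unencrypted"
    return "unknown"


def passphrase_usable_in_fips(pem_text):
    """True only for the PBES2 form; the legacy form needs MD5 to decrypt."""
    return pem_scheme(pem_text) == "pkcs8-pbes2"


def legacy_pem_key(pem_text, password, fips_mode=False):
    """Derive the cipher key the way PEM_do_header does: MD5 EVP_BytesToKey,
    one iteration, with the first 8 bytes of the DEK-Info IV as salt."""
    m = re.search(r"DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)", pem_text)
    if not m:
        raise ValueError("no DEK-Info header")
    cipher, iv = m.group(1), bytes.fromhex(m.group(2))
    key, _ = evp_bytes_to_key("md5", password, iv, DEK_KEY_LEN[cipher],
                              fips_mode=fips_mode)
    return key


# Constructed sample files: headers are realistic, bodies are not real keys.
LEGACY_PEM = """-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

Y29uc3RydWN0ZWQgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END EC PRIVATE KEY-----
"""
PKCS8_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
Y29uc3RydWN0ZWQgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, pem in (("legacy", LEGACY_PEM), ("pkcs8", PKCS8_PEM)):
        print(name, pem_scheme(pem), "fips-usable:", passphrase_usable_in_fips(pem))
    print("legacy key (non-FIPS):", legacy_pem_key(LEGACY_PEM, b"testing123").hex())
    try:
        legacy_pem_key(LEGACY_PEM, b"testing123", fips_mode=True)
    except ValueError as e:
        print("legacy key (FIPS):", e)
    print("pbes2 key (FIPS):", pbes2_key(b"testing123", b"12345678", 16,
                                         fips_mode=True).hex())
```

Run it with no arguments to see the legacy derivation succeed outside FIPS, fail inside it, and the PBES2 derivation succeed in both. The classifier is the practical check: a key file that an IPsec daemon is expected to open in FIPS mode should report `pkcs8-pbes2`, and a `legacy-dek-info` result explains the "cannot find private key" symptom described in the first message.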