Re: [openssl-users] genpkey usage for openssl-1.0.1k on openSUSE-13.2
From: openssl-users On Behalf Of open...@lists.killian.com
Sent: Wednesday, February 18, 2015 13:26

> I noticed that openssl(1) says that various things have been superseded by
> genpkey, so I tried changing my scripts to use it. It works fine for RSA,
> but the man page is not very helpful on EC. I tried
>
>     openssl genpkey -out key.new -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1
>
> and got
>
>     parameter setting error
>     139638314907280:error:06089094:digital envelope routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:

<snip>

genpkey has a standard idea, across all algorithms that have parameters
(which RSA does not), to generate parameters and key(s) as separate steps
with a file in between. For DSA and DH this is good; you may want to
generate your own params, or you may want to use existing ones (in an
existing file), e.g. Oakley or SSH-non-GEX. For EC it makes less sense, as
generating your own curve is complicated (OpenSSL certainly doesn't do it)
and in practice everyone* uses the named curves. Nonetheless you still do:

    openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:x >pfile
    openssl genpkey -paramfile pfile >keyfile

Depending on your OS and shell you may be able to combine these like

    openssl genpkey -genparam | openssl genpkey -paramfile /dev/fd/0

or

    openssl genpkey -paramfile $(openssl genpkey -genparam)

* Well, everybody except the crowd around Dan Bernstein, and they use
non-Weierstrass curves that OpenSSL can't even represent (now?).

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] FIPS, continuous tests, and error reporting
On 02/19/2015 11:09 AM, Salz, Rich wrote:

>> For instance, any of the void DES_*_encrypt(). This cursory observation
>> is also supported by a vendor application code such as:
>
> Ah, okay. Those functions are 'just math'. They depend on no external
> state. They can't fail. It's shifts and masking, etc.

Which incidentally is true also of most of the FIPS 140-2 required KATs;
they are tautological in the sense that the only way they can possibly fail
is if the math is wrong, i.e. 1+1 != 2. Apparently in the dim mists of time
from whence the basic FIPS 140-2 requirements originated, when cryptography
was done with mechanical devices and dedicated discrete component
electronics, such failures were a serious concern. So to this day in a FIPS
module the POST does the equivalent of diligently confirming that 1+1=2,
many times over.

If one of those tautological tests *does* fail, then you have worse
problems than a non-functioning FIPS module.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
Re: [openssl-users] FIPS, continuous tests, and error reporting
From: Dr. Stephen Henson st...@openssl.org
To: openssl-users@openssl.org
Date: 02/19/15 11:34
Subject: Re: [openssl-users] FIPS, continuous tests, and error reporting

> The low level cipher and digest APIs cannot be used in FIPS mode: you
> have to use EVP.

That's quite an important point. It brings a question: how are the
'continuous' FIPS tests performed? Are they automatically called at the
beginning of an EVP_* method? Do they run periodically in the background?
Both?

Regards.
[openssl-users] FIPS, continuous tests, and error reporting
Hello,

I have some questions regarding table '6b - Conditional Tests' of the 2.0.7
Security Policy. It is mentioned that there are continuous tests for stuck
fault. Is the meaning of 'continuous' a matter of frequency? Or are these
continuous tests run each time an algorithm is used?

The document mentions: "In the event of a DRBG self-test failure the calling
application must..." - how is the result communicated to the application?

For that matter and in a general sense, so far I've seen that many
encryption methods do not return any error code. How does error reporting
generally work?

Regards.
[openssl-users] OpenSSL FIPS mode system integration
Hello,

Could you please comment on the following? Any suggestion, insight, hint,
is greatly appreciated.

In FIPS mode, the OS, the device, must be aware of crypto errors, and adopt
a certain behaviour when one occurs. Like shutting down all data output
interfaces. This means that when using OpenSSL, a link must be made between
OpenSSL (or the application using it) and the OS, if only to signal the OS
of such errors.

I would like to modify the FIPS OpenSSL library in such a way that an
OS-specific action is taken when a FIPS error is detected. That action
could be writing a file, writing a specific log msg, sending a signal to an
application, etc.

To continue in the same vein, are there major exit points in the library
that could reduce the amount of modifications to be made? Is error
information in FIPS mode traveling in the library in such a way that it
could be examined and acted upon at a precise point, covering all error
conditions? Are these mainlines making sense, based on your experience
with the OpenSSL library?

Another way would be to modify the applications that use the OpenSSL
library. I tend to think that it would be more efficient and easier on
maintenance to modify the OpenSSL library. But then, the complexity of
tapping on (every) exit point from the library could be overwhelming, when
compared to the source code of several applications.

Any comment, suggestions welcomed.
Re: [openssl-users] OpenSSL FIPS mode system integration
On Thu, Feb 19, 2015 at 05:19:37AM -0500, jone...@teksavvy.com wrote:

> Hello,
>
> Could you please comment on the following? Any suggestion, insight, hint,
> is greatly appreciated.
>
> In FIPS mode, the OS, the device, must be aware of crypto errors, and
> adopt a certain behaviour when one occurs. Like shutting down all data
> output interfaces. This means that when using OpenSSL, a link must be
> made between OpenSSL (or the application using it) and the OS, if only
> to signal the OS of such errors.
>
> I would like to modify the FIPS OpenSSL library in such a way that an
> OS-specific action is taken when a FIPS error is detected. That action
> could be writing a file, writing a specific log msg, sending a signal to
> an application, etc.
>
> To continue in the same vein, are there major exit points in the library
> that could reduce the amount of modifications to be made? Is error
> information in FIPS mode traveling in the library in such a way that it
> could be examined and acted upon at a precise point, covering all error
> conditions? Are these mainlines making sense, based on your experience
> with the OpenSSL library?
>
> Another way would be to modify the applications that use the OpenSSL
> library. I tend to think that it would be more efficient and easier on
> maintenance to modify the OpenSSL library. But then, the complexity of
> tapping on (every) exit point from the library could be overwhelming,
> when compared to the source code of several applications.

Well, the writing is that the crypto module must stop operating on error.

We solved this by calling abort(); in the openssl library on FIPS related
error conditions.

Ciao, Marcus
Re: [openssl-users] genpkey usage for openssl-1.0.1k on openSUSE-13.2
On Thu, Feb 19, 2015, Dave Thompson wrote:

>> From: openssl-users On Behalf Of open...@lists.killian.com
>> Sent: Wednesday, February 18, 2015 13:26
>>
>> I noticed that openssl(1) says that various things have been superseded
>> by genpkey, so I tried changing my scripts to use it. It works fine for
>> RSA, but the man page is not very helpful on EC. I tried
>>
>>     openssl genpkey -out key.new -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1
>>
>> and got
>>
>>     parameter setting error
>>     139638314907280:error:06089094:digital envelope routines:EVP_PKEY_CTX_ctrl:invalid operation:pmeth_lib.c:404:
>
> <snip>
>
> genpkey has a standard idea, across all algorithms that have parameters
> (which RSA does not), to generate parameters and key(s) as separate steps
> with a file in between. For DSA and DH this is good; you may want to
> generate your own params, or you may want to use existing ones (in an
> existing file), e.g. Oakley or SSH-non-GEX. For EC it makes less sense,
> as generating your own curve is complicated (OpenSSL certainly doesn't
> do it) and in practice everyone* uses the named curves. Nonetheless you
> still do:
>
>     openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:x >pfile
>     openssl genpkey -paramfile pfile >keyfile
>
> Depending on your OS and shell you may be able to combine these like
>
>     openssl genpkey -genparam | openssl genpkey -paramfile /dev/fd/0
>
> or
>
>     openssl genpkey -paramfile $(openssl genpkey -genparam)

For OpenSSL 1.0.2 you can specify the parameters when a key is generated.
So the OP's command should work with 1.0.2.

It's also common to use the named curve form of encoding which isn't the
default in 1.0.x branches (for compatibility reasons). So in 1.0.2 you can
do:

    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -pkeyopt \
        ec_param_enc:named_curve

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
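The two generation paths discussed in this thread, written out as an added example (it is not part of any message above, nor OpenSSL's own documentation): the two-step parameters-then-key form that works on 1.0.1, the one-step form with an explicit ec_param_enc that needs 1.0.2 or later, and a read-back check that tells you which parameter encoding actually landed in the key file. The only assumptions are a current openssl(1) on PATH and the scratch directory and file names chosen here.

```shell
#!/bin/sh
# Added example: EC key generation with genpkey, two-step and one-step,
# and a check of the parameter encoding in the resulting key file.
# Assumes openssl(1) 1.1 or 3.x on PATH; all paths below are placeholders.
set -u

WORK="${TMPDIR:-/tmp}/genpkey-demo.$$"
mkdir -p "$WORK"

# Two-step form (works on 1.0.1): write curve parameters to a file,
# then generate the key from that file.
gen_ec_two_step() {
    curve="$1"; out="$2"
    openssl genpkey -genparam -algorithm EC \
        -pkeyopt "ec_paramgen_curve:$curve" -out "$WORK/params.pem" &&
    openssl genpkey -paramfile "$WORK/params.pem" -out "$out"
}

# One-step form (1.0.2 and later): curve and encoding on the key command.
# enc is "named_curve" (an OID in the key) or "explicit" (full parameters).
gen_ec_one_step() {
    curve="$1"; enc="$2"; out="$3"
    openssl genpkey -algorithm EC \
        -pkeyopt "ec_paramgen_curve:$curve" \
        -pkeyopt "ec_param_enc:$enc" -out "$out"
}

# Report how the curve parameters are encoded in a key file. A named-curve
# key prints an "ASN1 OID:" line in the text dump; explicitly encoded
# parameters print the field prime and curve coefficients instead.
ec_param_encoding() {
    if openssl pkey -in "$1" -noout -text 2>/dev/null | grep -q 'ASN1 OID:'; then
        echo named_curve
    else
        echo explicit
    fi
}

# Curve name as OpenSSL reports it (prime256v1 for P-256, secp384r1, ...);
# empty for explicitly encoded parameters.
ec_curve_name() {
    openssl pkey -in "$1" -noout -text 2>/dev/null | sed -n 's/.*ASN1 OID: //p'
}

# Demo run, skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    gen_ec_two_step secp384r1 "$WORK/key-two-step.pem" >/dev/null 2>&1 &&
        echo "two-step: $(ec_curve_name "$WORK/key-two-step.pem") $(ec_param_encoding "$WORK/key-two-step.pem")"
    gen_ec_one_step P-256 explicit "$WORK/key-explicit.pem" >/dev/null 2>&1 &&
        echo "one-step explicit: $(ec_param_encoding "$WORK/key-explicit.pem")"
fi
```

Running the explicit variant and then ec_param_encoding on the result is a quick way to see what 1.0.x hands you by default and why Steve's ec_param_enc:named_curve matters: peers that only accept named curves reject the explicit form.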
Re: [openssl-users] FIPS, continuous tests, and error reporting
> For that matter and in a general sense, so far I've seen that many
> encryption methods do not return any error code. How does error
> reporting generally work?

Really? Which ones?
Re: [openssl-users] OpenSSL FIPS mode system integration
On 02/19/2015 05:19 AM, jone...@teksavvy.com wrote:

> ...This means that when using OpenSSL, a link must be made between
> OpenSSL (or the application using it) and the OS, if only to signal the
> OS of such errors.

Ummm, no. The FIPS module stops functioning (i.e. doesn't perform any
useful crypto operations) in the (highly unlikely) event of POST, KAT, or
continuous test errors. Your application might as well curl up and die at
that point (hint: look at the error codes from the API calls, in particular
FIPS_mode_set()), but the module itself will fail without any intervention.

> ... I would like to modify the FIPS OpenSSL library ...

That's a non-starter right there: the instant you modify the FIPS module,
at all or for any reason, it instantly becomes non validated. Without the
all-important validated status that code is worthless and there is no
reason to use it (unless you want to pay and wait for your own custom
validation of the modified code).

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
Re: [openssl-users] FIPS, continuous tests, and error reporting
>>> For instance, any of the void DES_*_encrypt(). This cursory
>>> observation is also supported by a vendor application code such as:
>>
>> Ah, okay. Those functions are 'just math'. They depend on no external
>> state. They can't fail. It's shifts and masking, etc.
>
> This is basically why I'm wondering about how errors propagate in the
> OpenSSL library.

Functions that can fail return a status. Those that are just math are often
void. There's an error stack where functions can put more detailed status,
and it propagates; see ERR_get_error, ERR_clear_error, etc., for details.
Re: [openssl-users] genpkey usage for openssl-1.0.1k on openSUSE-13.2
On 2015/2/19 00:22, Dave Thompson wrote:

> genpkey has a standard idea, across all algorithms that have parameters
> (which RSA does not), to generate parameters and key(s) as separate steps
> with a file in between. For DSA and DH this is good; you may want to
> generate your own params, or you may want to use existing ones (in an
> existing file), e.g. Oakley or SSH-non-GEX. For EC it makes less sense,
> as generating your own curve is complicated (OpenSSL certainly doesn't
> do it) and in practice everyone* uses the named curves. Nonetheless you
> still do:
>
>     openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:x >pfile
>     openssl genpkey -paramfile pfile >keyfile

Thank you, this is clear now. It might be worth adding an example to the
man page to prevent others from being similarly confused.
[openssl-users] Separate signing and encryption certificates for Thunderbird
I wanted to switch to having separate signing and encryption certificates.
I followed the outline at Stefan Holek's excellent
http://pki-tutorial.readthedocs.org/en/latest/expert/index.html

That is, the signing cert request used

    keyUsage = critical,digitalSignature
    extendedKeyUsage = emailProtection,clientAuth
    subjectKeyIdentifier = hash
    subjectAltName = email:move

And the encryption cert request used

    keyUsage = critical,keyEncipherment
    extendedKeyUsage = emailProtection
    subjectKeyIdentifier = hash
    subjectAltName = email:move

The generated CSRs were signed by my own CA using the following -extensions

    keyUsage = critical,digitalSignature
    basicConstraints = CA:false
    extendedKeyUsage = emailProtection,clientAuth,msSmartcardLogin
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always
    authorityInfoAccess = @issuer_info
    crlDistributionPoints = @crl_info

and

    keyUsage = critical,keyEncipherment
    basicConstraints = CA:false
    extendedKeyUsage = emailProtection,msEFS
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always
    authorityInfoAccess = @issuer_info
    crlDistributionPoints = @crl_info

respectively, resulting in certificate serials 0x19 and 0x0D. This was
done with openssl-1.0.1k on openSUSE 13.2.

I imported the CA cert into Thunderbird under Authorities and set it to be
trusted, and imported 0x19 and 0x0D into Thunderbird under Your
Certificates. I then went to Account Settings > Security, and clicked on
the Select button for the Digital Signing box. It offers me a choice of
0x19 or my old combined sign/encrypt cert. I pick 0x19. It asks me whether
I want to use it for encryption too, and I said no.

I then clicked on the Select for the Encryption box. It offered me the same
two certs as choices: 0x19 or my old combined cert. It did not offer 0x0D.

So the question is what does the above recipe fail to do to make an
encryption cert that Thunderbird would recognize and offer as a choice?

The CN and SAN of the two certs are identical (my name and my email address
respectively). Is that a problem? How do others create separate signing and
encryption certs?

I don't want to delete my old combined cert, since then I would not be able
to read old S/MIME messages to me.

Suggestions and comments welcome.

-Earl
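A first check a practitioner would make here is to confirm what actually ended up in the two issued certificates, since Thunderbird decides what to offer for encryption from the extensions it finds. The script below is an added example (not Earl's recipe, Stefan Holek's tutorial, or OpenSSL's own code): it builds a throwaway CA, issues one certificate with the signing profile and one with the encryption profile from the post, and reads the keyUsage and extendedKeyUsage back out of each. The CA name, the user subject, the scratch paths and the choice of P-256 keys are constructed here; the authorityInfoAccess and crlDistributionPoints lines from the post are left out because they need a real issuer URL.

```shell
#!/bin/sh
# Added example: issue split S/MIME signing and encryption certificates with
# the extension profiles from the post and read the extensions back.
# Assumes openssl(1) 1.1 or 3.x on PATH; names and paths are placeholders.
set -u

WORK="${TMPDIR:-/tmp}/smime-split.$$"
mkdir -p "$WORK"

# CA-side extension profiles from the post (AIA and CRL lines omitted).
cat >"$WORK/ext.cnf" <<'EOF'
[ sign_ext ]
keyUsage = critical,digitalSignature
basicConstraints = CA:false
extendedKeyUsage = emailProtection,clientAuth,msSmartcardLogin
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = email:move

[ enc_ext ]
keyUsage = critical,keyEncipherment
basicConstraints = CA:false
extendedKeyUsage = emailProtection,msEFS
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = email:move
EOF

# Self-signed throwaway CA (constructed name, one-day validity).
make_ca() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 \
        -subj "/CN=Demo S-MIME CA" 2>/dev/null
}

# Generate a key and CSR for the (constructed) user, then issue a
# certificate under the given extension section. $1 = section, $2 = name.
issue_cert() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=Demo User/emailAddress=user@example.com" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -extfile "$WORK/ext.cnf" -extensions "$1" \
        -out "$WORK/$2.pem" 2>/dev/null
}

# Print the line following the "X509v3 Key Usage" header of a certificate,
# e.g. "Digital Signature" or "Key Encipherment".
cert_key_usage() {
    openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Key Usage/{n;s/^ *//;p;}'
}

# Same for "X509v3 Extended Key Usage", e.g.
# "E-mail Protection, TLS Web Client Authentication, Microsoft Smartcardlogin".
cert_ext_key_usage() {
    openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Extended Key Usage/{n;s/^ *//;p;}'
}

# Demo run, skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
    make_ca && issue_cert sign_ext signing && issue_cert enc_ext encryption &&
    for n in signing encryption; do
        echo "$n: KU=[$(cert_key_usage "$WORK/$n.pem")] EKU=[$(cert_ext_key_usage "$WORK/$n.pem")]"
    done
fi
```

If the encryption certificate shows only Key Encipherment and E-mail Protection as intended, the issuing recipe itself is not the problem and the investigation moves to what the mail client requires before it lists a certificate for encryption.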
Re: [openssl-users] FIPS, continuous tests, and error reporting
> Hello,
>
> I have some questions regarding table '6b - Conditional Tests' of the
> 2.0.7 Security Policy. It is mentioned that there are continuous tests
> for stuck fault. Is the meaning of 'continuous' a matter of frequency?
> Or are these continuous tests run each time an algorithm is used?

The CRNGT test is described in section 4.9.2 of FIPS 140-2. It is
continuous in that it is applied to all the output of the RNG. The spec is
absolutely not clear on what you do with a failure, nor is it an effective
stuck at fault test. It is not present in the ISO equivalent spec, nor was
it present in the drafts of the (now defunct) 140-3 draft. It is a data
modifying test and has interesting mathematical properties that raise
concerns that it is something other than a stuck-at test.
Re: [openssl-users] FIPS, continuous tests, and error reporting
On Thu, Feb 19, 2015, jonetsu wrote:

> -----Original Message-----
> From: Salz, Rich rs...@akamai.com
> To: openssl-users@openssl.org
> Date: 02/19/15 07:43
> Subject: Re: [openssl-users] FIPS, continuous tests, and error reporting
>
>>> For that matter and in a general sense, so far I've seen that many
>>> encryption methods do not return any error code. How does error
>>> reporting generally work?
>>
>> Really? Which ones?
>
> For instance, any of the void DES_*_encrypt(). This cursory observation
> is also supported by a vendor application code such as:

The low level cipher and digest APIs cannot be used in FIPS mode: you have
to use EVP.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: [openssl-users] FIPS, continuous tests, and error reporting
-----Original Message-----
From: Salz, Rich rs...@akamai.com
To: openssl-users@openssl.org
Date: 02/19/15 07:43
Subject: Re: [openssl-users] FIPS, continuous tests, and error reporting

>> For that matter and in a general sense, so far I've seen that many
>> encryption methods do not return any error code. How does error
>> reporting generally work?
>
> Really? Which ones?

For instance, any of the void DES_*_encrypt(). This cursory observation is
also supported by a vendor application code such as:

    static void des_encrypt(char key1[8], char key2[8], char key3[8],
                            char ivec[8], char *input, char *output,
                            int len, int encrypt)
    {
        [snip]
        DES_set_key(des_key1, schedule1);
        DES_set_key(des_key2, schedule2);
        DES_set_key(des_key3, schedule3);
        DES_ede3_cbc_encrypt((unsigned char *)input, (unsigned char *)output,
                             len, schedule1, schedule2, schedule3,
                             des_ivec, encrypt);
    }

This is basically why I'm wondering about how errors propagate in the
OpenSSL library.
Re: [openssl-users] OpenSSL FIPS mode system integration
-----Original Message-----
From: Marcus Meissner meiss...@suse.de
To: openssl-users@openssl.org
Date: 02/19/15 08:07
Subject: Re: [openssl-users] OpenSSL FIPS mode system integration

> Well, the writing is that the crypto module must stop operating on error.
>
> We solved this by calling abort(); in the openssl library on FIPS related
> error conditions.

H... What I have written from a consultancy compliance report is that all
crypto operations must stop and, all data output of the designed Data
Output interface(s) must also stop. Hence my concern for the OS knowing
about FIPS crypto test results.

Thanks for your comment.
Re: [openssl-users] OpenSSL FIPS mode system integration
jone...@teksavvy.com jone...@teksavvy.com writes:

> Hello,
>
> Could you please comment on the following? Any suggestion, insight, hint,
> is greatly appreciated.
>
> In FIPS mode, the OS, the device, must be aware of crypto errors, and
> adopt a certain behaviour when one occurs. Like shutting down all data
> output interfaces. This means that when using OpenSSL, a link must be
> made between OpenSSL (or the application using it) and the OS, if only
> to signal the OS of such errors.

I'm not sure it will be called on every conceivable error in the FIPS
module, but what I do in similar situations is something like this:

    /* POST callback: run an external handler when a self-test fails,
     * then let the POST machinery continue (return 1). */
    static int post_cb(int op, int id, int subid, void *ex)
    {
        if (op == FIPS_POST_FAIL)
            system("/bin/fipserror");
        return 1;
    }

And then somewhere:

    FIPS_post_set_callback(post_cb);

--
Henrik Grindal Bakken h...@ifi.uio.no
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52