On Wed, Jul 07, 2004, Marquess, Steve Mr JMLFDC wrote:
> On Tuesday, July 06, 2004 Dr. Stephen Henson wrote:
>
> >> So you're saying just have PEM_write_bio_PrivateKey drop through to
> >> PEM_write_bio_PKCS8PrivateKey in FIPS mode? That could work. I suppose I
> >> could do the same substitution at the application level as well, in lieu of
> >> hacking OpenSSL.
> >
> > Yes, you'd also need some related calls which modify
> > PEM_write_bio_RSAPrivateKey() and related calls. Nothing too difficult though.
>
> This looks suspiciously easy -- seems to me that it can all be done in
> pem.h by just redefining the legacy names.
>
> The pod/man documentation says that "The {RSA|DSA}PrivateKey functions
> ... handles ... same formats as the PrivateKey functions but an error
> occurs if the private key is not {RSA|DSA}" but I sure can't see where
> that error is ever generated. Can you think of any reason RSAPrivateKey
> can't just be defined as
>
> #ifndef OPENSSL_FIPS
> #define PEM_write_RSAPrivateKey(fp,x,enc,kstr,klen,cb,u) \
> PEM_ASN1_write((int (*)())i2d_RSAPrivateKey,PEM_STRING_RSA,fp,\
> (char *)x,enc,kstr,klen,cb,u)
> #else
> #define PEM_write_RSAPrivateKey(fp,x,enc,kstr,klen,cb,u) \
> PEM_write_PKCS8PrivateKey(fp,x,enc,kstr,klen,cb,u)
> #endif
>
> in pem.h, and ditto for PEM_write_DSAPrivateKey and PEM_write_PrivateKey?
>
Those macros aren't actually used any more. The real implementations are in
pem_all.c; the error for a different key type is caused by the call to
EVP_PKEY_get1_RSA().

You can't make the call above in any case because the RSAPrivateKey takes
(RSA *) for the key and PKCS8PrivateKey takes (EVP_PKEY *), so the types would
need to be converted.

Additionally you might want to have this behave like some other functions:
only have the new behaviour if FIPS mode is enabled.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                        [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]