On Wed, Jul 07, 2004, Marquess, Steve Mr JMLFDC wrote:

> On Tuesday, July 06, 2004 Dr. Stephen Henson wrote:
> 
> >> So you're saying just have PEM_write_bio_PrivateKey drop through to
> >> PEM_write_bio_PKCS8PrivateKey in FIPS mode?  That could work.  I suppose I
> >> could do the same substitution at the application level as well, in lieu of
> >> hacking OpenSSL.
> >
> >Yes, you'd also need some related calls which modify
> >PEM_write_bio_RSAPrivateKey() and related calls. Nothing too difficult though.
> 
> This looks suspiciously easy -- seems to me that it can all be done in
> pem.h by just redefining the legacy names.
> 
> The pod/man documentation says that "The {RSA|DSA}PrivateKey functions
> ... handles ... same formats as the PrivateKey functions but an error
> occurs if the private key is not {RSA|DSA}" but I sure can't see where
> that error is ever generated.  Can you think of any reason RSAPrivateKey
> can't just be defined as
> 
> #ifndef OPENSSL_FIPS
> #define PEM_write_RSAPrivateKey(fp,x,enc,kstr,klen,cb,u) \
>              PEM_ASN1_write((int (*)())i2d_RSAPrivateKey,PEM_STRING_RSA,fp,\
>                         (char *)x,enc,kstr,klen,cb,u)
> #else
> #define PEM_write_RSAPrivateKey(fp,x,enc,kstr,klen,cb,u) \
>              PEM_write_PKCS8PrivateKey(fp,x,enc,kstr,klen,cb,u)
> #endif
> 
> in pem.h, and ditto for PEM_write_DSAPrivateKey and PEM_write_PrivateKey?
> 

Those macros aren't actually used any more. The real implementations are in
pem_all.c, the error for a different key type is caused by the call to
EVP_PKEY_get1_RSA().

You can't make the call above in any case because the RSAPrivateKey takes (RSA
*) for the key and PKCS8PrivateKey takes (EVP_PKEY *) so the types would need
to be converted.

Additionally you might want to have this behave like some other functions:
only have the new behaviour if FIPS mode is enabled.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
