I am using openssl 0.9.7m . Yes,I have the used the OPENSSL_FIPS=1 when calling the command . i am attaching the testscript which i am using. please help me
Thanks Joshi On Thu, Sep 25, 2008 at 10:02 PM, Dr. Stephen Henson <[EMAIL PROTECTED]>wrote: > On Thu, Sep 25, 2008, joshi chandran wrote: > > > I am trying to test the Fips capable openssl and when i am testing it i > am > > getting some error > > > > openssl req -x509 -newkey rsa:2048 -out $HOME/exampleca/cacert.pem > -outform > > PEM > > > > Generating a 2048 bit RSA private key > > > ....................................................................................+++ > > ......+++ > > writing new private key to '//exampleca/private/cakey.pem' > > Enter PEM pass phrase: > > Verifying - Enter PEM pass phrase: > > ----- > > digest.c(150): OpenSSL internal error, assertion failed: Digest update > > previous FIPS forbidden algorithm error ignored > > IOT/Abort trap(coredump) > > > > What version of OpenSSL are you using to produce that error? > > Do you have the environment variable OPENSSL_FIPS=1 when you call that > command? > > Does your config file openssl.cnf use MD5 as a signing algorithm? If so you > need to change it to SHA1. > > Steve. > -- > Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage > OpenSSL project core developer and freelance consultant. > Homepage: http://www.drh-consultancy.demon.co.uk > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > -- Regards Joshi Chandran
#! /bin/ksh integer final_count=30 integer err_count=0 integer pass_count=0 report() { if [ $? -ne 0 ]; then (( err_count = err_count + 1 )); echo "*****************************Failed*****************************" fi } # Creating the CA's environment echo "***************Creating the CA's environment***********" rm -r $HOME/exampleca >/dev/null 2>&1 rm -r $HOME/server_req >/dev/null 2>&1 rm mail* >/dev/null 2>&1 mkdir -p $HOME/exampleca cd $HOME/exampleca mkdir certs private chmod g-rwx,o-rwx private echo '01' > serial touch index.txt dir=$HOME"/exampleca" cd ~ # Creating the configuration file for CA echo "***************Creating the configuration file for CA************" cat >> $HOME/exampleca/openssl.cnf << EOF [ ca ] default_ca = exampleca [ exampleca ] dir = $HOME/exampleca certificate = $dir/cacert.pem database = $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial default_crl_days = 7 default_days = 365 default_md = md5 policy = exampleca_policy x509_extensions = certificate_extensions [ exampleca_policy ] commonName = supplied stateOrProvinceName = supplied countryName = supplied emailAddress = supplied organizationName = supplied organizationalUnitName = optional [ certificate_extensions ] basicConstraints = CA:false [ req ] default_bits = 2048 default_keyfile = $HOME/exampleca/private/cakey.pem default_md = md5 prompt = no distinguished_name = root_ca_distinguished_name x509_extensions = root_ca_extensions [ root_ca_distinguished_name ] commonName = Example CA stateOrProvinceName = Virginia countryName = US emailAddress = [EMAIL PROTECTED] organizationName = Root Certification Authority [ root_ca_extensions ] basicConstraints = CA:true EOF report # Telling OpenSSL where to find our configuration file OPENSSL_CONF=$HOME/exampleca/openssl.cnf export OPENSSL_CONF # Generating our self-signed root certificate echo "*************************************Generating our self-signed root certificate************************************" openssl req -x509 -newkey rsa:2048 -out $HOME/exampleca/cacert.pem -outform PEM report echo "*************************************Displaying self-signed root certificate************************************" openssl x509 -in $HOME/exampleca/cacert.pem -text -noout report echo "*************************************End of Display*************************************" # Generating a certificate request echo "*************************************Generating a certificate request************************************" mkdir -p $HOME/server_req cat >> $HOME/server_req/openssl.cnf << EOF [ ca ] default_ca = exampleca [ exampleca ] dir = $HOME/exampleca certificate = $dir/cacert.pem database = $dir/index.txt new_certs_dir = $dir/certs private_key = $dir/private/cakey.pem serial = $dir/serial default_crl_days = 7 default_days = 365 default_md = md5 policy = examplecert_policy x509_extensions = certificate_extensions [ examplecert_policy ] commonName = optional stateOrProvinceName = optional countryName = optional emailAddress = optional organizationName = optional organizationalUnitName = optional [ certificate_extensions ] basicConstraints = CA:false [ req ] default_bits = 2048 default_keyfile = cakey.pem default_md = md5 prompt = no distinguished_name = cert_distinguished_name x509_extensions = cert_extensions [ cert_distinguished_name ] commonName = IBM India stateOrProvinceName = b'lore countryName = IN emailAddress = ibm.im organizationName = IBM India Pvt Ltd [ cert_extensions ] basicConstraints = CA:false EOF OPENSSL_CONF=$HOME/server_req/openssl.cnf export OPENSSL_CONF openssl req -newkey rsa:1024 -keyout $HOME/server_req/server_priv_key.pem -keyform PEM -out $HOME/server_req/server_req.pem -outform PEM report # Testing S/MIME commands echo "God is Great" >> $HOME/server_req/mail.txt openssl smime -encrypt -in $HOME/server_req/mail.txt -des3 -out $HOME/server_req/mail.enc $HOME/exampleca/certs/01.pem report openssl smime -decrypt -in $HOME/server_req/mail.enc -inkey $HOME/server_req/server_priv_key.pem -out $HOME/server_req/mail.txt report openssl smime -sign -in $HOME/server_req/mail.txt -signer $HOME/exampleca/certs/01.pem -inkey $HOME/server_req/server_priv_key.pem -out $HOME/server_req/mail.sgn report openssl smime -verify -in $HOME/server_req/mail.sgn -out $HOME/server_req/mail.txt -CAfile $HOME/exampleca/cacert.pem report # ASN.1 parsing tool echo "*********************************Testing ASN.1 parsing tool*********************************" openssl asn1parse -in $HOME/exampleca/cacert.pem report openssl asn1parse -genstr 'UTF8:Hello World' report openssl asn1parse -genstr 'BOOL:TRUE' report openssl asn1parse -genstr 'UTF8:some random string' report echo "*********************************Completed Testing ASN.1 parsing tool*********************************" # Testing Certificate display and signing utility echo "*********************************Testing Certificate display and signing utility*********************************" openssl x509 -in $HOME/exampleca/cacert.pem -noout -serial report openssl x509 -in $HOME/exampleca/cacert.pem -noout -subject report openssl x509 -in $HOME/exampleca/cacert.pem -noout -subject -nameopt RFC2253 report openssl x509 -in $HOME/exampleca/certs/01.pem -noout -subject -nameopt oneline,-esc_msb report openssl x509 -in $HOME/exampleca/certs/01.pem -noout -fingerprint report openssl x509 -sha1 -in $HOME/exampleca/certs/01.pem -noout -fingerprint report openssl x509 -in $HOME/exampleca/certs/01.pem -inform PEM -out cert.der -outform DER report openssl x509 -x509toreq -in $HOME/exampleca/certs/01.pem -out req.pem -signkey $HOME/exampleca/private/cakey.pem report openssl x509 -x509toreq -in $HOME/exampleca/certs/01.pem -out req.pem -signkey $HOME/exampleca/private/cakey.pem report openssl x509 -in $HOME/exampleca/certs/01.pem -addtrust clientAuth -setalias "Steve's Class 1 CA" -out trust.pem report echo "*********************************Completed *Testing Certificate display and signing utility***************************" # CRL utility echo "*********************************Testing CRL utility*********************************" cp $HOME/exampleca/certs/01.pem $HOME/server_req/testcert.pem openssl ca -revoke $HOME/server_req/testcert.pem report openssl ca -gencrl -out $HOME/server_req/exampleca.crl report openssl crl -in $HOME/server_req/exampleca.crl -text -noout report openssl crl -in $HOME/server_req/exampleca.crl -noout -CAfile $HOME/exampleca/cacert.pem report echo "*********************************Completed CompletedTesting CRL utility*********************************" # Create a PKCS#7 structure from a CRL and certificates echo "*********************************Testing PKCS#7 structure from a CRL*********************************" openssl crl2pkcs7 -in $HOME/server_req/exampleca.crl -certfile $HOME/server_req/testcert.pem -out $HOME/server_req/p7.pem report openssl crl2pkcs7 -nocrl -certfile $HOME/server_req/testcert.pem -certfile $HOME/exampleca/cacert.pem -outform DER -out $HOME/server_req/p7.der report echo "*********************************Completed Testing PKCS#7 structure from a CRL*********************************" # Test Results echo "Total number of Test Cases Executed : "$final_count echo "Total number of Test Cases Failed : "$err_count (( pass_count = final_count - err_count )); echo "Total number of Test Cases Passed : "$pass_count
#! /bin/ksh integer final_count=42 integer err_count=0 integer pass_count=0 report() { if [ $? -ne 0 ]; then (( err_count = err_count + 1 )); fi } # Remove the existing files rm dh* dsa* rsa* cipher* plain* sig* base* dig* >/dev/null 2>&1 # Diffie-Hellman echo "*********************************Generating Diffie-Hellman Parameters***************************" openssl dhparam -out dhparam.pem -2 1024 >/dev/null 2>&1 report openssl dhparam -in dhparam.pem -noout -C >/dev/null 2>&1 report echo "*********************************Completed Generating Diffie-Hellman Parameters***************************" # Digital Signature Algorithm echo "*********************************Testing Digital Signature Algorithm***************************" openssl dsaparam -out dsaparam.pem 1024 >/dev/null 2>&1 report openssl gendsa -out dsaprivatekey.pem dsaparam.pem >/dev/null 2>&1 report openssl dsa -in dsaprivatekey.pem -pubout -out dsapublickey.pem >/dev/null 2>&1 report openssl dsa -in dsaprivatekey.pem -out dsaprivatekey.pem -des3 -passin pass: -passout pass:openssl123 >/dev/null 2>&1 report echo "*********************************Completed Testing Digital Signature Algorithm***************************" # RSA echo "*********************************Testing RSA***************************" openssl genrsa -out rsaprivatekey.pem 1024 >/dev/null 2>&1 report openssl rsa -in rsaprivatekey.pem -pubout -out rsapublickey.pem >/dev/null 2>&1 report echo "God is Great!" > plain.txt openssl rsautl -encrypt -pubin -inkey rsapublickey.pem -in plain.txt -out cipher.txt >/dev/null 2>&1 report openssl rsautl -decrypt -inkey rsaprivatekey.pem -in cipher.txt -out plain.txt >/dev/null 2>&1 report openssl rsautl -sign -inkey rsaprivatekey.pem -in plain.txt -out signature.bin >/dev/null 2>&1 report openssl rsautl -verify -pubin -inkey rsapublickey.pem -in signature.bin -out plain.txt >/dev/null 2>&1 report echo "*********************************Completed Testing RSA***************************" # Message Digest Algorithms echo "*********************************Testing Message Digest Algorithms*********************************" openssl dgst -sha1 plain.txt >/dev/null 2>&1 report openssl sha1 -out digest.txt plain.txt >/dev/null 2>&1 report openssl dgst -passin pass:openssl123 -dss1 -sign dsaprivatekey.pem -out dsasign.bin plain.txt >/dev/null 2>&1 report openssl dgst -passin pass:openssl123 -dss1 -prverify dsaprivatekey.pem -signature dsasign.bin plain.txt >/dev/null 2>&1 report openssl sha1 -passin pass:openssl123 -sign rsaprivatekey.pem -out rsasign.bin plain.txt >/dev/null 2>&1 report openssl sha1 -verify rsapublickey.pem -signature rsasign.bin plain.txt >/dev/null 2>&1 report echo "*********************************Completed Testing Message Digest Algorithms*********************************" # Symmetric Ciphers echo "*********************************Testing Symmetric Ciphers*********************************" openssl enc -des3 -salt -in plain.txt -out ciphertext.bin -k openssl123 >/dev/null 2>&1 report openssl enc -des-ede3-ofb -d -in ciphertext.bin -out plain.txt -k openssl123 >/dev/null 2>&1 report openssl bf-cfb -salt -in plain.txt -out ciphertext.bin -k openssl123 >/dev/null 2>&1 report openssl base64 -in ciphertext.bin -out base64.txt >/dev/null 2>&1 report openssl rc2-64-cbc -in plain.txt -out ciphertext.bin -S C62CB1D49F158ADC -iv E9EDACA1BD7090C6 -K 89D4B1678D604FAA3DBFFD030A314B29 >/dev/null 2>&1 report echo "*********************************Completed Testing Symmetric Ciphers*********************************" # SSL cipher display and cipher list tool echo "*********************************Testing SSL cipher display and cipher list tool*********************************" openssl ciphers -v -ssl3 'ALL:eNULL' report openssl ciphers -v -ssl2 'ALL:!ADH:@STRENGTH' report openssl ciphers -v '3DES:+RSA' report openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT' report openssl ciphers -v 'RSA:!COMPLEMENTOFALL' echo "*********************************Completed Testing SSL cipher display and cipher list tool****************************" # Testing passwd command echo "*********************************Testing passwd command*********************************" openssl passwd -crypt -salt xx password report openssl passwd -1 -salt xxxxxxxx password report openssl passwd -apr1 -salt xxxxxxxx password report echo "*********************************Completed Testing passwd command*********************************" # Generating pseudo-random bytes echo "*********************************Testing Generating pseudo-random bytes*********************************" openssl rand -out new 12 report openssl rand -base64 9 report echo "*********************************Completed Testing Generating pseudo-random bytes*********************************" # Testing the performance of cryptographic algorithms echo "*********************************Testing the performance of cryptographic algorithms*********************************" openssl speed report echo "*********************************Completed Testing the performance of cryptographic algorithms************************" # Verifying certificate chains echo "*********************************Verifying certificate chains*********************************" openssl verify -CAfile $HOME/exampleca/cacert.pem -issuer_checks -verbose $HOME/exampleca/cacert.pem report openssl verify -CAfile $HOME/exampleca/cacert.pem -verbose $HOME/exampleca/certs/01.pem report openssl verify -CAfile $HOME/exampleca/cacert.pem -verbose -purpose sslserver $HOME/exampleca/certs/01.pem report echo "*********************************Completed Verifying certificate chains*********************************" # Printing OpenSSL version information echo "*********************************Printing OpenSSL version information**********************************" openssl version -a report openssl version -v report openssl version -o report openssl version -b report openssl version -f report openssl version -p report echo "*********************************Completed Printing OpenSSL version information**********************************" # Test Results echo "Total number of Test Cases Executed : "$final_count echo "Total number of Test Cases Failed : "$err_count (( pass_count = final_count - err_count )); echo "Total number of Test Cases Passed : "$pass_count