I am using OpenSSL 0.9.7m. Yes, I have set OPENSSL_FIPS=1 when
calling the command. I am attaching the test script which I am using.
Please help me.

Thanks
Joshi




On Thu, Sep 25, 2008 at 10:02 PM, Dr. Stephen Henson <[EMAIL PROTECTED]>wrote:

> On Thu, Sep 25, 2008, joshi chandran wrote:
>
> > I am trying to test the FIPS-capable OpenSSL, and when I am testing it I
> > am getting some error
> >
> > openssl req -x509 -newkey rsa:2048 -out $HOME/exampleca/cacert.pem -outform PEM
> >
> > Generating a 2048 bit RSA private key
> >
> ....................................................................................+++
> > ......+++
> > writing new private key to '//exampleca/private/cakey.pem'
> > Enter PEM pass phrase:
> > Verifying - Enter PEM pass phrase:
> > -----
> > digest.c(150): OpenSSL internal error, assertion failed: Digest update
> > previous FIPS forbidden algorithm error ignored
> > IOT/Abort trap(coredump)
> >
>
> What version of OpenSSL are you using to produce that error?
>
> Do you have the environment variable OPENSSL_FIPS=1 when you call that
> command?
>
> Does your config file openssl.cnf use MD5 as a signing algorithm? If so you
> need to change it to SHA1.
>
> Steve.
> --
> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
> OpenSSL project core developer and freelance consultant.
> Homepage: http://www.drh-consultancy.demon.co.uk
>



-- 
Regards
Joshi Chandran
#! /bin/ksh

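# Test counters.  `typeset -i` is what ksh's predefined `integer` alias stands
# for; spelling it out keeps the script runnable under bash as well.
# final_count starts at zero and is advanced by report(), so the "executed"
# total printed at the end always equals the number of checks really made
# (the hard-coded 30 was larger than the 28 report calls in this script, which
# inflated the "passed" figure).
typeset -i final_count=0
typeset -i err_count=0
typeset -i pass_count=0

# report - record the outcome of the command that ran immediately before it.
# Globals:  final_count (incremented on every call)
#           err_count   (incremented when the preceding command failed)
# Inputs:   $? of the preceding command; nothing may run between that command
#           and the call, or its status is lost
# Outputs:  a "Failed" banner on stdout when the preceding command failed
report()
{
        report_rc=$?    # must be the first statement: any command overwrites $?
        (( final_count = final_count + 1 ))
        if [ "$report_rc" -ne 0 ]; then
                (( err_count = err_count + 1 ))
                # The banner had been split from its echo by mail line-wrapping,
                # which made the shell try to execute the banner as a command.
                echo "*****************************Failed*****************************"
        fi
}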

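# Creating the CA's environment
# Start from a clean tree: remove what earlier runs left behind, then create
# the directories and bookkeeping files (serial, index.txt) named in the CA
# configuration written further down.
echo "***************Creating the CA's environment***********"
# ${HOME:?} stops the script if HOME is unset or empty, so the rm -r below can
# never be aimed at "/exampleca".  (The log quoted in the thread shows
# '//exampleca/...', i.e. the script was run with HOME set to "/".)
dir="${HOME:?HOME must be set}/exampleca"
# rm errors are discarded on purpose: on a first run there is nothing to remove.
rm -r "$dir" >/dev/null 2>&1
rm -r "$HOME/server_req" >/dev/null 2>&1
rm mail* >/dev/null 2>&1
# Absolute paths instead of an unchecked `cd`: if the directory cannot be
# created the script stops here rather than scattering certs/, private/,
# serial and index.txt into whatever the current directory happens to be.
mkdir -p "$dir/certs" "$dir/private" || exit 1
# The CA private key is written below private/; keep group and others out.
chmod g-rwx,o-rwx "$dir/private"
echo '01' > "$dir/serial"
touch "$dir/index.txt"
cd ~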

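# Creating the configuration file for CA
# The here-document delimiter is unquoted on purpose: $HOME and $dir are
# expanded by the shell while the file is written, so openssl.cnf ends up
# holding absolute paths.
# default_md is sha1 in both the [ exampleca ] and the [ req ] section.  The
# file used to say md5, which a FIPS-mode OpenSSL refuses as a forbidden
# algorithm; SHA1 is the replacement recommended in the thread for this
# 0.9.7 FIPS build.  Where that constraint does not apply, configure a SHA-2
# digest on a current OpenSSL instead.
echo "***************Creating the configuration file for CA************"
# '>' rather than '>>': a config surviving a failed cleanup must not be appended to.
cat > "$HOME/exampleca/openssl.cnf" << EOF
[ ca ]
default_ca = exampleca

[ exampleca ]
dir = $HOME/exampleca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = exampleca_policy
x509_extensions = certificate_extensions

[ exampleca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = $HOME/exampleca/private/cakey.pem
default_md = sha1
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions

[ root_ca_distinguished_name ]
commonName = Example CA
stateOrProvinceName = Virginia
countryName = US
emailAddress = [EMAIL PROTECTED]
organizationName = Root Certification Authority

[ root_ca_extensions ]
basicConstraints = CA:true
EOF

# Counts the result of writing the file (the exit status of cat).
report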

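# Telling OpenSSL where to find our configuration file
OPENSSL_CONF="$HOME/exampleca/openssl.cnf"
export OPENSSL_CONF

# Generating our self-signed root certificate
# This is the command that aborted in the thread.  req takes the digest used
# for the self-signature from default_md in the [ req ] section of
# $OPENSSL_CONF; with OPENSSL_FIPS=1 in the environment that digest has to be
# one the FIPS module accepts (the thread's advice: SHA1, not MD5).
# No -nodes is given, so req asks for a pass phrase for the new CA key and the
# run is interactive at this point.
# The banners below had been broken in two by mail line-wrapping; they are
# single lines again.
echo "*************************************Generating our self-signed root certificate************************************"
openssl req -x509 -newkey rsa:2048 -out "$HOME/exampleca/cacert.pem" -outform PEM
report
echo "*************************************Displaying self-signed root certificate************************************"
openssl x509 -in "$HOME/exampleca/cacert.pem" -text -noout
report
echo "*************************************End of Display*************************************"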

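# Generating a certificate request
# Writes a second openssl.cnf for the requester, points OPENSSL_CONF at it and
# creates a new key pair plus a PEM certificate request.
# default_md is sha1 here as well: md5 is refused by a FIPS-mode OpenSSL, and
# SHA1 is the replacement recommended in the thread for this 0.9.7 FIPS build.
# The here-document delimiter is unquoted so that $HOME and $dir are expanded
# while the file is written.
echo "*************************************Generating a certificate request************************************"
mkdir -p "$HOME/server_req"
# '>' rather than '>>': never append to a config left behind by an earlier run.
cat > "$HOME/server_req/openssl.cnf" << EOF

[ ca ]
default_ca = exampleca

[ exampleca ]
dir = $HOME/exampleca
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/certs
private_key = $dir/private/cakey.pem
serial = $dir/serial
default_crl_days = 7
default_days = 365
default_md = sha1
policy = examplecert_policy
x509_extensions = certificate_extensions

[ examplecert_policy ]
commonName = optional
stateOrProvinceName = optional
countryName = optional
emailAddress = optional
organizationName = optional
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false

[ req ]
default_bits = 2048
default_keyfile = cakey.pem
default_md = sha1
prompt = no
distinguished_name = cert_distinguished_name
x509_extensions = cert_extensions

[ cert_distinguished_name ]
commonName = IBM India
stateOrProvinceName = b'lore
countryName = IN
emailAddress = ibm.im
organizationName = IBM India Pvt Ltd

[ cert_extensions ]
basicConstraints = CA:false
EOF

OPENSSL_CONF="$HOME/server_req/openssl.cnf"
export OPENSSL_CONF
# The command had been cut in two by mail line-wrapping, so the shell ran the
# second half ("-keyform ...") as a command of its own; it is one command again.
# rsa:1024 is kept from the original test; it is below the key sizes accepted
# for new keys today.
# NOTE(review): this only produces a request.  No step visible in this script
# signs it with `openssl ca`, yet later tests read
# $HOME/exampleca/certs/01.pem - confirm where that certificate comes from.
openssl req -newkey rsa:1024 \
        -keyout "$HOME/server_req/server_priv_key.pem" -keyform PEM \
        -out "$HOME/server_req/server_req.pem" -outform PEM

report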

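# Testing S/MIME commands
# Encrypt, decrypt, sign and verify a one-line message.  Every command had been
# cut in two by mail line-wrapping, so the shell treated each tail (a bare path
# or option) as a separate command and report judged that tail instead of
# openssl; each test is a single command again.
# NOTE(review): certs/01.pem is read here, but no step visible in this script
# creates it - confirm that a signed certificate exists before these tests.
echo "God is Great" >> "$HOME/server_req/mail.txt"
openssl smime -encrypt -in "$HOME/server_req/mail.txt" -des3 \
        -out "$HOME/server_req/mail.enc" "$HOME/exampleca/certs/01.pem"
report
openssl smime -decrypt -in "$HOME/server_req/mail.enc" \
        -inkey "$HOME/server_req/server_priv_key.pem" \
        -out "$HOME/server_req/mail.txt"
report
openssl smime -sign -in "$HOME/server_req/mail.txt" \
        -signer "$HOME/exampleca/certs/01.pem" \
        -inkey "$HOME/server_req/server_priv_key.pem" \
        -out "$HOME/server_req/mail.sgn"
report
openssl smime -verify -in "$HOME/server_req/mail.sgn" \
        -out "$HOME/server_req/mail.txt" -CAfile "$HOME/exampleca/cacert.pem"
report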

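# ASN.1 parsing tool
# Parses the CA certificate and three generated ASN.1 strings.  The banners had
# been broken in two by mail line-wrapping and are single lines again; the
# certificate path is quoted so a HOME containing spaces cannot split it.
echo "*********************************Testing ASN.1 parsing tool*********************************"
openssl asn1parse -in "$HOME/exampleca/cacert.pem"
report
openssl asn1parse -genstr 'UTF8:Hello World'
report
openssl asn1parse -genstr 'BOOL:TRUE'
report
openssl asn1parse -genstr 'UTF8:some random string'
report
echo "*********************************Completed Testing ASN.1 parsing tool*********************************"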

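# Testing Certificate display and signing utility
# Exercises `openssl x509` on the CA certificate and on certs/01.pem.  Several
# commands had been cut in two by mail line-wrapping, which made the shell run
# the tail (an option or a path) as a command of its own and let report judge
# that tail; each test is a single command again and all paths are quoted.
echo "*********************************Testing Certificate display and signing utility*********************************"
openssl x509 -in "$HOME/exampleca/cacert.pem" -noout -serial
report
openssl x509 -in "$HOME/exampleca/cacert.pem" -noout -subject
report
openssl x509 -in "$HOME/exampleca/cacert.pem" -noout -subject -nameopt RFC2253
report
openssl x509 -in "$HOME/exampleca/certs/01.pem" -noout -subject \
        -nameopt oneline,-esc_msb
report
# NOTE(review): no digest option is given for this fingerprint.  If this build
# defaults to MD5 the call will be refused in FIPS mode; the test after it
# asks for -sha1 explicitly.
openssl x509 -in "$HOME/exampleca/certs/01.pem" -noout -fingerprint
report
openssl x509 -sha1 -in "$HOME/exampleca/certs/01.pem" -noout -fingerprint
report
# cert.der, req.pem and trust.pem are written to the current directory.
openssl x509 -in "$HOME/exampleca/certs/01.pem" -inform PEM -out cert.der \
        -outform DER
report
openssl x509 -x509toreq -in "$HOME/exampleca/certs/01.pem" -out req.pem \
        -signkey "$HOME/exampleca/private/cakey.pem"
report
# The -x509toreq test appears twice in the original; both runs are kept.
openssl x509 -x509toreq -in "$HOME/exampleca/certs/01.pem" -out req.pem \
        -signkey "$HOME/exampleca/private/cakey.pem"
report
openssl x509 -in "$HOME/exampleca/certs/01.pem" -addtrust clientAuth \
        -setalias "Steve's Class 1 CA" -out trust.pem
report
echo "*********************************Completed *Testing Certificate display and signing utility***************************"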


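# CRL utility
# Revokes a copy of certs/01.pem, generates a CRL and then prints and checks
# it.  `openssl ca` reads its settings from the file named by OPENSSL_CONF.
# The last crl command had been cut in two by mail line-wrapping, leaving
# -CAfile without its argument and the path as a command of its own; it is one
# command again, and all paths are quoted.
echo "*********************************Testing CRL utility*********************************"
cp "$HOME/exampleca/certs/01.pem" "$HOME/server_req/testcert.pem"
openssl ca -revoke "$HOME/server_req/testcert.pem"
report
openssl ca -gencrl -out "$HOME/server_req/exampleca.crl"
report
openssl crl -in "$HOME/server_req/exampleca.crl" -text -noout
report
# -CAfile makes crl check the CRL signature against the CA certificate.
openssl crl -in "$HOME/server_req/exampleca.crl" -noout \
        -CAfile "$HOME/exampleca/cacert.pem"
report
echo "*********************************Completed CompletedTesting CRL utility*********************************"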

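# Create a PKCS#7 structure from a CRL and certificates
# First a PEM structure holding the CRL plus one certificate, then a DER
# structure holding two certificates and no CRL.  Both commands had been cut in
# two by mail line-wrapping (the tail was run as a separate command, so report
# judged the wrong exit status); each is a single command again.
echo "*********************************Testing PKCS#7 structure from a CRL*********************************"
openssl crl2pkcs7 -in "$HOME/server_req/exampleca.crl" \
        -certfile "$HOME/server_req/testcert.pem" \
        -out "$HOME/server_req/p7.pem"
report
openssl crl2pkcs7 -nocrl -certfile "$HOME/server_req/testcert.pem" \
        -certfile "$HOME/exampleca/cacert.pem" \
        -outform DER -out "$HOME/server_req/p7.der"
report
echo "*********************************Completed Testing PKCS#7 structure from a CRL*********************************"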

# Test Results
# Passed = executed - failed; work that out first, then print the three totals.
(( pass_count = final_count - err_count ))
echo "Total number of Test Cases Executed : ${final_count}"
echo "Total number of Test Cases Failed : ${err_count}"
echo "Total number of Test Cases Passed : ${pass_count}"


#! /bin/ksh

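# Test counters.  `typeset -i` is what ksh's predefined `integer` alias stands
# for; spelling it out keeps the script runnable under bash as well.
# final_count starts at zero and is advanced by report(), so the "executed"
# total is counted rather than a hard-coded 42 that has to be kept in step
# with the script by hand.
typeset -i final_count=0
typeset -i err_count=0
typeset -i pass_count=0

# report - record the outcome of the command that ran immediately before it.
# Globals:  final_count (incremented on every call)
#           err_count   (incremented when the preceding command failed)
# Inputs:   $? of the preceding command; nothing may run between that command
#           and the call, or its status is lost
# Outputs:  a "Failed" banner on stdout when the preceding command failed.
#           Most tests in this script send openssl's own output to /dev/null,
#           so without the banner a failure would leave no visible trace.
report()
{
        report_rc=$?    # must be the first statement: any command overwrites $?
        (( final_count = final_count + 1 ))
        if [ "$report_rc" -ne 0 ]; then
                (( err_count = err_count + 1 ))
                echo "*****************************Failed*****************************"
        fi
}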

# Remove the existing files
# The patterns are matched in the current directory, so this deletes any file
# there whose name starts with one of these prefixes - run the script from a
# scratch directory.  rm's complaints (for example about a pattern that
# matched nothing) are discarded.
for stale in dh* dsa* rsa* cipher* plain* sig* base* dig*; do
        rm $stale >/dev/null 2>&1
done

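# Diffie-Hellman
# Generates DH parameters with generator 2 and then dumps them as C code.
# All openssl output, error messages included, goes to /dev/null, so the only
# trace of a failure is what report records.
# The banners had been broken in two by mail line-wrapping; they are single
# lines again.  The 1024-bit size is kept from the original test and is too
# small for parameters meant for real use.
echo "*********************************Generating Diffie-Hellman Parameters***************************"
openssl dhparam -out dhparam.pem -2 1024 >/dev/null 2>&1
report
openssl dhparam -in dhparam.pem -noout -C >/dev/null 2>&1
report
echo "*********************************Completed Generating Diffie-Hellman Parameters***************************"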

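# Digital Signature Algorithm
# Generates DSA parameters and a key pair, exports the public key, then
# rewrites the private key encrypted with 3DES.
# The last command had been cut in two by mail line-wrapping: the first half
# ran without -passout and without the redirection, and the second half was
# run as a command of its own.  It is one command again.
# Pass phrases given as pass:... arguments are visible in the process list;
# that is tolerable here only because these are throwaway test keys.
echo "*********************************Testing Digital Signature Algorithm***************************"
openssl dsaparam -out dsaparam.pem 1024 >/dev/null 2>&1
report
openssl gendsa -out dsaprivatekey.pem dsaparam.pem >/dev/null 2>&1
report
openssl dsa -in dsaprivatekey.pem -pubout -out dsapublickey.pem >/dev/null 2>&1
report
# Input and output are the same file: the key is replaced by its encrypted form.
openssl dsa -in dsaprivatekey.pem -out dsaprivatekey.pem -des3 -passin pass: \
        -passout pass:openssl123 >/dev/null 2>&1
report
echo "*********************************Completed Testing Digital Signature Algorithm***************************"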

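# RSA
# Generates a 1024-bit RSA key pair, then encrypts, decrypts, signs and
# verifies plain.txt with rsautl.
# The four rsautl commands had been cut in two by mail line-wrapping.  The
# tail (an output file name with the redirection, or the redirection alone)
# then ran as a command of its own, and report judged that tail instead of
# openssl - a bare redirection always succeeds, so failures were hidden.
# Each test is a single command again.
echo "*********************************Testing RSA***************************"
openssl genrsa -out rsaprivatekey.pem 1024 >/dev/null 2>&1
report
openssl rsa -in rsaprivatekey.pem -pubout -out rsapublickey.pem >/dev/null 2>&1
report
echo "God is Great!" > plain.txt
openssl rsautl -encrypt -pubin -inkey rsapublickey.pem -in plain.txt \
        -out cipher.txt >/dev/null 2>&1
report
# The decrypted and the recovered text are written back over plain.txt.
openssl rsautl -decrypt -inkey rsaprivatekey.pem -in cipher.txt \
        -out plain.txt >/dev/null 2>&1
report
openssl rsautl -sign -inkey rsaprivatekey.pem -in plain.txt \
        -out signature.bin >/dev/null 2>&1
report
openssl rsautl -verify -pubin -inkey rsapublickey.pem -in signature.bin \
        -out plain.txt >/dev/null 2>&1
report
echo "*********************************Completed Testing RSA***************************"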

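# Message Digest Algorithms
# Hashes plain.txt with SHA1, then signs and verifies it with the DSA and RSA
# keys created by the earlier tests.
# Four commands had been cut in two by mail line-wrapping, so the tail (file
# names and/or the redirection) ran as a command of its own and report judged
# that tail instead of openssl; each test is a single command again.
# -passin pass:openssl123 puts the pass phrase on the command line, where the
# process list shows it; tolerable only for throwaway test keys.
echo "*********************************Testing Message Digest Algorithms*********************************"
openssl dgst -sha1 plain.txt >/dev/null 2>&1
report
openssl sha1 -out digest.txt plain.txt >/dev/null 2>&1
report
openssl dgst -passin pass:openssl123 -dss1 -sign dsaprivatekey.pem \
        -out dsasign.bin plain.txt >/dev/null 2>&1
report
openssl dgst -passin pass:openssl123 -dss1 -prverify dsaprivatekey.pem \
        -signature dsasign.bin plain.txt >/dev/null 2>&1
report
openssl sha1 -passin pass:openssl123 -sign rsaprivatekey.pem -out rsasign.bin \
        plain.txt >/dev/null 2>&1
report
openssl sha1 -verify rsapublickey.pem -signature rsasign.bin plain.txt \
        >/dev/null 2>&1
report
echo "*********************************Completed Testing Message Digest Algorithms*********************************"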

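# Symmetric Ciphers
# Runs enc with 3DES, Blowfish and RC2, plus a base64 encoding pass.
# Four commands had been cut in two by mail line-wrapping; the tail - often
# just the redirection, which always succeeds - ran as a command of its own
# and report judged it instead of openssl.  Each test is a single command again.
# Blowfish and RC2 are not FIPS-approved algorithms, so with OPENSSL_FIPS=1
# those two tests are expected to be refused rather than to pass.
# The password (-k) and the key, salt and IV (-K, -S, -iv) are fixed test
# values given on the command line; never reuse them for real data.
echo "*********************************Testing Symmetric Ciphers*********************************"
openssl enc -des3 -salt -in plain.txt -out ciphertext.bin -k openssl123 \
        >/dev/null 2>&1
report
# NOTE(review): the file was encrypted with -des3 (CBC) but is decrypted with
# -des-ede3-ofb.  The modes differ, so plain.txt is not expected to get its
# original content back - confirm that this is intended.
openssl enc -des-ede3-ofb -d -in ciphertext.bin -out plain.txt -k openssl123 \
        >/dev/null 2>&1
report
openssl bf-cfb -salt -in plain.txt -out ciphertext.bin -k openssl123 \
        >/dev/null 2>&1
report
openssl base64 -in ciphertext.bin -out base64.txt >/dev/null 2>&1
report
openssl rc2-64-cbc -in plain.txt -out ciphertext.bin -S C62CB1D49F158ADC \
        -iv E9EDACA1BD7090C6 -K 89D4B1678D604FAA3DBFFD030A314B29 >/dev/null 2>&1
report
echo "*********************************Completed Testing Symmetric Ciphers*********************************"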

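# SSL cipher display and cipher list tool
# Prints the cipher suites selected by five cipher strings.  These commands
# only list suites; no connection is opened.  The banners had been broken in
# two by mail line-wrapping and are single lines again.
echo "*********************************Testing SSL cipher display and cipher list tool*********************************"
openssl ciphers -v -ssl3 'ALL:eNULL'
report
openssl ciphers -v -ssl2 'ALL:!ADH:@STRENGTH'
report
openssl ciphers -v '3DES:+RSA'
report
openssl ciphers -v 'RC4:!COMPLEMENTOFDEFAULT'
report
# NOTE(review): this listing is not followed by report, so its exit status is
# never counted - add the call together with any adjustment of the test total.
openssl ciphers -v 'RSA:!COMPLEMENTOFALL'
echo "*********************************Completed Testing SSL cipher display and cipher list tool****************************"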

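# Testing passwd command
# Hashes the fixed test password "password" with three schemes and fixed salts.
# -1 and -apr1 are MD5-based, so with OPENSSL_FIPS=1 they are expected to be
# refused - presumably the same holds for -crypt (DES-based); verify on the
# build under test.  The banners had been broken in two by mail line-wrapping
# and are single lines again.
echo "*********************************Testing passwd command*********************************"

openssl passwd -crypt -salt xx password
report
openssl passwd -1 -salt xxxxxxxx password
report
openssl passwd -apr1 -salt xxxxxxxx password
report
echo "*********************************Completed Testing passwd command*********************************"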

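# Generating pseudo-random bytes
# Writes 12 random bytes to a file called "new" in the current directory, then
# prints 9 random bytes base64-encoded.  The banners had been broken in two by
# mail line-wrapping and are single lines again.
echo "*********************************Testing Generating pseudo-random bytes*********************************"
openssl rand -out new 12
report
openssl rand -base64 9
report
echo "*********************************Completed Testing Generating pseudo-random bytes*********************************"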

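# Testing the performance of cryptographic algorithms
# `openssl speed` without arguments benchmarks every algorithm in the build,
# which takes several minutes.
# NOTE(review): with OPENSSL_FIPS=1 the non-approved algorithms in that list
# may make the run fail - confirm on the build under test.
# The banners had been broken in two by mail line-wrapping and are single
# lines again.
echo "*********************************Testing the performance of cryptographic algorithms*********************************"
openssl speed
report
echo "*********************************Completed Testing the performance of cryptographic algorithms************************"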

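# Verifying certificate chains
# Verifies the CA certificate against itself and certs/01.pem against the CA.
# Both files come from the CA tree under $HOME/exampleca and must already exist.
# All three commands had been cut in two by mail line-wrapping: verify ran
# with no certificate argument and the certificate path was executed as a
# command of its own.  Each test is a single command again.
# NOTE(review): older openssl releases are reported to exit 0 from `verify`
# even when verification fails; if that holds for the build under test,
# report cannot see a failure here and the printed output has to be checked.
echo "*********************************Verifying certificate chains*********************************"
openssl verify -CAfile "$HOME/exampleca/cacert.pem" -issuer_checks -verbose \
        "$HOME/exampleca/cacert.pem"
report
openssl verify -CAfile "$HOME/exampleca/cacert.pem" -verbose \
        "$HOME/exampleca/certs/01.pem"
report
openssl verify -CAfile "$HOME/exampleca/cacert.pem" -verbose -purpose sslserver \
        "$HOME/exampleca/certs/01.pem"
report
echo "*********************************Completed Verifying certificate chains*********************************"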

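# Printing OpenSSL version information
# Runs `openssl version` once with each of the flags -a, -v, -o, -b, -f and -p.
# The output identifies the build that was actually tested, which is the first
# thing to check when a FIPS-capable build is expected.  The banners had been
# broken in two by mail line-wrapping and are single lines again.
echo "*********************************Printing OpenSSL version information**********************************"
openssl version -a
report
openssl version -v
report
openssl version -o
report
openssl version -b
report
openssl version -f
report
openssl version -p
report
echo "*********************************Completed Printing OpenSSL version information**********************************"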

# Test Results
# Passed = executed - failed; work that out first, then print the three totals.

(( pass_count = final_count - err_count ))
echo "Total number of Test Cases Executed : ${final_count}"
echo "Total number of Test Cases Failed : ${err_count}"
echo "Total number of Test Cases Passed : ${pass_count}"

