Thank you Steve,
I had problem in creating certificate and key in FIPS mode. With your
suggestion now I am able to create FIPS supported certificate
When I create it with a passphrase the key looks as below
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICxjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIKdsTY4y2xlsCAggA
..<snip>
toGSfl42MUwLRpuoYfQ/WFNVMKUr78WqrFHd1VV1VCAnaFi95seEJKqE
-----END ENCRYPTED PRIVATE KEY-----
Now it fails at "PKCS8_decrypt" in "PEM_read_bio_PrivateKey". I verified
that passphase returned by the cb is as same as the one that I used to
create the certificate. Any hint if I miss something in the key
generation
The command I used to create this key is
./openssl req -x509 -days 1460 -newkey rsa:1024 -keyout wv-key.pem -out
wv-cert.pem
If I create the key with out passphrase then the code hits this snippet
of the code (PEM_read_bio_PrivateKey) and works fine
..
..
p8inf=d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, len);
if(!p8inf) goto p8err;
ret = EVP_PKCS82PKEY(p8inf);
..
..
Thanks
John Paul
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, October 06, 2010 9:48 PM
To: [email protected]
Subject: Re: FIPS mode - fails to read the RSA key
On Wed, Oct 06, 2010, [email protected] wrote:
> Thanks again
>
> I do have the env Variable OPENSSL_FIPS set to 1. And the key
> generated is as below
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,6238C2ACEDF888E5
>
> bmtRXSn8WHfHAUBX6m7RLs/yVctQf9TG8WmUbuc1rJ+GrP3yOc+YzY8uhgw5TZRb
> vtV2WAJ9rfeYlenV+F9PvgnGOr7mLojzQhndnuVr7ZMDciuCAd/nVvp8trUPBtFJ
> .
> .
> .
> .hXasFeSrd5IpLMOBsQ3bcpUoRiqe0gNzyIZRSsx4+OZbhLbzBxTSiUUh3NiqmhXG
> bfJi1dm+M35+0BbZrGI/z2EkRW30FV5C9OLUd77AJjZITCpPl28Aew==
> -----END RSA PRIVATE KEY-----
>
> But still it fails at the same method "PEM_do_header"
>
If that happens the version of OpenSSL isn't in FIPS mode. You should
get:
-----BEGIN PRIVATE KEY-----
and no Proc-Type, DEK-Info lines if it worked. If you also do:
OPENSSL_FIPS=1 openssl md5 somefile
it should fail with an error if FIPS mode is entered correctly.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
Please do not print this email unless it is absolutely necessary.
The information contained in this electronic message and any attachments to
this message are intended for the exclusive use of the addressee(s) and may
contain proprietary, confidential or privileged information. If you are not the
intended recipient, you should not disseminate, distribute or copy this e-mail.
Please notify the sender immediately and destroy all copies of this message and
any attachments.
WARNING: Computer viruses can be transmitted via email. The recipient should
check this email and any attachments for the presence of viruses. The company
accepts no liability for any damage caused by any virus transmitted by this
email.
www.wipro.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
