On Wed, May 29, 2013, Anamitra Dutta Majumdar (anmajumd) wrote: > We are trying to create pkcs12 keystore in FIPS mode using OpenSSL 1.0.1 > and it fails with the following error > > 9uo8bYe2YpDmqEgC[root@vos-i/usr/local/platform/bin/openssl pkcs12 -export > -in tomcat.pem -inkey ../keys/tomcat_priv.pem -out tomcat.keystore > Enter Export Password: > Verifying - Enter Export Password: > 4151633544:error:060A60A3:digital envelope > routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142: > 4151633544:error:06074078:digital envelope > routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205: > 4151633544:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor > cipherinit error:p12_decr.c:83: > 4151633544:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt > error:p12_decr.c:175: > 4151633544:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt > error:p12_add.c:202: > > > The same command works in FIPS mode. > > So I have the following questions > > 1. Is there a way to work around issue and still be able to create pkcs12 > format keystore in FIPS mode. > 2. This command worked in earlier version of openssl like 0.9.8l in FIPS > mode. What has changed in 1.0.1 > That it has stopped working in FIPS mode. > > Any pointers will be appreciated. >
That's a bug in 1.0.1 in that it tries to use an unapproved algorithm in FIPS mode. Workaround: use the -descert option. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org