RE: openssl fips patch for RSA Key Gen (186-4)
> From: openssl-users On Behalf Of Matt Caswell
> Sent: Tuesday, 5 January, 2021 09:35
>
> On 05/01/2021 11:41, y vasavi wrote:
> >
> > We currently FOM 2.0 module for FIPS certification.
> > It doesn't have support for RSA Key generation(186-4)
> >
> > Are there any patches available ?
>
> Definitely there are no official ones (I'm also not aware of any
> unofficial ones).

And such a patched module would no longer be FIPS 140 validated.

I know of at least one commercial, proprietary fork of the OpenSSL FOM 2.0 with 186-4 support. It has its own validations, obtained by the vendor. It's part of a commercial software package and not available for use by other software.

If memory serves, SUSE also implemented 186-4 when they ported the FOM 2.0 to OpenSSL 1.1.1. SUSE open-sourced their changes - you can find the diffs on one of the SUSE sites - but again, they had to get a new validation. It applies only to their module when used on SLES. (Red Hat similarly did their own ports and got their own validations for RHEL. I don't know whether they published their changes.)

So it's possible, but as usual with FIPS 140, you have the time and expense of validation. That's even more complicated now than it has been in past years, thanks in part to the transition from FIPS 140-2 to 140-3. I've heard from people with contacts in the CMVP that "the queue is full" for the year, and anyone not already in line will be waiting even longer than usual for a validation.

--
Michael Wojcik
Re: openssl fips patch for RSA Key Gen (186-4)
On Tue, Jan 05, 2021 at 04:34:36PM +, Matt Caswell wrote:
>
>
> On 05/01/2021 11:41, y vasavi wrote:
> >
> > Hi All,
> >
> > We currently FOM 2.0 module for FIPS certification.
> > It doesn't have support for RSA Key generation(186-4)
> >
> > Are there any patches available ?
>
> Definitely there are no official ones (I'm also not aware of any
> unofficial ones).

In some vendor FIPS patch sets (e.g. Red Hat or SUSE) there are RSA Key generation methods meeting FIPS 186-4, for 1.0 and 1.1 based openssls.

Ciao, Marcus
Re: private key not available for client_cert_cb
Hi,

On 05/01/21 07:39, George wrote:
> Hi,
>
> I was looking at the code in
> https://github.com/jjkeijser/ppp/blob/eap-tls/pppd/eap-tls.c
> and realized I forgot to call ENGINE_ctrl_cmd(...) to set up "LOAD_CERT_CTRL". However, when I do this, the callback function is no longer being called during the mutual authentication handshake.
>
> I'm wondering if I have the parameter "cert_info.s_slot_cert_id" incorrectly configured. Here is what my code looks like:
>
>     struct {
>         const char* s_slot_cert_id;
>         X509* cert;
>     } cert_info;
>     cert_info.s_slot_cert_id = "a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45";
>     cert_info.cert = NULL;
>     ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0);
>     SSL_CTX_use_certificate(sslContext, cert_info.cert);
>
> I tried manually using LOAD_CERT_CTRL in the openssl shell but I cannot seem to get it to work and cannot find any examples of how to use it. Is the syntax for LOAD_CERT_CTRL correct? I am using "LOAD_CERT_CTRL:".
>
> OpenSSL> engine - -t dynamic -pre "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll" -pre PIN:123456 -pre FORCE_LOGIN -pre "LOAD_CERT_CTRL:a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45"
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll
> [Success]: PIN:123456
> [Success]: FORCE_LOGIN
> [Failure]: LOAD_CERT_CTRL:a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45
> 4196:error:260AB086:engine routines:ENGINE_ctrl_cmd_string:cmd not executable:.\crypto\engine\eng_ctrl.c:316:
> Loaded: (pkcs11) pkcs11 engine
>      [ available ]
>      SO_PATH: Specifies the path to the 'pkcs11' engine shared library
>           (input flags): STRING
>      MODULE_PATH: Specifies the path to the PKCS#11 module shared library
>           (input flags): STRING
>      PIN: Specifies the pin code
>           (input flags): STRING
>      VERBOSE: Print additional details
>           (input flags): NO_INPUT
>      QUIET: Remove additional details
>           (input flags): NO_INPUT
>      LOAD_CERT_CTRL: Get the certificate from card
>           (input flags): [Internal]
>      INIT_ARGS: Specifies additional initialization arguments to the PKCS#11 module
>           (input flags): STRING
>      SET_USER_INTERFACE: Set the global user interface (internal)
>           (input flags): [Internal]
>      SET_CALLBACK_DATA: Set the global user interface extra data (internal)
>           (input flags): [Internal]
>      FORCE_LOGIN: Force login to the PKCS#11 module
>           (input flags): NO_INPUT
> OpenSSL>
>
> I'm using the certificate object ID "a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45" for LOAD_CERT_CTRL. Is this right? (I also tried adding "0:" in front of it to indicate slot 0, but that did not work either.)

this has little to do with OpenSSL at the moment and more with libp11 - perhaps someone more knowledgeable on the libp11 mailing list can help you. I'd try to use -post LOAD_CERT_CTRL instead of '-pre', as you want this done after the engine has been loaded. The cert ID does look OK.

Note that if you want to use the s_client command that you canNOT specify the certificate form '-certform engine' as the code does not grok that.

HTH,

JJK
Re: openssl fips patch for RSA Key Gen (186-4)
On 05/01/2021 11:41, y vasavi wrote:
>
> Hi All,
>
> We currently FOM 2.0 module for FIPS certification.
> It doesn't have support for RSA Key generation(186-4)
>
> Are there any patches available ?

Definitely there are no official ones (I'm also not aware of any unofficial ones). The 3.0 module which will be part of OpenSSL 3.0 when it is released supports 186-4 RSA Key gen.

Matt

>
> Thanks,
> Vasavi.
Re: Verify a certificate
Hello,

just in case you want to check a webserver installation (which is not explicitly mentioned in Viktor's answer) I want to add this... In this case (IMHO) the s_client tool of openssl can do what you need. Try

    openssl s_client -connect yourhost.example.org:443 -CAfile SpecialCAFile.pem

where "SpecialCAFile.pem" only contains the root certificate of your "Root X" CA. This gives quite a bit of text as output. Look for a line "Verification: OK" in this output (usually after the PEM-encoded server certificate), if you can find it the certificate chain should be OK. Otherwise you'll find something like "Verification error: unable to get local issuer certificate"

Hope this helps,

Ted ;)

On 2021-01-05 13:43, Yassine Chaouche wrote:
> Dear list,
>
> I would like to learn how to use openssl tools to make sure a chained certificate is valid ?
>
> example : Let's say I got the Cert certificate signed by Intermediate X, but by making the full chain certificate I inadvertently inserted Intermediate Y instead of X. The (broken) certificate chain inside Cert would be :
>
> Cert < Intermediate Y < Root X
>
> How do I detect this error with openssl tools ? are there tools that print issuer and subject of each certificate in a chain ?
>
> Thanks for your guidance.
Re: Verify a certificate
On Tue, Jan 05, 2021 at 01:43:12PM +0100, Yassine Chaouche wrote:

> How do I detect this error with openssl tools ? are there
> tools that print issuer and subject of each certificate in
> a chain ?

If, by chain, you mean a PEM file with one or more X509 certificates, then yes. Suppose the file is "certs.pem":

    $ openssl crl2pkcs7 -nocrl -certfile certs.pem |
        openssl pkcs7 -print_certs -noout

If you want to instead verify the chain, against some root CA in some file (perhaps the very same file, just use certs.pem instead of roots.pem):

    $ openssl verify -untrusted certs.pem -trusted roots.pem certs.pem

You can also check for the expected hostname with

    $ openssl verify -untrusted certs.pem -trusted roots.pem \
        -verify_hostname www.example.com certs.pem

--
    Viktor.
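The broken chain from the question (Cert < Intermediate Y < Root X), reproduced with a throwaway CA and checked with the crl2pkcs7/pkcs7 listing and the `openssl verify` invocation from the answer above. This script is an added example, not part of the original post; the file names, the helper functions (`new_csr`, `sign`, `print_chain`, `verify_chain`, `first_break`) and every key and certificate are constructed for the demo.

```sh
#!/bin/sh
# Constructed demo PKI: all names, keys and certificates are throwaway sample data.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > "$work/ca.ext"

new_csr() {  # new_csr NAME CN -> $work/NAME.key and $work/NAME.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
}
sign() {     # sign NAME ISSUER SERIAL [x509 options] -> $work/NAME.pem
    name=$1 issuer=$2 serial=$3; shift 3
    openssl x509 -req -in "$work/$name.csr" -CA "$work/$issuer.pem" \
        -CAkey "$work/$issuer.key" -set_serial "$serial" -days 1 \
        -out "$work/$name.pem" "$@" 2>/dev/null
}

new_csr root "Root X"
openssl x509 -req -in "$work/root.csr" -signkey "$work/root.key" -days 1 \
    -extfile "$work/ca.ext" -out "$work/root.pem" 2>/dev/null
new_csr intX "Intermediate X"; sign intX root 2 -extfile "$work/ca.ext"
new_csr intY "Intermediate Y"; sign intY root 3 -extfile "$work/ca.ext"
new_csr leaf "Cert";           sign leaf intX 4
cat "$work/leaf.pem" "$work/intX.pem" > "$work/good.pem"   # Cert < Intermediate X
cat "$work/leaf.pem" "$work/intY.pem" > "$work/bad.pem"    # Cert < Intermediate Y

print_chain() {   # subject and issuer of every certificate in a PEM bundle
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}
verify_chain() {  # status 0 only if the first cert in $1 chains to Root X
    openssl verify -untrusted "$1" -trusted "$work/root.pem" "$1"
}
first_break() {   # name the first link whose issuer is not the next subject
    print_chain "$1" | awk '
        /^subject=/ { s = substr($0, 9)
                      if (n++ && s != want) { print "expected " want ", found " s; exit } }
        /^issuer=/  { want = substr($0, 8) }'
}

for f in good bad; do
    echo "== $f.pem"
    print_chain "$work/$f.pem" | grep -E '^(subject|issuer)='
    verify_chain "$work/$f.pem" || echo "verify failed: $(first_break "$work/$f.pem")"
done
```

`first_break` compares names only, so it explains a failure in a bundle ordered leaf first; `verify_chain` is the check that actually validates signatures.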
Verify a certificate
Dear list,

I would like to learn how to use openssl tools to make sure a chained certificate is valid ?

example : Let's say I got the Cert certificate signed by Intermediate X, but by making the full chain certificate I inadvertently inserted Intermediate Y instead of X. The (broken) certificate chain inside Cert would be :

Cert < Intermediate Y < Root X

How do I detect this error with openssl tools ? are there tools that print issuer and subject of each certificate in a chain ?

Thanks for your guidance.
openssl fips patch for RSA Key Gen (186-4)
Hi All,

We currently FOM 2.0 module for FIPS certification.
It doesn't have support for RSA Key generation(186-4)

Are there any patches available ?

Thanks,
Vasavi.