Re: PKCS12 keystore creation failing in fips mode

2013-05-30 Thread Dr. Stephen Henson
On Thu, May 30, 2013, Anamitra Dutta Majumdar (anmajumd) wrote:

> Hello Steve ,
> 
> Thanks for your response.
> 
> Is there a corresponding API where we can impose this descert option?
> 

If you are using PKCS12_create() just set the certificate PBE algorithm to 

NID_pbe_WithSHA1And3_Key_TripleDES_CBC

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager       majord...@openssl.org


Re: PKCS12 keystore creation failing in fips mode

2013-05-30 Thread Anamitra Dutta Majumdar (anmajumd)
Hello Steve ,

Thanks for your response.

Is there a corresponding API where we can impose this descert option?

-Anamitra



On 5/29/13 6:15 PM, "Dr. Stephen Henson" wrote:

>On Wed, May 29, 2013, Anamitra Dutta Majumdar (anmajumd) wrote:
>
>> We are trying to create pkcs12 keystore in FIPS mode using OpenSSL 1.0.1
>> and it fails with the following error
>> 
>> 9uo8bYe2YpDmqEgC[root@vos-i/usr/local/platform/bin/openssl pkcs12 -export
>> -in tomcat.pem -inkey ../keys/tomcat_priv.pem -out tomcat.keystore
>> Enter Export Password:
>> Verifying - Enter Export Password:
>> 4151633544:error:060A60A3:digital envelope
>> routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
>> 4151633544:error:06074078:digital envelope
>> routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
>> 4151633544:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor
>> cipherinit error:p12_decr.c:83:
>> 4151633544:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt
>> error:p12_decr.c:175:
>> 4151633544:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt
>> error:p12_add.c:202:
>> 
>> 
>> The same command works in FIPS mode.
>> 
>> So I have the following questions
>> 
>> 1. Is there a way to work around the issue and still be able to create
>> pkcs12 format keystore in FIPS mode?
>> 2. This command worked in earlier versions of openssl like 0.9.8l in FIPS
>> mode. What has changed in 1.0.1 that it has stopped working in FIPS mode?
>> 
>> Any pointers will be appreciated.
>> 
>
>That's a bug in 1.0.1 in that it tries to use an unapproved algorithm in
>FIPS mode.
>
>Workaround: use the -descert option.
>
>Steve.
>--
>Dr Stephen N. Henson. OpenSSL project core developer.
>Commercial tech support now available see: http://www.openssl.org



Re: PKCS12 keystore creation failing in fips mode

2013-05-29 Thread Dr. Stephen Henson
On Wed, May 29, 2013, Anamitra Dutta Majumdar (anmajumd) wrote:

> We are trying to create pkcs12 keystore in FIPS mode using OpenSSL 1.0.1
> and it fails with the following error
> 
> 9uo8bYe2YpDmqEgC[root@vos-i/usr/local/platform/bin/openssl pkcs12 -export
> -in tomcat.pem -inkey ../keys/tomcat_priv.pem -out tomcat.keystore
> Enter Export Password:
> Verifying - Enter Export Password:
> 4151633544:error:060A60A3:digital envelope
> routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
> 4151633544:error:06074078:digital envelope
> routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
> 4151633544:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor
> cipherinit error:p12_decr.c:83:
> 4151633544:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt
> error:p12_decr.c:175:
> 4151633544:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt
> error:p12_add.c:202:
> 
> 
> The same command works in FIPS mode.
> 
> So I have the following questions
> 
> 1. Is there a way to work around the issue and still be able to create pkcs12
> format keystore in FIPS mode?
> 2. This command worked in earlier versions of openssl like 0.9.8l in FIPS
> mode. What has changed in 1.0.1 that it has stopped working in FIPS mode?
> 
> Any pointers will be appreciated.
> 

That's a bug in 1.0.1 in that it tries to use an unapproved algorithm in FIPS
mode.

Workaround: use the -descert option.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
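The -descert workaround from Steve's first reply and the PKCS12_create() setting from his follow-up (certificate PBE = NID_pbe_WithSHA1And3_Key_TripleDES_CBC), as an added shell example; this is not code from the thread or from the OpenSSL project. It assumes an `openssl` binary (1.1.1 or 3.x) on PATH, stands in a constructed throwaway RSA key and self-signed certificate for tomcat_priv.pem / tomcat.pem, uses a made-up export password, and does not need a FIPS module: what it checks is which PBE algorithm the certificate bag ends up wrapped with, which is exactly what the workaround changes.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL itself.
# Build a PKCS#12 file with and without -descert and report the PBE
# algorithm protecting the certificate SafeContents in each case.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit   # constructed export password, example only

# Constructed test material: a 2048-bit RSA key and a one-day self-signed
# cert, standing in for ../keys/tomcat_priv.pem and tomcat.pem in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=pkcs12-descert-example" \
  -keyout "$WORK/tomcat_priv.pem" -out "$WORK/tomcat.pem" >/dev/null 2>&1

# make_p12 OUT [extra pkcs12 options]: the thread's -export command.
make_p12() {
  out=$1; shift
  openssl pkcs12 -export -in "$WORK/tomcat.pem" -inkey "$WORK/tomcat_priv.pem" \
    -out "$out" -passout "pass:$PASS" "$@"
}

# cert_pbe FILE: print the PBE algorithm of the certificate SafeContents.
# `pkcs12 -info` reports it as "PKCS7 Encrypted data: <alg>, Iteration N";
# the info lines go to stderr in some versions, hence 2>&1.
cert_pbe() {
  openssl pkcs12 -in "$1" -info -noout -passin "pass:$PASS" 2>&1 \
    | sed -n 's/^PKCS7 Encrypted data: \([^,]*\),.*/\1/p' | head -n 1
}

# Whatever this build picks by default for the certificate bag, i.e. what the
# failing command in the thread would use (RC2-40 in 1.0.x/1.1.x builds,
# PBES2/AES-256 in 3.x).
default_cert_pbe() {
  make_p12 "$WORK/default.p12"
  cert_pbe "$WORK/default.p12"
}

# With -descert the certificate bag is wrapped with
# pbeWithSHA1And3-KeyTripleDES-CBC: the CLI equivalent of passing
# NID_pbe_WithSHA1And3_Key_TripleDES_CBC as the nid_cert argument of
# PKCS12_create(pass, name, pkey, cert, ca, nid_key, nid_cert, iter, mac_iter, keytype).
descert_cert_pbe() {
  make_p12 "$WORK/descert.p12" -descert
  cert_pbe "$WORK/descert.p12"
}

echo "default  cert PBE: $(default_cert_pbe)"
echo "-descert cert PBE: $(descert_cert_pbe)"
```

Running this on a non-FIPS build shows the algorithm selection directly, so you can confirm that a keystore build script really ends up with the 3DES certificate PBE before relying on it under a FIPS-mode 1.0.1 install, where the default selection fails inside PKCS12_pbe_crypt as in the trace above.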