[openssl-dev] FIPS compliant digital signature

Dr. Stephen Henson steve at openssl.org
Wed Feb 4 19:21:19 UTC 2015


On Wed, Feb 04, 2015, Rex Bloom wrote:

> Can someone help me understand what type of digital signature I can use for FIPS compliance?
> 
> I used this command:
> 
> openssl genrsa -aes128 -passout pass:mypassphrase -out privkey.pem 2048
> 
> to generate a pem file but when I tried to load this as follows:
> 
> RSA *rkey = PEM_read_bio_RSAPrivateKey( bio, 0, 0, (void*)"mypassphrase");
> 
> I receive this error
> 
> error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips'.
> 
> Can you point to anything I am doing wrong here?
> 

This is an openssl-users question, not openssl-dev.

You need to be in FIPS mode when you create the key. So if you do:

OPENSSL_FIPS=1 openssl genrsa ...

It should work.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
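
An added example, not part of the original message and not OpenSSL project code: a pre-flight check for key files that a FIPS-mode application will load. Traditional PEM encryption (the `Proc-Type: 4,ENCRYPTED` and `DEK-Info` headers) derives its key from the passphrase with MD5, a digest that FIPS mode disables, so such files are flagged. The function name `pem_key_format` and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Classify how a PEM private key file is protected, from its text headers only.
#   traditional-encrypted : Proc-Type/DEK-Info headers; the passphrase is
#                           turned into a key with MD5, so a FIPS-mode reader
#                           fails in the digest init step
#   pkcs8-encrypted       : "ENCRYPTED PRIVATE KEY"; the KDF is inside the
#                           ASN.1 and still has to be an approved one
#   unencrypted           : private key block with no encryption marker
#   unknown               : no private key block found
pem_key_format() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 2; }
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo "pkcs8-encrypted"
    elif grep -q '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo "traditional-encrypted"
        else
            echo "unencrypted"
        fi
    else
        echo "unknown"
    fi
}

# Constructed sample: header lines only, the body is a placeholder, not a key.
demo=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' \
    '' \
    'PLACEHOLDER' \
    '-----END RSA PRIVATE KEY-----' > "$demo"
echo "sample key: $(pem_key_format "$demo")"
rm -f "$demo"
```

A `traditional-encrypted` result means the key should be regenerated or re-encoded in FIPS mode before deployment; a `pkcs8-encrypted` result only rules out this particular failure.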

