[openssl-dev] FIPS compliant digital signature

Rex Bloom rex at kalos-inc.com
Wed Feb 4 19:30:29 UTC 2015

Thank you!!  Worked perfectly and was exactly what I was missing.

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, February 4, 2015 1:21 PM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] FIPS compliant digital signature

On Wed, Feb 04, 2015, Rex Bloom wrote:

> Can someone help me understand what type of digital signature I can use for FIPS compliance.
> I used this command:
> openssl genrsa -aes128 -passout pass:mypassphrase -out privkey.pem 
> 2048
> to generate a pem file but when I tried to load this as follows:
> RSA *rkey = PEM_read_bio_RSAPrivateKey( bio, 0, 0, 
> (void*)"mypassphrase");
> I receive this error
> error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips'.
> Can you point to anything I am doing wrong here?

This is an openssl-users question not openssl-dev.

You need to be in FIPS mode when you create the key. So if you do:

OPENSSL_FIPS=1 openssl genrsa ...

It should work.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org _______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

More information about the openssl-dev mailing list