[openssl-users] PKEY signing failing in fips mode

Mahoda Ratnayaka mahodardev at gmail.com
Fri Dec 4 02:16:44 UTC 2015


I'm trying to change the ssh-rsa.c to be fips compliant. So, after some
investigation I added the following code to the ssh_rsa_sign function to
make it fips compliant.

signing_key = EVP_PKEY_new();
EVP_PKEY_assign_RSA(signing_key, key->rsa);

ctx = EVP_PKEY_CTX_new(signing_key, NULL /* no engine */);
EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING);
EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256());
EVP_PKEY_sign(ctx, sig, &slen, digest, sizeof(digest));

I also tried changing the code to be as follows:
+ EVP_MD_CTX_init(&mctx);
+ EVP_SignInit_ex(&mctx, EVP_sha256 (), NULL);
+ EVP_SignUpdate(&mctx, data, datalen);

  slen = RSA_size(key->rsa);
  sig = xmalloc(slen);

- ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
+ EVP_SignFinal(&mctx, sig, &len, pkey);
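
Review bot: the return value of EVP_SignFinal on the last added line is discarded, while the removed RSA_sign call stored its result in ok, so any later test of ok no longer reflects whether signing succeeded. Assign it (ok = EVP_SignFinal(&mctx, sig, &len, pkey);) and also check EVP_SignInit_ex and EVP_SignUpdate, which return 1 on success. Two further points on the visible lines: pkey is not declared or assigned anywhere in this hunk, and the digest is now fixed to EVP_sha256() where the old call took it from nid, so confirm that matches what the caller and the verifying side expect.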

But unfortunately, both these approaches end with the following error:
"error:0408E09E:rsa routines:PKEY_RSA_SIGN:operation not allowed in fips

It would be much appreciated if anyone can let me know why I'm hitting
this, and if there is any way of getting around it.
