[openssl-users] i2d_X509_SIG() in FIPS mode
Gayathri Manoj
gayathri.annur at gmail.com
Fri Feb 6 09:46:28 UTC 2015
Thanks Steve for looking into this. Earlier I have tested the same way and
no values came in der.
Finally i find out the crash reason. For getting digest we have used
ASN1_item_digest() and in this we have passed digest type as EVP_MD5()
which is not allowed in fips and its not thrown any error. And got return
value of this api as SUCCESS. Later i changed this to EVP_sha1() and able
to get the value in i2d_X509_SIG().
Thanks,
Gayathri
On Thu, Feb 5, 2015 at 7:21 PM, Dr. Stephen Henson <steve at openssl.org>
wrote:
> On Thu, Feb 05, 2015, Gayathri Manoj wrote:
>
> >
> > Tried with above method and its not worked. Please let me know is it
> > possible to use NID_md5WithRSAEncryption, NID_md5 in fips mode.
> >
>
> I threw together a quick test program and it has no problems for me. Let
> me know if it doesn't work for you.
>
> #include <stdio.h>
> #include <openssl/x509.h>
> #include <openssl/bio.h>
>
> main()
> {
> int len;
> unsigned char *der = NULL;
> BIO *out;
> X509_SIG *sig = X509_SIG_new();
> FIPS_mode_set(1);
> printf("Fips mode is %d\n", FIPS_mode());
> X509_ALGOR_set0(sig->algor, OBJ_nid2obj(NID_md5), V_ASN1_NULL, NULL);
> ASN1_STRING_set(sig->digest, "Hello World", -1);
> len = i2d_X509_SIG(sig, &der);
> out = BIO_new_fp(stdout, BIO_NOCLOSE);
> ASN1_parse(out, der, len, 0);
> }
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150206/68d94a9c/attachment.html>
More information about the openssl-users
mailing list