[openssl-users] RSA_generate_key fails in FIPS Mode with key size 2048
Dr. Stephen Henson
steve at openssl.org
Wed Feb 24 23:14:03 UTC 2016
On Wed, Feb 24, 2016, Neptune wrote:
> FIPS Object Module 2.0.9
> OpenSSL 1.0.1l
> When I call RSA_generate_key:
> if (rsa = RSA_generate_key(keySize, RSA_F4, NULL, NULL))
> I get the following error string:
> (OPENSSL error:04081078:rsa routines:RSA_BUILTIN_KEYGEN:key size too small)
> As I understand, RSA Key size must be 2048 or greater in FIPS mode, so I
> printed out the key size just before calling the above function:
> ******** KEYSIZE = 2048.
> What else could cause this function to report a key size too small if it is
> 2048 bits? Is 2048 still FIPS-compliant?
> BTW: this works if FIPS mode is off.
That isn't the error I'd expect if it was rejecting the key size straight
away. Do you have a small program that can reproduce this?
What happens if you do:
OPENSSL_FIPS=1 openssl genrsa 2048
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
More information about the openssl-users