[openssl-users] RSA_generate_key fails in FIPS Mode with key size 2048

Dr. Stephen Henson steve at openssl.org
Wed Feb 24 23:14:03 UTC 2016

On Wed, Feb 24, 2016, Neptune wrote:

> Using:
> FIPS Object Module 2.0.9
> OpenSSL 1.0.1l
> When I call RSA_generate_key:
> if (rsa = RSA_generate_key(keySize, RSA_F4, NULL, NULL))
> I get the following error string:
> (OPENSSL error:04081078:rsa routines:RSA_BUILTIN_KEYGEN:key size too small)
> As I understand, RSA Key size must be 2048 or greater in FIPS mode, so I
> printed out the key size just before calling the above function:
> ******** KEYSIZE = 2048.
> What else could cause this function to report a key size too small if it is
> 2048 bits? Is 2048 still FIPS-compliant? 
> BTW: this works if FIPS mode is off.

That isn't the error I'd expect if it was rejecting the key size straight
away. Do you have a small program that can reproduce this?

What happens if you do:

OPENSSL_FIPS=1 openssl genrsa 2048

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list