OpenSSL shared library in FIPS mode

Shirisha Dasari shirisha.dasari at broadcom.com
Tue Jul 7 05:36:17 UTC 2020


Hi All,

We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS
compliance. Post integration, we have been able to run in FIPS mode, with
all self-tests passing as well. However, we seem to be encountering issues
in creation and parsing of ECDSA keys.

A little background on how we build the shared libcrypto library:

TARGET: x86_64
BUILD HOST: x86_64

We do not use the OpenSSL Makefile to build the OpenSSL source. Our build
infrastructure  creates multiple static archives from the OpenSSL crypto
source and finally creates a libcrypto.a from these archives as required by
fipsld. The fipscanister.o and libcrypto.a are archived to create the final
libcrypto.a and passed onto fipsld for creation of a dynamic library,
libcrypto.so. fips_premain_dso gets built as a part of the build process
too for generation of signature. These steps mimic the OpenSSL opensource
Makefile.

fipsld embeds the signature into the final libcrypto.so successfully and we
are able to get into FIPS mode successfully at run time. Self-tests pass as
well.

Issue:

While trying to use ECDSA host keys for OpenSSH, we noticed that parsing of
ECDSA key fails. DSA and RSA key creation and parsing do not have this
issue. Note that the ECDSA key was generated in FIPS mode and is being
parsed in FIPS mode itself.

root at localhost:/home/admin#  openssl ec -in ssh_host_key_ecdsa -text -noout
read EC key
unable to load Key
140020611143360:error:10067066:elliptic curve
routines:ec_GFp_simple_oct2point:invalid
encoding:../../../../vendor/openssl-fips/crypto/ec/ecp_oct.c:370:
140020611143360:error:10092010:elliptic curve routines:d2i_ECPrivateKey:EC
lib:../../../../vendor/openssl-fips/crypto/ec/ec_asn1.c:1172:
140020611143360:error:100D508E:elliptic curve
routines:ECKEY_PRIV_DECODE:decode
error:../../../../vendor/openssl-fips/crypto/ec/ec_ameth.c:256:
140020611143360:error:0606F091:digital envelope
routines:EVP_PKCS82PKEY:private key decode
error:../../../../vendor/openssl-fips/crypto/evp/evp_pkey.c:92:
140020611143360:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1
lib:../../../../vendor/openssl-fips/crypto/pem/pem_pkey.c:142:
root at localhost:/home/admin#

A portion of the sample ECDSA key generated with curve secp384r1 via
ssh-keygen with "ssh-keygen -t ecdsa -b 384 -f  ssh_host_key_ecdsa" is
provided below:

-----BEGIN PRIVATE KEY-----
MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD
........
........
-----END PRIVATE KEY-----

 A few questions related to this:

1) Is there a specific need to build the OpenSSL source only via the
provided Makefile?
2) FIPS self test for ECDSA passes but the key creation/parsing fails.
Could this indicate that the FIPS module APIs are not getting invoked in
the case of ECDSA?

-- 
Thanks & Regards,
Shirisha.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20200707/91494317/attachment.html>


More information about the openssl-users mailing list