OpenSSL shared library in FIPS mode
murugesh.pitchaiah at gmail.com
Tue Jul 7 15:09:34 UTC 2020
Yes. You have to use the OpenSSL-provided build files.
On 7/7/20, Shirisha Dasari via openssl-users <openssl-users at openssl.org> wrote:
> Hi All,
> We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS
> compliance. Post integration, we have been able to run in FIPS mode, with
> all self-tests passing as well. However, we seem to be encountering issues
> in creation and parsing of ECDSA keys.
> A little background on how we build the shared libcrypto library:
> TARGET: x86_64
> BUILD HOST: x86_64
> We do not use the OpenSSL Makefile to build the OpenSSL source. Our build
> infrastructure creates multiple static archives from the OpenSSL crypto
> source and finally creates a libcrypto.a from these archives as required by
> fipsld. The fipscanister.o and libcrypto.a are archived to create the final
> libcrypto.a and passed onto fipsld for creation of a dynamic library,
> libcrypto.so. fips_premain_dso gets built as a part of the build process
> too for generation of signature. These steps mimic the OpenSSL opensource
> fipsld embeds the signature into the final libcrypto.so successfully and we
> are able to get into FIPS mode successfully at run time. Self-tests pass as
> While trying to use ECDSA host keys for OpenSSH, we noticed that parsing of
> ECDSA key fails. DSA and RSA key creation and parsing do not have this
> issue. Note that the ECDSA key was generated in FIPS mode and is being
> parsed in FIPS mode itself.
> root at localhost:/home/admin# openssl ec -in ssh_host_key_ecdsa -text -noout
> read EC key
> unable to load Key
> 140020611143360:error:10067066:elliptic curve
> 140020611143360:error:10092010:elliptic curve routines:d2i_ECPrivateKey:EC
> 140020611143360:error:100D508E:elliptic curve
> 140020611143360:error:0606F091:digital envelope
> routines:EVP_PKCS82PKEY:private key decode
> 140020611143360:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1
> root at localhost:/home/admin#
> A portion of the sample ECDSA key generated with curve secp384r1 via
> ssh-keygen with "ssh-keygen -t ecdsa -b 384 -f ssh_host_key_ecdsa" is
> provided below:
> -----BEGIN PRIVATE KEY-----
> -----END PRIVATE KEY-----
> A few questions related to this:
> 1) Is there a specific need to build the OpenSSL source only via the
> provided Makefile?
> 2) FIPS self test for ECDSA passes but the key creation/parsing fails.
> Could this indicate that the FIPS module APIs are not getting invoked in
> the case of ECDSA?
> Thanks & Regards,
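The error lines quoted in the post are packed OpenSSL error codes (library number, function number, reason number), the same values that `openssl errstr <hexcode>` decodes one at a time. As an added example, not part of this thread and not OpenSSL's own code, the Python below unpacks the OpenSSL 1.0.2-style packing for a whole log and reports which library raised each entry, which is the first thing to check when asking whether a call path went through the FIPS module. The library-number table is a partial ERR_LIB_* list assumed from OpenSSL 1.0.2 `err.h`, and `SAMPLE_LOG` is the (truncated) log from the post, copied in as constructed input.

```python
"""Unpack OpenSSL 1.0.2-style error codes as printed by ERR_print_errors().

Added example for this thread; not code from OpenSSL or from the poster.
Packing (OpenSSL 1.0.x/1.1.x): lib is the top 8 bits, function the next
12 bits, reason the low 12 bits.  ERR_LIB is a partial table of ERR_LIB_*
values assumed from 1.0.2 err.h; unknown numbers are reported numerically.
"""
import re

def err_get_lib(code: int) -> int:
    return (code >> 24) & 0xFF

def err_get_func(code: int) -> int:
    return (code >> 12) & 0xFFF

def err_get_reason(code: int) -> int:
    return code & 0xFFF

# Partial ERR_LIB_* table (assumed from OpenSSL 1.0.2 err.h).
ERR_LIB = {6: "EVP", 9: "PEM", 13: "ASN1", 16: "EC", 42: "ECDSA", 45: "FIPS"}

def reason_text(reason: int) -> str:
    # Reasons below 100 are generic ERR_R_* codes; a reason equal to a
    # library number is ERR_R_<lib>_LIB, i.e. "error propagated from <lib>".
    if reason in ERR_LIB:
        return f"{ERR_LIB[reason]} lib"
    return f"reason {reason}"

# <thread-id>:error:<8 hex digits>:<text...>; wrapped continuation lines
# (such as "routines:EVP_PKCS82PKEY:...") do not match and are skipped.
LINE_RE = re.compile(r"^(\d+):error:([0-9A-Fa-f]{8}):(.*)$")

def decode_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code = int(m.group(2), 16)
    lib_no = err_get_lib(code)
    return {
        "thread": m.group(1),
        "code": code,
        "lib": ERR_LIB.get(lib_no, f"lib {lib_no}"),
        "func": err_get_func(code),
        "reason": reason_text(err_get_reason(code)),
        "text": m.group(3),
    }

def decode_log(text: str):
    return [d for d in (decode_line(l) for l in text.splitlines()) if d]

def libs_involved(text: str):
    """Libraries appearing in the error stack, outermost first, deduplicated."""
    seen = []
    for d in decode_log(text):
        if d["lib"] not in seen:
            seen.append(d["lib"])
    return seen

# Constructed input: the five error lines from the post, as truncated in the archive.
SAMPLE_LOG = """\
140020611143360:error:10067066:elliptic curve
140020611143360:error:10092010:elliptic curve routines:d2i_ECPrivateKey:EC
140020611143360:error:100D508E:elliptic curve
140020611143360:error:0606F091:digital envelope
140020611143360:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1
"""

if __name__ == "__main__":
    for d in decode_log(SAMPLE_LOG):
        print(f'{d["code"]:08X}  lib={d["lib"]:<5} func={d["func"]:<4} {d["reason"]}')
    print("libraries in stack:", libs_involved(SAMPLE_LOG))
```

Run on the five lines from the post, every entry resolves to the EC, EVP or PEM library; the two "lib" reasons (`d2i_ECPrivateKey:EC lib`, `PEM_READ_BIO_PRIVATEKEY:ASN1 lib`) are pass-through errors from a lower layer, so the innermost, most informative entry is the first one. For a single code, `openssl errstr 10067066` on the affected build gives the same decomposition with the reason string filled in.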