OpenSSL shared library in FIPS mode

murugesh pitchaiah murugesh.pitchaiah at gmail.com
Tue Jul 7 15:09:34 UTC 2020


Hi,

Yes. You have to use openssl provided build files.

Thanks,
Murugesh P.

On 7/7/20, Shirisha Dasari via openssl-users <openssl-users at openssl.org> wrote:
> Hi All,
>
> We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS
> compliance. Post integration, we have been able to run in FIPS mode, with
> all self-tests passing as well. However, we seem to be encountering issues
> in creation and parsing of ECDSA keys.
>
> A little background on how we build the shared libcrypto library:
>
> TARGET: x86_64
> BUILD HOST: x86_64
>
> We do not use the OpenSSL Makefile to build the OpenSSL source. Our build
> infrastructure creates multiple static archives from the OpenSSL crypto
> source and finally creates a libcrypto.a from these archives as required by
> fipsld. The fipscanister.o and libcrypto.a are archived to create the final
> libcrypto.a and passed onto fipsld for creation of a dynamic library,
> libcrypto.so. fips_premain_dso gets built as a part of the build process
> too for generation of signature. These steps mimic the OpenSSL opensource
> Makefile.
>
> fipsld embeds the signature into the final libcrypto.so successfully and we
> are able to get into FIPS mode successfully at run time. Self-tests pass as
> well.
>
> Issue:
>
> While trying to use ECDSA host keys for OpenSSH, we noticed that parsing of
> ECDSA key fails. DSA and RSA key creation and parsing do not have this
> issue. Note that the ECDSA key was generated in FIPS mode and is being
> parsed in FIPS mode itself.
>
> root at localhost:/home/admin#  openssl ec -in ssh_host_key_ecdsa -text -noout
> read EC key
> unable to load Key
> 140020611143360:error:10067066:elliptic curve
> routines:ec_GFp_simple_oct2point:invalid
> encoding:../../../../vendor/openssl-fips/crypto/ec/ecp_oct.c:370:
> 140020611143360:error:10092010:elliptic curve routines:d2i_ECPrivateKey:EC
> lib:../../../../vendor/openssl-fips/crypto/ec/ec_asn1.c:1172:
> 140020611143360:error:100D508E:elliptic curve
> routines:ECKEY_PRIV_DECODE:decode
> error:../../../../vendor/openssl-fips/crypto/ec/ec_ameth.c:256:
> 140020611143360:error:0606F091:digital envelope
> routines:EVP_PKCS82PKEY:private key decode
> error:../../../../vendor/openssl-fips/crypto/evp/evp_pkey.c:92:
> 140020611143360:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1
> lib:../../../../vendor/openssl-fips/crypto/pem/pem_pkey.c:142:
> root at localhost:/home/admin#
>
> A portion of the sample ECDSA key generated with curve secp384r1 via
> ssh-keygen with "ssh-keygen -t ecdsa -b 384 -f  ssh_host_key_ecdsa" is
> provided below:
>
> -----BEGIN PRIVATE KEY-----
> MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD
> ........
> ........
> -----END PRIVATE KEY-----
>
>  A few questions related to this:
>
> 1) Is there a specific need to build the OpenSSL source only via the
> provided Makefile?
> 2) FIPS self test for ECDSA passes but the key creation/parsing fails.
> Could this indicate that the FIPS module APIs are not getting invoked in
> the case of ECDSA?
>
> --
> Thanks & Regards,
> Shirisha.
>
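The error stack quoted above fails in ec_GFp_simple_oct2point, which is reached only after the outer PKCS#8 and ECPrivateKey layers have been parsed, so it is worth being able to confirm independently which layer of a key file is malformed. The script below is an added example, not code from the thread or from OpenSSL: it walks the DER headers of the base64 prefix quoted in the post (the post truncates the key after that line, so only the outer structure is inspectable) with a minimal TLV reader and reports the declared algorithm, named curve, and private-scalar length. The curve-name table and the helper names are the example's own.

```python
import base64

# Base64 prefix of the PKCS#8 key quoted in the thread. The post truncates the
# file after this line, so the buffer ends inside the private scalar.
KEY_PREFIX_B64 = "MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD"

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
CURVE_NAMES = {  # small lookup table kept by this example
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}


def b64_prefix_to_der(prefix: str) -> bytes:
    """Decode a possibly unpadded base64 fragment; trailing partial bits are dropped."""
    return base64.b64decode(prefix + "=" * ((-len(prefix)) % 4))


def read_tlv(der: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element at pos.
    value_end may lie past len(der) when the buffer is truncated."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def decode_oid(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def expect(tag: int, wanted: int, what: str) -> None:
    if tag != wanted:
        raise ValueError(f"{what}: expected tag 0x{wanted:02x}, got 0x{tag:02x}")


def inspect_pkcs8_ec_prefix(der: bytes) -> dict:
    """Walk PrivateKeyInfo -> AlgorithmIdentifier -> ECPrivateKey headers.
    Only headers are read, so a truncated buffer is fine."""
    info = {}
    tag, pos, _ = read_tlv(der, 0)                 # PrivateKeyInfo SEQUENCE
    expect(tag, 0x30, "PrivateKeyInfo")
    tag, start, end = read_tlv(der, pos)           # version INTEGER
    expect(tag, 0x02, "PKCS#8 version")
    info["pkcs8_version"] = int.from_bytes(der[start:end], "big")
    tag, pos, alg_end = read_tlv(der, end)         # AlgorithmIdentifier SEQUENCE
    expect(tag, 0x30, "AlgorithmIdentifier")
    tag, start, end = read_tlv(der, pos)           # algorithm OID
    expect(tag, 0x06, "algorithm OID")
    info["algorithm"] = decode_oid(der[start:end])
    info["is_ec_key"] = info["algorithm"] == ID_EC_PUBLIC_KEY
    tag, start, end = read_tlv(der, end)           # namedCurve OID
    expect(tag, 0x06, "namedCurve OID")
    info["curve_oid"] = decode_oid(der[start:end])
    info["curve"] = CURVE_NAMES.get(info["curve_oid"], "unknown")
    tag, pos, _ = read_tlv(der, alg_end)           # privateKey OCTET STRING
    expect(tag, 0x04, "privateKey OCTET STRING")
    tag, pos, _ = read_tlv(der, pos)               # ECPrivateKey SEQUENCE
    expect(tag, 0x30, "ECPrivateKey")
    tag, start, end = read_tlv(der, pos)           # ECPrivateKey version INTEGER
    expect(tag, 0x02, "ECPrivateKey version")
    info["ec_version"] = int.from_bytes(der[start:end], "big")
    tag, start, end = read_tlv(der, end)           # private scalar OCTET STRING
    expect(tag, 0x04, "private scalar")
    info["scalar_bytes"] = end - start
    info["scalar_present"] = end <= len(der)       # False on the truncated sample
    return info


if __name__ == "__main__":
    for k, v in inspect_pkcs8_ec_prefix(b64_prefix_to_der(KEY_PREFIX_B64)).items():
        print(f"{k}: {v}")
```

On the quoted prefix this reports id-ecPublicKey with curve 1.3.132.0.34 (secp384r1, matching the -b 384 used with ssh-keygen), PKCS#8 version 0, ECPrivateKey version 1 and a 48-byte scalar, i.e. the layers that d2i_ECPrivateKey handles before the public point are well-formed. The [1] publicKey BIT STRING that ec_GFp_simple_oct2point decodes lies in the part of the file the post omits; with the full file, the same walker can be extended to that element, whose first content byte must be a point-conversion form (0x04 for uncompressed, 0x02 or 0x03 for compressed) followed by the coordinate length the curve expects, which is what that function's "invalid encoding" error is about.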

