OpenSSL shared library in FIPS mode

murugesh pitchaiah murugesh.pitchaiah at
Tue Jul 7 15:09:34 UTC 2020


Yes. You have to use the OpenSSL-provided build files.

Murugesh P.

On 7/7/20, Shirisha Dasari via openssl-users <openssl-users at> wrote:
> Hi All,
> We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS
> compliance. Post integration, we have been able to run in FIPS mode, with
> all self-tests passing as well. However, we seem to be encountering issues
> in creation and parsing of ECDSA keys.
> A little background on how we build the shared libcrypto library:
> TARGET: x86_64
> BUILD HOST: x86_64
> We do not use the OpenSSL Makefile to build the OpenSSL source. Our build
> infrastructure creates multiple static archives from the OpenSSL crypto
> source and finally creates a libcrypto.a from these archives as required by
> fipsld. The fipscanister.o and libcrypto.a are archived to create the final
> libcrypto.a and passed on to fipsld for creation of a dynamic library;
> fips_premain_dso gets built as a part of the build process
> too for generation of the signature. These steps mimic the OpenSSL open-source
> Makefile.
> fipsld embeds the signature into the final library successfully and we
> are able to get into FIPS mode successfully at run time. Self-tests pass as
> well.
> Issue:
> While trying to use ECDSA host keys for OpenSSH, we noticed that parsing of
> ECDSA key fails. DSA and RSA key creation and parsing do not have this
> issue. Note that the ECDSA key was generated in FIPS mode and is being
> parsed in FIPS mode itself.
> root@localhost:/home/admin# openssl ec -in ssh_host_key_ecdsa -text -noout
> read EC key
> unable to load Key
> 140020611143360:error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding:../../../../vendor/openssl-fips/crypto/ec/ecp_oct.c:370:
> 140020611143360:error:10092010:elliptic curve routines:d2i_ECPrivateKey:EC lib:../../../../vendor/openssl-fips/crypto/ec/ec_asn1.c:1172:
> 140020611143360:error:100D508E:elliptic curve routines:ECKEY_PRIV_DECODE:decode error:../../../../vendor/openssl-fips/crypto/ec/ec_ameth.c:256:
> 140020611143360:error:0606F091:digital envelope routines:EVP_PKCS82PKEY:private key decode error:../../../../vendor/openssl-fips/crypto/evp/evp_pkey.c:92:
> 140020611143360:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:../../../../vendor/openssl-fips/crypto/pem/pem_pkey.c:142:
> root@localhost:/home/admin#
> A portion of the sample ECDSA key generated with curve secp384r1 via
> ssh-keygen with "ssh-keygen -t ecdsa -b 384 -f  ssh_host_key_ecdsa" is
> provided below:
> ........
> ........
> -----END PRIVATE KEY-----
> A few questions related to this:
> 1) Is there a specific need to build the OpenSSL source only via the
> provided Makefile?
> 2) FIPS self test for ECDSA passes but the key creation/parsing fails.
> Could this indicate that the FIPS module APIs are not getting invoked in
> the case of ECDSA?
> --
> Thanks & Regards,
> Shirisha.
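The key that fails to parse is a PKCS#8 "BEGIN PRIVATE KEY" wrapper around an RFC 5915 ECPrivateKey, and the innermost error in the trace comes from ec_GFp_simple_oct2point, the routine that decodes the octet-string form of the public point carried in the key's [1] publicKey BIT STRING. Before suspecting the FIPS build, it is worth checking that encoding (form byte and length against the curve's field size) without OpenSSL in the loop. The script below is an added example written for this page, not code from the thread, from OpenSSH or from OpenSSL: it parses just enough DER to report the curve OID, the scalar length and the public point's form and length, and the sample key it builds is constructed with a dummy scalar and dummy coordinates so that only the encoding is exercised (the point is not on the curve and must not be used as a key).

```python
"""Inspect the EC structures inside a PKCS#8 "BEGIN PRIVATE KEY" PEM.

Added example, not code from the thread or from OpenSSL. The sample key is
constructed with a dummy scalar and a dummy point; it exercises the encoding
only. Pure standard library: python3 inspect_ec_key.py [ssh_host_key_ecdsa]
"""
import base64
import re
import sys

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
CURVES = {  # named-curve OID -> (name, field size in bytes)
    "1.2.840.10045.3.1.7": ("prime256v1", 32),
    "1.3.132.0.34": ("secp384r1", 48),
    "1.3.132.0.35": ("secp521r1", 66),
}
POINT_FORMS = {0x02: "compressed", 0x03: "compressed", 0x04: "uncompressed",
               0x06: "hybrid", 0x07: "hybrid"}


def der(tag, content):
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_read(buf, pos):
    """Decode one TLV at pos; return (tag, value, position after the TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed value into (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def inspect_ec_pkcs8(pem):
    """Report what the EC decoder sees: curve, scalar length, point form and length."""
    label, raw = pem_to_der(pem)
    if label != "PRIVATE KEY":
        raise ValueError("expected a PKCS#8 PRIVATE KEY block, got " + label)
    _, pki, _ = der_read(raw, 0)                       # PrivateKeyInfo SEQUENCE
    _version, alg, key_octets = der_children(pki)[:3]
    alg_oid, params = der_children(alg[1])[:2]
    if decode_oid(alg_oid[1]) != ID_EC_PUBLIC_KEY:
        raise ValueError("AlgorithmIdentifier is not id-ecPublicKey")
    curve_oid = decode_oid(params[1])
    name, field_bytes = CURVES.get(curve_oid, (curve_oid, None))
    ec_priv = der_children(key_octets[1])[0]           # RFC 5915 ECPrivateKey SEQUENCE
    fields = der_children(ec_priv[1])
    scalar = next(v for t, v in fields if t == 0x04)          # privateKey OCTET STRING
    pub = next((v for t, v in fields if t == 0xA1), None)     # [1] publicKey BIT STRING
    info = {"curve": name, "private_len": len(scalar), "public_form": None,
            "public_len": 0, "encoding_ok": field_bytes is not None}
    if field_bytes is not None and len(scalar) > field_bytes:
        info["encoding_ok"] = False
    if pub is not None:
        point = der_children(pub)[0][1][1:]            # drop the BIT STRING unused-bits byte
        form = POINT_FORMS.get(point[0], "unknown") if point else "empty"
        info["public_form"], info["public_len"] = form, len(point)
        if field_bytes is not None:
            want = 1 + field_bytes if form == "compressed" else 1 + 2 * field_bytes
            if form in ("unknown", "empty") or len(point) != want:
                info["encoding_ok"] = False            # what oct2point would reject
    return info


def build_sample_key(point_form=0x04, drop_bytes=0):
    """Constructed secp384r1 PKCS#8 key: dummy scalar, dummy point, NOT a real key."""
    fb = 48
    scalar = bytes(range(1, fb + 1))
    x, y = b"\x11" * fb, b"\x22" * fb
    point = bytes([point_form]) + x + (y if point_form in (0x04, 0x06, 0x07) else b"")
    if drop_bytes:
        point = point[:-drop_bytes]                    # simulate a truncated point
    ec_priv = der(0x30, der(0x02, b"\x01") + der(0x04, scalar)
                  + der(0xA1, der(0x03, b"\x00" + point)))
    alg = der(0x30, bytes.fromhex("06072a8648ce3d0201")     # id-ecPublicKey
              + bytes.fromhex("06052b81040022"))             # secp384r1
    pki = der(0x30, der(0x02, b"\x00") + alg + der(0x04, ec_priv))
    b64 = base64.b64encode(pki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END PRIVATE KEY-----\n"


if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_key()
    print(inspect_ec_pkcs8(pem))
```

Run it against the real file with `python3 inspect_ec_key.py ssh_host_key_ecdsa`. For a secp384r1 key written by ssh-keygen the expected report is an uncompressed point of 97 bytes and a scalar of at most 48 bytes; if the form byte or length does not match the curve, the encoding itself is what the oct2point step rejects and the key file is the thing to look at. If the encoding is fine, the next comparison is the same `openssl ec` command run against the vendor build with and without `OPENSSL_FIPS=1` in the environment (the 1.0.2 `openssl` binary calls FIPS_mode_set(1) when that variable is set), which separates a key problem from a build problem.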
