OpenSSL shared library in FIPS mode

Tue Jul 7 15:33:28 UTC 2020

Thanks Murugesh. I just wanted to add that the FOM (OpenSSL FIPS object
module) is built using the instructions provided by the User Guide:

./config
make
make install

The built fipscanister.o is integrated into the OpenSSL distribution via
our own build infrastructure by mimicking the OpenSSL makefiles (including
invoking fipsld to embed the signature into the library).

On Tue, Jul 7, 2020 at 8:39 PM murugesh pitchaiah <
murugesh.pitchaiah at gmail.com> wrote:

> Hi,
>
> Yes. You have to use openssl provided build files.
>
> Thanks,
> Murugesh P.
>
> On 7/7/20, Shirisha Dasari via openssl-users <openssl-users at openssl.org>
> wrote:
> > Hi All,
> >
> > We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS
> > compliance. Post integration, we have been able to run in FIPS mode, with
> > all self-tests passing as well. However, we seem to be encountering
> issues
> > in creation and parsing of ECDSA keys.
> >
> > A little background on how we build the shared libcrypto library:
> >
> > TARGET: x86_64
> > BUILD HOST: x86_64
> >
> > We do not use the OpenSSL Makefile to build the OpenSSL source. Our build
> > infrastructure  creates multiple static archives from the OpenSSL crypto
> > source and finally creates a libcrypto.a from these archives as required
> by
> > fipsld. The fipscanister.o and libcrypto.a are archived to create the
> final
> > libcrypto.a and passed onto fipsld for creation of a dynamic library,
> > libcrypto.so. fips_premain_dso gets built as a part of the build process
> > too for generation of signature. These steps mimic the OpenSSL opensource
> > Makefile.
> >
> > fipsld embeds the signature into the final libcrypto.so successfully and
> we
> > are able to get into FIPS mode successfully at run time. Self-tests pass
> as
> > well.
> >
> > Issue:
> >
> > While trying to use ECDSA host keys for OpenSSH, we noticed that parsing
> of
> > ECDSA key fails. DSA and RSA key creation and parsing do not have this
> > issue. Note that the ECDSA key was generated in FIPS mode and is being
> > parsed in FIPS mode itself.
> >
> > root at localhost:/home/admin#  openssl ec -in ssh_host_key_ecdsa -text
> -noout
> > read EC key
> > unable to load Key
> > 140020611143360:error:10067066:elliptic curve
> > routines:ec_GFp_simple_oct2point:invalid
> > encoding:../../../../vendor/openssl-fips/crypto/ec/ecp_oct.c:370:
> > 140020611143360:error:10092010:elliptic curve
> routines:d2i_ECPrivateKey:EC
> > lib:../../../../vendor/openssl-fips/crypto/ec/ec_asn1.c:1172:
> > 140020611143360:error:100D508E:elliptic curve
> > routines:ECKEY_PRIV_DECODE:decode
> > error:../../../../vendor/openssl-fips/crypto/ec/ec_ameth.c:256:
> > 140020611143360:error:0606F091:digital envelope
> > routines:EVP_PKCS82PKEY:private key decode
> > error:../../../../vendor/openssl-fips/crypto/evp/evp_pkey.c:92:
> > 140020611143360:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1
> > lib:../../../../vendor/openssl-fips/crypto/pem/pem_pkey.c:142:
> > root at localhost:/home/admin#
> >
> > A portion of the sample ECDSA key generated with curve secp384r1 via
> > ssh-keygen with "ssh-keygen -t ecdsa -b 384 -f  ssh_host_key_ecdsa" is
> > provided below:
> >
> > -----BEGIN PRIVATE KEY-----
> > MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD
> > ........
> > ........
> > -----END PRIVATE KEY-----
> >
> >  A few questions related to this:
> >
> > 1) Is there a specific need to build the OpenSSL source only via the
> > provided Makefile?
> > 2) FIPS self test for ECDSA passes but the key creation/parsing fails.
> > Could this indicate that the FIPS module APIs are not getting invoked in
> > the case of ECDSA?
> >
> > --
> > Thanks & Regards,
> > Shirisha.
> >
>

-- 
Thanks & Regards,
Shirisha.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20200707/a03954a2/attachment-0001.html>