openssl fips patch for RSA Key Gen (186-4)

Michael Wojcik Michael.Wojcik at
Tue Jan 5 17:11:58 UTC 2021

> From: openssl-users <openssl-users-bounces at> On Behalf Of Matt
> Caswell
> Sent: Tuesday, 5 January, 2021 09:35
> On 05/01/2021 11:41, y vasavi wrote:
> >
> > We currently FOM 2.0 module for FIPS certification.
> > It doesn't have support for RSA Key generation(186-4)
> >
> > Are there any patches available ?
> Definitely there are no official ones (I'm also not aware of any
> unofficial ones).

And such a patched module would no longer be FIPS 140 validated.

I know of at least one commercial, proprietary fork of the OpenSSL FOM 2.0 with 186-4 support. It has its own validations, obtained by the vendor. It's part of a commercial software package and not available for use by other software.

If memory serves, SUSE also implemented 186-4 when they ported the FOM 2.0 to OpenSSL 1.1.1. SUSE open-sourced their changes - you can find the diffs on one of the SUSE sites - but again, they had to get a new validation. It applies only to their module when used on SLES. (Red Hat similarly did their own ports and got their own validations for RHEL. I don't know whether they published their changes.)

So it's possible, but as usual with FIPS 140, you have the time and expense of validation. That's even more complicated now than it has been in past years, thanks in part to the transition from FIPS 140-2 to 140-3. I've heard from people with contacts in the CMVP that "the queue is full" for the year, and anyone not already in line will be waiting even longer than usual for a validation.

Michael Wojcik

More information about the openssl-users mailing list