RSA key generation in FIPS mode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jul 28, 2015, Randy Steck wrote:

> Thus, it appears that there is a function in the FIPS API that allows
> for the creation of RSA keys in a non-approved manner.
> 
> Am I missing something?  Is this by design, or is it a bug?
> 

Yes you're right it uses the unapproved keygen algorithm by default.

The FIPS capable OpenSSL does this too which I'd say this was a bug which
should be fixed.

> Assuming I was to remediate this for one of my clients (hardware
> validation),
> the wrapper function within the canister should replace the call to the
> builtin function with a call to the RSA_X931_generate_key_ex() function,
> and/or the struct creation function should explicitly set the rsa_keygen
> method.  Correct?
> 

Well you don't have to modify the FIPS module at all. The FIPS capable OpenSSL
can be modified to call FIPS_rsa_x931_generate_key_ex in FIPS mode.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux