Hi,

Yes. You have to use the OpenSSL-provided build files.

Thanks,
Murugesh P.

On 7/7/20, Shirisha Dasari via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
> Hi All,
>
> We have been trying to integrate FOM 2.0.13 with OpenSSL 1.0.2u for FIPS
> compliance. Post-integration, we have been able to run in FIPS mode, with
> all self-tests passing as well. However, we seem to be encountering issues
> in the creation and parsing of ECDSA keys.
>
> A little background on how we build the shared libcrypto library:
>
> TARGET: x86_64
> BUILD HOST: x86_64
>
> We do not use the OpenSSL Makefile to build the OpenSSL source. Our build
> infrastructure creates multiple static archives from the OpenSSL crypto
> source and finally creates a libcrypto.a from these archives, as required by
> fipsld. The fipscanister.o and libcrypto.a are archived to create the final
> libcrypto.a and passed on to fipsld for creation of a dynamic library,
> libcrypto.so. fips_premain_dso gets built as a part of the build process
> too, for generation of the signature. These steps mimic the OpenSSL
> open-source Makefile.
>
> fipsld embeds the signature into the final libcrypto.so successfully and we
> are able to get into FIPS mode successfully at run time. Self-tests pass as
> well.
>
> Issue:
>
> While trying to use ECDSA host keys for OpenSSH, we noticed that parsing of
> the ECDSA key fails. DSA and RSA key creation and parsing do not have this
> issue. Note that the ECDSA key was generated in FIPS mode and is being
> parsed in FIPS mode itself.
>
> root@localhost:/home/admin# openssl ec -in ssh_host_key_ecdsa -text -noout
> read EC key
> unable to load Key
> 140020611143360:error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding:../../../../vendor/openssl-fips/crypto/ec/ecp_oct.c:370:
> 140020611143360:error:10092010:elliptic curve routines:d2i_ECPrivateKey:EC lib:../../../../vendor/openssl-fips/crypto/ec/ec_asn1.c:1172:
> 140020611143360:error:100D508E:elliptic curve routines:ECKEY_PRIV_DECODE:decode error:../../../../vendor/openssl-fips/crypto/ec/ec_ameth.c:256:
> 140020611143360:error:0606F091:digital envelope routines:EVP_PKCS82PKEY:private key decode error:../../../../vendor/openssl-fips/crypto/evp/evp_pkey.c:92:
> 140020611143360:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:../../../../vendor/openssl-fips/crypto/pem/pem_pkey.c:142:
> root@localhost:/home/admin#
>
> A portion of the sample ECDSA key generated with curve secp384r1 via
> ssh-keygen with "ssh-keygen -t ecdsa -b 384 -f ssh_host_key_ecdsa" is
> provided below:
>
> -----BEGIN PRIVATE KEY-----
> MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBDD
> ........
> ........
> -----END PRIVATE KEY-----
>
> A few questions related to this:
>
> 1) Is there a specific need to build the OpenSSL source only via the
> provided Makefile?
> 2) The FIPS self-test for ECDSA passes but the key creation/parsing fails.
> Could this indicate that the FIPS module APIs are not getting invoked in
> the case of ECDSA?
>
> --
> Thanks & Regards,
> Shirisha.
>
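The decode chain in the error trace quoted above (PEM_READ_BIO_PRIVATEKEY, EVP_PKCS82PKEY, ECKEY_PRIV_DECODE, d2i_ECPrivateKey, ec_GFp_simple_oct2point) is what the following Python script walks by hand. It is an added example, not part of this thread and not OpenSSL code. It decodes a PKCS#8 EC private key with a minimal DER reader and applies the checks an EC point decoder enforces before a key is accepted: algorithm and curve OIDs, private scalar in [1, n-1], and a public point with a valid form byte, the right length, reduced coordinates and a point that is actually on the curve. The sample key is constructed inside the script (private scalar d = 1, so the public point is the P-384 base point G; the P-384 constants are typed in from SEC 2 / FIPS 186-4 and assumed correct) and is laid out so that its first PEM line matches the key shown in the post up to where the key material begins. Only the uncompressed (0x04) point form is handled, and the script does not verify d·G = Q.

```python
# Added example, not OpenSSL code: walk a PKCS#8 EC private key along the path the
# failing trace takes (PKCS#8 -> ECPrivateKey -> point) with a hand-written DER walker.
import base64

# P-384 (secp384r1) domain parameters, typed in from SEC 2 / FIPS 186-4 (assumed correct)
P384_P = 2**384 - 2**128 - 2**96 + 2**32 - 1
P384_B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
P384_N = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973
P384_G = (0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7,
          0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f)
FIELD_BYTES = 48
OID_EC_PUBLIC_KEY, OID_SECP384R1 = "1.2.840.10045.2.1", "1.3.132.0.34"

def _need(cond, msg):
    if not cond:
        raise ValueError(msg)

def _tlv(tag, body):                                    # DER encoder, used only for the sample key
    n = len(body)                                       # the sample never exceeds 255 bytes
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:                                  # base-128 with continuation bits
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_pkcs8_ec_key(d, Q):
    """Constructed sample key: PKCS#8 around a SEC 1 ECPrivateKey, laid out like the key in
    the post (its length bytes imply no inner [0] parameters and a [1] public key)."""
    point = b"\x04" + Q[0].to_bytes(FIELD_BYTES, "big") + Q[1].to_bytes(FIELD_BYTES, "big")
    ec_priv = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, d.to_bytes(FIELD_BYTES, "big"))
                   + _tlv(0xA1, _tlv(0x03, b"\x00" + point)))
    alg_id = _tlv(0x30, _der_oid(OID_EC_PUBLIC_KEY) + _der_oid(OID_SECP384R1))
    return _tlv(0x30, _tlv(0x02, b"\x00") + alg_id + _tlv(0x04, ec_priv))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

def _read_tlv(buf, pos):                                # DER reader: one TLV at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        out.append((tag, inner))
    return out

def _decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def oct2point(octets):
    """SEC 1 octet string -> (x, y); the conditions a point decoder rejects (uncompressed form only)."""
    _need(octets[:1] == b"\x04", "point: only the uncompressed form (0x04) is handled here")
    _need(len(octets) == 1 + 2 * FIELD_BYTES, "point: wrong length for P-384")
    x, y = int.from_bytes(octets[1:1 + FIELD_BYTES], "big"), int.from_bytes(octets[1 + FIELD_BYTES:], "big")
    _need(x < P384_P and y < P384_P, "point: coordinate not reduced modulo p")
    _need((y * y - (x ** 3 - 3 * x + P384_B)) % P384_P == 0, "point: not on the curve")
    return x, y

def check_ec_private_key(der):
    """Walk PKCS#8 -> ECPrivateKey -> public point; return {'curve', 'd', 'Q'} or raise ValueError."""
    tag, body, _ = _read_tlv(der, 0)
    (vt, ver), (_, alg_id), (kt, blob) = _children(body)[:3]
    (_, alg_oid), (_, curve_oid) = _children(alg_id)[:2]
    curve = _decode_oid(curve_oid)
    _need(tag == 0x30 and (vt, ver) == (0x02, b"\x00") and kt == 0x04
          and _decode_oid(alg_oid) == OID_EC_PUBLIC_KEY and curve == OID_SECP384R1,
          "PKCS#8: expected version 0, id-ecPublicKey / secp384r1 and an OCTET STRING privateKey")
    tag, ec_priv, _ = _read_tlv(blob, 0)                # SEC 1 ECPrivateKey
    parts = _children(ec_priv)
    _need(tag == 0x30 and parts[0] == (0x02, b"\x01") and parts[1][0] == 0x04,
          "ECPrivateKey: expected SEQUENCE { INTEGER 1, OCTET STRING d, ... }")
    d = int.from_bytes(parts[1][1], "big")
    _need(1 <= d < P384_N, "ECPrivateKey: private scalar outside [1, n-1]")
    Q = None
    for tag, inner in parts[2:]:
        if tag == 0xA0:                                 # [0] parameters must agree with the outer OID
            _need(_decode_oid(_children(inner)[0][1]) == curve, "ECPrivateKey: curve mismatch")
        elif tag == 0xA1:                               # [1] publicKey: BIT STRING holding the point
            bt, bits = _children(inner)[0]
            _need(bt == 0x03 and bits[:1] == b"\x00", "ECPrivateKey: publicKey BIT STRING malformed")
            Q = oct2point(bits[1:])
    return {"curve": "secp384r1", "d": d, "Q": Q}
```

`to_pem(build_pkcs8_ec_key(1, P384_G))` prints a key whose first line begins with the same `MIG2AgEAMBAGByqGSM49AgEGBSuBBAAiBIGeMIGbAgEBBD` prefix as the post's key, and `check_ec_private_key()` accepts it. To run the same checks on a real key, strip the PEM armour, base64-decode the body and pass the bytes to `check_ec_private_key()`; if this script accepts a key that the custom-built libcrypto rejects with "invalid encoding", the file is well-formed and the problem is in the build rather than in the key, whereas a rejection here points at the key material itself (form byte, length or a point that is not on the curve).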