Hi OpenSSL Developers,

Thank you for your advice.

I tried to use the latest source via ftp://ftp.openssl.org/snapshot/opens...0080312.tar.gz and followed the instructions to build fips openssl.

Below is what I get:
root@sshia1# pwd
/home/boqian/fips/openssl-0.9.8-fips-test-SNAP-20080312/apps
root@sshia1# ldd openssl
libssl.so.0.9.8 => /home/boqian/fips/openssl-0.9.8-fips-test-SNAP-20080312/libssl.so.0.9.8
libcrypto.so.0.9.8 => /home/boqian/fips/openssl-0.9.8-fips-test-SNAP-20080312/libcrypto.so.0.9.8
libdl.so.1 => /usr/lib/hpux32/libdl.so.1
libc.so.1 => /usr/lib/hpux32/libc.so.1
libcrypto.so.0.9.8 => /home/boqian/fips/openssl-0.9.8-fips-test-SNAP-20080312/libcrypto.so.0.9.8
libdl.so.1 => /usr/lib/hpux32/libdl.so.1
root@sshia1# ./openssl version
OpenSSL 0.9.8h-fips-dev xx XXX xxxx
root@sshia1# ./openssl ecparam -out eckey_secp112r1.pem -name secp112r1 -genkey
root@sshpa6# ./openssl ec -in eckey_secp112r1.pem -des3 -out key_out_secp112r1.pem -passout pass:pass
read EC key
unable to load Key
3859:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1294:
3859:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:830:
3859:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:748:Field=n, Type=RSA
3859:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:99:
3859:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:125:
root@sshia1# cat eckey_secp112r1.pem
-----BEGIN EC PARAMETERS-----
BgUrgQQABg==
-----END EC PARAMETERS-----
-----BEGIN RSA PRIVATE KEY-----
MD4CAQEEDr3zMZRjZsucD7xiGhqioAcGBSuBBAAGoSADHgAEK/bKhjxrqyPcKi3D
1H6BkcdBkiCx43oLyRyY9g==
-----END RSA PRIVATE KEY-----

It seems this bug has not been fixed.
In fact, after I modified crypto/pem/pem_all.c, the problem disappeared.
Original:
int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
                         unsigned char *kstr, int klen,
                         pem_password_cb *cb, void *u)
{
    if (FIPS_mode())
        return PEM_write_PKCS8PrivateKey(fp, x, enc,
                                         (char *)kstr, klen, cb, u);
    else
        return PEM_ASN1_write((i2d_of_void *)i2d_PrivateKey,
                              (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:PEM_STRING_RSA),
                              fp,(char *)x,enc,kstr,klen,cb,u);
}

Modification:
int PEM_write_PrivateKey(FILE *fp, EVP_PKEY *x, const EVP_CIPHER *enc,
                         unsigned char *kstr, int klen,
                         pem_password_cb *cb, void *u)
{
    if (FIPS_mode())
        return PEM_write_PKCS8PrivateKey(fp, x, enc,
                                         (char *)kstr, klen, cb, u);
    else
        return PEM_ASN1_write((i2d_of_void *)i2d_PrivateKey,
                              (((x)->type == EVP_PKEY_DSA)?PEM_STRING_DSA:((x)->type == EVP_PKEY_EC)?PEM_STRING_ECPRIVATEKEY:PEM_STRING_RSA),
                              fp,(char *)x,enc,kstr,klen,cb,u);
}

Hope it is helpful.
Thank you!



> Subject: [openssl.org #1649] openssl-fips-test-1.2.0 bug
> From: rt@openssl.org
> To: qianbohound@hotmail.com
> CC: openssl-dev@openssl.org
> Date: Sat, 8 Mar 2008 13:27:16 +0100
>
>> [qianbohound@hotmail.com - Fri Mar 07 09:30:15 2008]:
>>
>>
>> 2)
>> root@sshpa6# pwd
>> /home/boqian/fips/openssl-fips-0.9.8f-dev
>> root@sshpa6# ./Configure hpux-cc fipscanisterbuild
>>

>
> You should do:
>
> ./config fipscanisterbuild
>
>>
>> It shows the eckey_secp112r1.pem file's format may be wrong.
>> Is there any workaround? Could you investigate this problem?
>> Thank you and looking forward to your reply!
>>

>
> The 1.2 module has been submitted for validation and the code is now
> frozen. We can't modify that at this stage.
>
> However you can use the 1.2 test tarball to generate the FIPS module and
> then use a later version of OpenSSL 0.9.8-fips to produce the libraries.
> I suggest you see if your problem applies to that version too. If so
> we'll fix it.
>
> See the documentation for details about how to link 0.9.8-fips against
> the test FIPS module.
>
> Note that the EC implementation is not part of the FIPS modules so will
> not be an approved algorithm in FIPS mode.
>
> Well nothing has been validated yet as testing isn't complete...


__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
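
The label mismatch reported in this message, as an added example that is not part of the original post and is not OpenSSL code: a standard-library Python check that walks the DER body of each traditional PEM private key block and reports when the header label contradicts the structure. The sample is the eckey_secp112r1.pem content printed in the message; the function names are hypothetical.

```python
import base64
import re
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def read_tlv(der, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        count = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + count], "big"), pos + count
    if pos + length > len(der):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def expected_label(body):
    """Infer the traditional PEM label from the DER layout of a base64 body."""
    try:
        der, tags = base64.b64decode(body), []
        tag, pos, end = read_tlv(der, 0)
        while tag == 0x30 and pos < end:  # walk the outer SEQUENCE
            inner, _, pos = read_tlv(der, pos)
            tags.append(inner)
    except (ValueError, IndexError):  # bad base64 or malformed DER
        return None
    if tags[:2] == [0x02, 0x04]:  # version, then OCTET STRING: SEC1 ECPrivateKey
        return "EC PRIVATE KEY"
    if set(tags) == {0x02}:  # INTEGERs only: RSA has 9 fields, DSA has 6
        return {9: "RSA PRIVATE KEY", 6: "DSA PRIVATE KEY"}.get(len(tags))
    return None

def check_pem(text):
    """Return (label, expected) pairs where the header contradicts the body."""
    bad = []
    for label, body in PEM_BLOCK.findall(text):
        if not label.endswith("PRIVATE KEY") or ":" in body:
            continue  # not a key, or encrypted (Proc-Type/DEK-Info header lines)
        want = expected_label(body)
        if want and want != label:
            bad.append((label, want))
    return bad

# Key file as printed by "cat eckey_secp112r1.pem" in the message above.
SAMPLE = """-----BEGIN EC PARAMETERS-----
BgUrgQQABg==
-----END EC PARAMETERS-----
-----BEGIN RSA PRIVATE KEY-----
MD4CAQEEDr3zMZRjZsucD7xiGhqioAcGBSuBBAAGoSADHgAEK/bKhjxrqyPcKi3D
1H6BkcdBkiCx43oLyRyY9g==
-----END RSA PRIVATE KEY-----"""
print(check_pem(SAMPLE))  # [('RSA PRIVATE KEY', 'EC PRIVATE KEY')]
```

The second element of the body is an OCTET STRING where an RSA parser expects the INTEGER n, which is the "wrong tag ... Field=n, Type=RSA" failure in the error output above.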