> Is reading an RSA key in FIPS mode different from reading the RSA key in non-FIPS mode?

In FIPS mode, apart from certain exceptions, use of the MD5 digest algorithm is
forbidden. OpenSSL "traditional" encrypted private key format uses MD5 to
derive the symmetric algorithm key and has no option to change that.

This is a problem because functions such as PEM_write_PrivateKey() would use
that algorithm directly and would be unable to work in FIPS mode.

The more secure PKCS#8 format using PKCS#5 v2 can use FIPS approved algorithms
such as SHA1 for the key derivation. Functions such as PEM_read_PrivateKey()
can also handle this format transparently.

Instead of making up another non-standard private key format for FIPS mode it
was decided to switch to PKCS#8 mode using SHA1 when functions such as
PEM_write_PrivateKey() are used. This means that existing applications can use
PEM_write_PrivateKey() in FIPS mode without modification, provided they use an
approved FIPS symmetric algorithm such as 3DES or AES.
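
To audit which stored keys are in the MD5-dependent traditional format described in the reply above, the PEM framing is enough: traditional encrypted keys carry `Proc-Type: 4,ENCRYPTED` and `DEK-Info:` headers, while PKCS#8 uses the `ENCRYPTED PRIVATE KEY` label. The classifier below is an added example, not part of the original message or of OpenSSL; `classify_pem_key`, the enum names and the sample key are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum pem_key_kind {
    PEM_KEY_UNKNOWN,
    PEM_KEY_TRADITIONAL_PLAIN,     /* "BEGIN RSA PRIVATE KEY", no headers */
    PEM_KEY_TRADITIONAL_ENCRYPTED, /* same label plus Proc-Type/DEK-Info: MD5-derived key */
    PEM_KEY_PKCS8_PLAIN,           /* "BEGIN PRIVATE KEY" */
    PEM_KEY_PKCS8_ENCRYPTED        /* "BEGIN ENCRYPTED PRIVATE KEY": PKCS#5 parameters */
};

/* Classify a PEM private key by its framing only; nothing is decrypted. */
enum pem_key_kind classify_pem_key(const char *pem)
{
    static const char *const algs[] = { "RSA", "DSA", "EC" };
    char label[48];

    if (strstr(pem, "-----BEGIN ENCRYPTED PRIVATE KEY-----"))
        return PEM_KEY_PKCS8_ENCRYPTED;
    if (strstr(pem, "-----BEGIN PRIVATE KEY-----"))
        return PEM_KEY_PKCS8_PLAIN;
    for (size_t i = 0; i < sizeof algs / sizeof algs[0]; i++) {
        snprintf(label, sizeof label, "-----BEGIN %s PRIVATE KEY-----", algs[i]);
        const char *begin = strstr(pem, label);
        if (!begin)
            continue;
        /* The encryption headers must sit inside this PEM block, not a later one. */
        const char *end = strstr(begin, "-----END ");
        const char *proc = strstr(begin, "Proc-Type: 4,ENCRYPTED");
        const char *dek = strstr(begin, "DEK-Info:");
        if (proc && dek && (!end || (proc < end && dek < end)))
            return PEM_KEY_TRADITIONAL_ENCRYPTED;
        return PEM_KEY_TRADITIONAL_PLAIN;
    }
    return PEM_KEY_UNKNOWN;
}

/* Constructed sample: the IV and body are placeholders, not a real key. */
static const char SAMPLE_TRADITIONAL[] =
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nAAAA\n"
    "-----END RSA PRIVATE KEY-----\n";

int main(void)
{
    printf("%d\n", classify_pem_key(SAMPLE_TRADITIONAL) == PEM_KEY_TRADITIONAL_ENCRYPTED);
    return 0;
}
```

When a file holds several keys, only the first recognised block is classified.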