cannot password protect key file in FIPS mode


Sial Nije
Greetings,

I need help to generate an ECDSA key file that is passphrase protected and the key file is used in FIPS mode. My application is StrongSwan linked with FIPS enabled libcrypto.so, version 1.0.1c.
Seems FIPS capable openssl executable uses hard coded md5 hash on the passphrase.
There is no md5 in FIPS. So the IPSec IKE establishment fails silently. The log just states it cannot find private key for the subject name.
If I generate the key in non-FIPS mode and run the IPSec app in non-FIPS mode then IPSec tunnel establishes successfully.

I built openssl-fips-2.0.2 with following:
> ./config
> make
> make install

Then openssl-1.0.1c with following:
> ./config fips
> make
> make install
> mv /usr/bin/openssl /usr/bin/openssl.old
> ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

Then the following commands to generate a password protected key file:
> export OPENSSL_FIPS=1
> openssl ecparam -genkey -name prime256v1 -out tempkey.pem
> openssl ec -aes128 -in tempkey.pem -out myprivkey.pem -passout pass:testing123

No error at this point but the output myprivkey.pem cannot be read by other openssl executables, whether in FIPS mode or outside FIPS mode.

To read back the key file:
> openssl ec -in myprivkey.pem -text -passin pass:testing123

Got error:
Digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:

(Tried RSA key encryption for comparison, same error. But I really need to use ECDSA.)

Then I re-built openssl with "./config -d fips" and stepped through the "ec -aes128 ..." command.
Traced into crypto/pem/pem_lib.c where it calls EVP_BytesToKey() passing EVP_md5() as the hasher.
There is another EVP_md5() call in pem_lib.c when doing the decrypt. If I replace these 2 with EVP_sha1() when in FIPS mode, then openssl ec can encrypt key file and read it back.
But my IPSec application still cannot use the password protected key in FIPS mode.

Anyone use password protected key file in FIPS mode and how do you do it?
Thanks for help.

Sialnije




Re: cannot password protect key file in FIPS mode

Dr. Stephen Henson
On Mon, Dec 31, 2012, Sial Nije wrote:

> Greetings,
>
> I need help to generate an ECDSA key file that is passphrase protected and
> the key file is used in FIPS mode. My application is StrongSwan linked with
> FIPS enabled libcrypto.so, version 1.0.1c.
> Seems FIPS capable openssl executable uses hard coded md5 hash on the
> passphrase.
> There is no md5 in FIPS. So the IPSec IKE establishment fails silently. The
> log just states it cannot find private key for the subject name.
> If I generate the key in non-FIPS mode and run the IPSec app in non-FIPS
> mode then IPSec tunnel establishes successfully.
>

Ugh, that's a bug. OpenSSL should switch to PKCS#8 format in FIPS mode and
just work. It does that in OpenSSL 0.9.8 but the relevant code didn't make
it into the FIPS capable 1.0.1 and later.

I'll look into fixing it.

Workaround for now is to convert to PKCS#8 format manually (as mentioned in
other replies).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

RE: cannot password protect key file in FIPS mode

Dave Thompson-5
> From: [hidden email] On Behalf Of Dr. Stephen Henson
> Sent: Wednesday, 02 January, 2013 11:13

> On Mon, Dec 31, 2012, Sial Nije wrote:
>
<snip: ECDSA created with ecparam -genkey and encrypted with ec -aes128
used old EVP_BytesToKey PBKDF1-mostly/md5 even in FIPS mode
which fails to read it back because md5 is unapproved>
>
> Ugh, that's a bug. OpenSSL should switch to PKCS#8 format in FIPS mode and
> just work. It does that in OpenSSL 0.9.8 but the relevant code didn't make
> it into the FIPS capable 1.0.1 and later.
>
> I'll look into fixing it.
>
> Workaround for now is to convert to PKCS#8 format manually (as mentioned in
> other replies).
>
Or use 'pkey' to encrypt, or 'genpkey' to generate encrypted
to start with; both always use PKCS8 with PBKDF2/sha1.

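
Added example (not part of the original thread and not OpenSSL's own code): a shell check that tells the two PEM key formats discussed above apart by their headers, so key files a FIPS-mode reader will reject can be found before deployment. The function names, the KEYPASS variable and the header-only sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify a PEM private key file by its container format.
#   legacy-encrypted: "Proc-Type: 4,ENCRYPTED" header; the passphrase goes
#                     through EVP_BytesToKey with MD5 (pem_lib.c, per the thread)
#   pkcs8-encrypted : "ENCRYPTED PRIVATE KEY"; the KDF is named inside the ASN.1
#                     (inspect it with `openssl asn1parse -in FILE`)
pem_key_format() {
    if grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8-plain
    elif grep -q '^-----BEGIN [A-Z]* PRIVATE KEY-----' "$1"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo legacy-encrypted
        else
            echo legacy-plain
        fi
    else
        echo unknown
    fi
}

# List the files a FIPS-mode reader cannot decrypt (MD5-derived key).
fips_unreadable_keys() {
    for f in "$@"; do
        if [ "$(pem_key_format "$f")" = legacy-encrypted ]; then echo "$f"; fi
    done
}

# Workaround from the thread: write PKCS#8 from the unencrypted key.
# -v2 selects PBES2/PBKDF2; the passphrase is read from $KEYPASS. Not run here.
to_pkcs8() {
    openssl pkcs8 -topk8 -v2 aes-128-cbc -in "$1" -out "$2" -passout env:KEYPASS
}

# Constructed header-only samples (no key material) written into directory $1.
make_samples() {
    printf '%s\n' '-----BEGIN EC PARAMETERS-----' 'PLACEHOLDER' \
        '-----END EC PARAMETERS-----' '-----BEGIN EC PRIVATE KEY-----' \
        'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-128-CBC,<constructed-iv>' '' \
        'PLACEHOLDER' '-----END EC PRIVATE KEY-----' > "$1/legacy-enc.pem"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END EC PRIVATE KEY-----' > "$1/legacy-plain.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/pkcs8-enc.pem"
}
```

A file reported as pkcs8-encrypted can still use an MD5-based PBE if it was written by `openssl pkcs8 -topk8` without `-v2` on OpenSSL 1.0.x, so confirm the KDF with `asn1parse` before relying on it in FIPS mode.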