openssl fips patch for RSA Key Gen (186-4)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

openssl fips patch for RSA Key Gen (186-4)

y vasavi

Hi All,

We currently FOM 2.0 module for FIPS certification.
It doesn't have support for RSA Key generation(186-4)

Are there any patches available ?

Thanks,
Vasavi.
Reply | Threaded
Open this post in threaded view
|

Re: openssl fips patch for RSA Key Gen (186-4)

Matt Caswell-2


On 05/01/2021 11:41, y vasavi wrote:
>
> Hi All,
>
> We currently FOM 2.0 module for FIPS certification.
> It doesn't have support for RSA Key generation(186-4)
>
> Are there any patches available ?

Definitely there are no official ones (I'm also not aware of any
unofficial ones).

The 3.0 module which will be part of OpenSSL 3.0 when it is released
supports 186-4 RSA Key gen.

Matt



>
> Thanks,
> Vasavi.
Reply | Threaded
Open this post in threaded view
|

Re: openssl fips patch for RSA Key Gen (186-4)

Marcus Meissner
On Tue, Jan 05, 2021 at 04:34:36PM +0000, Matt Caswell wrote:

>
>
> On 05/01/2021 11:41, y vasavi wrote:
> >
> > Hi All,
> >
> > We currently FOM 2.0 module for FIPS certification.
> > It doesn't have support for RSA Key generation(186-4)
> >
> > Are there any patches available ?
>
> Definitely there are no official ones (I'm also not aware of any
> unofficial ones).

In some vendor FIPS patch sets (e.g. Redhat or SUSE) there are RSA Key
generation methods meeting FIPS 186-4, for 1.0 and 1.1 based openssls.
 
Ciao, Marcus
Reply | Threaded
Open this post in threaded view
|

RE: openssl fips patch for RSA Key Gen (186-4)

Michael Wojcik
In reply to this post by Matt Caswell-2
> From: openssl-users <[hidden email]> On Behalf Of Matt
> Caswell
> Sent: Tuesday, 5 January, 2021 09:35
>
> On 05/01/2021 11:41, y vasavi wrote:
> >
> > We currently FOM 2.0 module for FIPS certification.
> > It doesn't have support for RSA Key generation(186-4)
> >
> > Are there any patches available ?
>
> Definitely there are no official ones (I'm also not aware of any
> unofficial ones).

And such a patched module would no longer be FIPS 140 validated.

I know of at least one commercial, proprietary fork of the OpenSSL FOM 2.0 with 186-4 support. It has its own validations, obtained by the vendor. It's part of a commercial software package and not available for use by other software.

If memory serves, SUSE also implemented 186-4 when they ported the FOM 2.0 to OpenSSL 1.1.1. SUSE open-sourced their changes - you can find the diffs on one of the SUSE sites - but again, they had to get a new validation. It applies only to their module when used on SLES. (Red Hat similarly did their own ports and got their own validations for RHEL. I don't know whether they published their changes.)

So it's possible, but as usual with FIPS 140, you have the time and expense of validation. That's even more complicated now than it has been in past years, thanks in part to the transition from FIPS 140-2 to 140-3. I've heard from people with contacts in the CMVP that "the queue is full" for the year, and anyone not already in line will be waiting even longer than usual for a validation.

--
Michael Wojcik