On Tue, Sep 22, 2009, Pankaj Aggarwal wrote:

> Hi,
>
> My code is using the FIPS capable openssl (0.9.8j) in FIPS Mode.
>
> X509_get_pub_key function is used to retrieve the public key from a signing
> certificate.
>
> pubKey = X509_get_pubkey(x509Cert);
>
> The returned pubKey has the FIPS ALLOW Flag set :
>
> if((pubKey->pkey.rsa)->flags & RSA_FLAG_NON_FIPS_ALLOW)
> {
>     printf("This is true\n");
> }
>
> Is openSSL explicitly setting this flag somewhere in code?
>
> Subsequent call to RSA_verify succeeds because of setting of this flag. Is
> this intended behaviour?
>
No, this is a bug. Will be fixed in the next version. Please try the next
snapshot or apply this patch:

http://cvs.openssl.org/chngview?cn=18625

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org