Ok !!
Stephen, Could you tell me which RSA Sign Verfiy functions are available in
fips mode. The FIPS 140-2 Annexure A states that RSASSA-PKCS1-v1_5 and
RSASSA-PSS contained within PKCS#1 v2.1 can be used for sign/verify. What
are the corresponding OpenSSL function which should be used?
Pankaj
On Tue, Sep 22, 2009 at 5:00 PM, Dr. Stephen Henson <st...@openssl.org>wrote:
> On Tue, Sep 22, 2009, Pankaj Aggarwal wrote:
>
> > Hi,
> >
> > My code is using the FIPS capable openssl (0.9.8j) in FIPS Mode.
> >
> > X509_get_pub_key function is used to retrieve the public key from a
> signing
> > certificate.
> >
> >
> > pubKey = X509_get_pubkey(x509Cert);
> >
> > The returned pubKey has the FIPS ALLOW Flag set :
> >
> > if((pubKey->pkey.rsa)->flags & RSA_FLAG_NON_FIPS_ALLOW)
> >
> > {
> >
> > printf("This is true\n");
> >
> > }
> >
> > Is openSSL explicity setting this flag somewhere in code?
> >
> > Subsequent call to RSA_verify succeeds because of setting of this flag.
> Is
> > this intended behaviour?
> >
>
> No this is a bug. Will be fixed in the next version. Please try the next
> snapshot or apply this patch:
>
> http://cvs.openssl.org/chngview?cn=18625
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
