Sorry, accidentally hit send. The oddity is (as I mentioned before) that comparable certificates with larger keys using the same signing algorithm pass verification. E.g. this one is passing:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=www.casofti.com, ST=BC, C=CA/emailAddress=dniko...@casofti.com, O=Teradici CA
        Validity
            Not Before: Jun 15 16:45:07 2012 GMT
            Not After : Sep 21 16:45:06 2020 GMT
        Subject: CN=pcoip_test_2048.com, ST=BC, C=CA, O=pcoip_test_2048
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b3:30:6d:1a:5f:54:cd:f3:6a:12:da:36:0e:ee:
                    ef:0d:62:0f:8e:0b:94:75:2c:cf:f8:cc:46:d6:88:
                    f7:a2:7c:8d:8f:63:25:b0:c5:8c:c9:77:ce:63:64:
                    df:af:7d:5f:0c:fc:c1:a1:e6:86:47:08:04:08:2e:
                    29:02:25:81:fe:16:1c:4f:f3:92:b7:27:ff:17:94:
                    dd:00:1e:6f:9a:ac:f6:d3:98:26:d3:80:03:8a:cd:
                    18:d1:e1:f1:3e:6a:ef:cc:59:f1:71:b9:86:98:5e:
                    33:41:b5:4d:19:1d:e2:db:ae:a2:dd:e3:ed:31:f1:
                    7b:3f:6f:85:13:ee:61:68:cf:84:bc:a5:aa:19:d8:
                    15:9b:47:02:c7:70:ef:db:b2:68:0d:d3:48:79:a1:
                    6e:07:20:38:96:03:1e:f1:42:4a:89:60:42:e4:11:
                    2f:b2:44:9a:84:40:bd:34:cd:ca:e6:ca:ca:eb:1f:
                    ff:1d:31:be:09:94:2c:85:af:32:94:bf:e9:74:42:
                    c4:39:a4:50:18:e2:73:ec:0b:db:c1:bc:b7:e4:37:
                    5d:56:88:0d:83:88:e7:46:50:ea:36:78:00:80:40:
                    99:3f:d5:80:f5:7a:b1:ca:cb:b6:22:c6:a5:e3:42:
                    91:5a:5f:ab:09:d4:f5:29:32:bd:97:88:99:52:4d:
                    dd:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption

N.
---
Nou Dadoun
ndad...@teradici.com
604-628-1215

-----Original Message-----
From: Nou Dadoun
Sent: June 18, 2012 11:06 AM
To: 'openssl-users@openssl.org'
Subject: RE: FIPS doesn't verify certificate with 1024-bit keys

Here's the certificate which is failing:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=www.casofti.com, ST=BC, C=CA/emailAddress=dniko...@casofti.com, O=Teradici CA
        Validity
            Not Before: Mar 20 23:12:14 2012 GMT
            Not After : Mar 20 23:12:14 2013 GMT
        Subject: CN=www.terasofti.com, ST=BC, C=CA, O=tera_test_1024
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a8:35:18:8f:a2:4f:79:99:70:57:37:bf:f7:f6:
                    ee:d8:6f:3b:fe:1b:c1:da:be:55:a0:f9:c4:d4:39:
                    a4:99:dd:b3:9f:d4:bd:0a:3a:50:7d:ad:f2:b6:29:
                    22:b3:3f:1e:c1:45:da:49:8b:43:fd:62:9a:94:c9:
                    bd:f5:54:96:c8:a1:d1:f8:0d:b7:a6:7d:54:00:72:
                    10:59:13:7c:b1:4f:93:d7:75:76:23:ea:14:8b:f8:
                    f5:59:c8:6a:f4:b7:f6:cd:0f:8e:f9:f5:65:d4:91:
                    af:48:87:3f:fa:da:c0:94:0a:57:5d:7e:fe:32:f8:
                    70:e4:c8:9f:3d:44:c2:ef:bd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption

Is it failing because of the (unapproved) md5 signature algorithm?

...

N

---
Nou Dadoun
ndad...@teradici.com
604-628-1215

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: June 18, 2012 10:45 AM
To: openssl-users@openssl.org
Subject: Re: FIPS doesn't verify certificate with 1024-bit keys

On Mon, Jun 18, 2012, Nou Dadoun wrote:
>
> Why is it failing with the fips library and passing with the non-fips library
> - does it have anything to do with the 1024 bit key? (i.e. 2048 and 4096-key
> certs both work, and the ca cert has a 2048-bit key)
>

Do you get an additional error from ERR_print_errors_fp(stderr)?

Is the key size 1024 bits exactly or 1023?

What digest algorithm is used?
Is it FIPS approved SHA1 or SHA2 or an unapproved algorithm like MD5?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
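As an added example (not code from the thread, from OpenSSL, or from the poster), the script below parses `openssl x509 -noout -text` dumps like the ones quoted above and reports exactly what Steve's questions ask for: the signature digest, and the modulus bit length recomputed from the hex bytes, so "1024 exactly or 1023?" is settled by arithmetic rather than by the "(1024 bit)" header. The policy it applies (MD2/MD4/MD5 not approved for signatures; RSA below 1024 bits rejected; 1024 to 2047 bits flagged as legacy verification-only) is an assumption of this example, not a statement from the thread or OpenSSL's documentation. The first sample is the failing certificate from the thread with its full modulus; the second, SHA-256 sample is constructed and hypothetical.

```python
"""Predict whether FIPS-mode OpenSSL will verify a certificate signature,
working from the text that `openssl x509 -noout -text` prints.

Assumed policy (an assumption of this example, not from the thread or the
OpenSSL docs): MD2/MD4/MD5 are not approved signature digests, RSA below
1024 bits is rejected, 1024..2047-bit RSA is legacy (verification only).
"""
import re
import sys

# Constructed sample: the failing certificate from the thread in OpenSSL 1.0
# layout (Issuer/Validity/extension lines omitted), modulus kept in full so
# the real bit length can be recomputed instead of trusted from the header.
FAILING_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Subject: CN=www.terasofti.com, ST=BC, C=CA, O=tera_test_1024
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a8:35:18:8f:a2:4f:79:99:70:57:37:bf:f7:f6:
                    ee:d8:6f:3b:fe:1b:c1:da:be:55:a0:f9:c4:d4:39:
                    a4:99:dd:b3:9f:d4:bd:0a:3a:50:7d:ad:f2:b6:29:
                    22:b3:3f:1e:c1:45:da:49:8b:43:fd:62:9a:94:c9:
                    bd:f5:54:96:c8:a1:d1:f8:0d:b7:a6:7d:54:00:72:
                    10:59:13:7c:b1:4f:93:d7:75:76:23:ea:14:8b:f8:
                    f5:59:c8:6a:f4:b7:f6:cd:0f:8e:f9:f5:65:d4:91:
                    af:48:87:3f:fa:da:c0:94:0a:57:5d:7e:fe:32:f8:
                    70:e4:c8:9f:3d:44:c2:ef:bd
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
"""

# Hypothetical second sample (not from the thread): SHA-256 signature,
# 2048-bit key, OpenSSL 1.1+ "Public-Key:" wording, modulus omitted.
PASSING_CERT_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN=example.test, O=Example
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
"""

UNAPPROVED_DIGESTS = ("md2", "md4", "md5")
HEX_LINE = re.compile(r"^\s*((?:[0-9a-f]{2}:)*[0-9a-f]{2}):?\s*$")


def parse_x509_text(text):
    """Extract signature algorithm, key algorithm and key size from the dump.
    `declared_bits` is the header's claim; `actual_bits` is recomputed from
    the modulus bytes when present (None when the dump has no modulus)."""
    sig = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.M)
    key_alg = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    declared = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", text)

    modulus, in_modulus = bytearray(), False
    for line in text.splitlines():
        if re.match(r"\s*Modulus", line):      # "Modulus (1024 bit):" header
            in_modulus = True
            continue
        if in_modulus:
            m = HEX_LINE.match(line)
            if m is None:                      # "Exponent:" ends the hex block
                in_modulus = False
                continue
            modulus.extend(int(h, 16) for h in m.group(1).split(":"))

    actual = int.from_bytes(modulus, "big").bit_length() if modulus else None
    return {"sig_alg": sig.group(1) if sig else None,
            "key_alg": key_alg.group(1) if key_alg else None,
            "declared_bits": int(declared.group(1)) if declared else None,
            "actual_bits": actual}


def fips_signature_check(text):
    """Apply the assumed policy; returns {"accepted", "errors", "warnings"}."""
    info = parse_x509_text(text)
    errors, warnings = [], []
    # "md5WithRSAEncryption" -> "md5"; covers the RSA-with-digest names only.
    digest = (info["sig_alg"] or "").lower().split("with")[0]
    if digest in UNAPPROVED_DIGESTS:
        errors.append("signature digest %s is not FIPS approved" % digest)
    bits = info["actual_bits"] or info["declared_bits"]
    if info["key_alg"] == "rsaEncryption" and bits is not None:
        if bits < 1024:
            errors.append("RSA modulus is %d bits, below the 1024-bit floor" % bits)
        elif bits < 2048:
            warnings.append("%d-bit RSA is legacy use: verification only" % bits)
    if info["actual_bits"] and info["declared_bits"] not in (None, info["actual_bits"]):
        warnings.append("header says %d bits, modulus has %d"
                        % (info["declared_bits"], info["actual_bits"]))
    return {"accepted": not errors, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Pipe `openssl x509 -in cert.pem -noout -text` in, or run the samples.
    if not sys.stdin.isatty():
        print(fips_signature_check(sys.stdin.read()))
    else:
        for text in (FAILING_CERT_TEXT, PASSING_CERT_TEXT):
            print(parse_x509_text(text), fips_signature_check(text))
```

On the thread's failing certificate this reports a 1024-bit modulus exactly (leading 0x00 pad byte, then 0xa8 with the top bit set) and rejects it on the MD5 digest, with the key size only a legacy warning; that matches Steve's suspicion that the digest, not the key size, is the first thing to rule out.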