Thanks All.
Conclusion: RSA_public_decrypt/encrypt is not supported in FIPS mode. For
making FIPS compliance I have to replace signing algorithm with
EVP_sign*() and verification by EVP_verify*()
Thanks,
Gayathri
On Thu, Nov 13, 2014 at 9:19 PM, Dr. Stephen Henson
wrote:
> On Thu, Nov 13, 2
On Thu, Nov 13, 2014, Gayathri Manoj wrote:
> Hi Stephen,
>
> I am extracting raw digest by using then below command.
>
> /* decrypt the content using the RSA pub key */
> elen = RSA_public_decrypt(sLen, sData, ebuf, rsaKey, RSA_PKCS1_PADDING);
>
> /* comuptes SHA1 hash*/
> SHA1_Init(&ctx);
>
> I am extracting raw digest by using then below command.
>
> /* decrypt the content using the RSA pub key */
> elen = RSA_public_decrypt(sLen, sData, ebuf, rsaKey, RSA_PKCS1_PADDING);
>
> /* comuptes SHA1 hash*/
> SHA1_Init(&ctx);
> SHA1_Update(&ctx, dataBlk, dataLen);
> SHA1_Final(hash, &ctx);
oj wrote:
>
> > Hi Steve,
> >
> > Conclusion of previous thread : For making FIPS compliance we have to
> > replace RSA_public_decrypt() with EVP_verify*() APIs. It requires hash
> of
> > the the entire message and not the hash of the 'signed message'
On Wed, Nov 12, 2014, Gayathri Manoj wrote:
> Hi Steve,
>
> Conclusion of previous thread : For making FIPS compliance we have to
> replace RSA_public_decrypt() with EVP_verify*() APIs. It requires hash of
> the the entire message and not the hash of the 'signed message&#
Hi Steve,
Conclusion of previous thread : For making FIPS compliance we have to
replace RSA_public_decrypt() with EVP_verify*() APIs. It requires hash of
the the entire message and not the hash of the 'signed message'.
Currently I am getting only hash of the signed message from my p
On Thu, Oct 30, 2014, Gayathri Manoj wrote:
> Hi Matt,
>
> Currently I am getting the signed hash message from some other entity. So i
> can't make changes for the signing part.
> My current implementation is phone will send the signed hash message and
> our application will decrypt the signed me
Hi Matt,
Currently I am getting the signed hash message from some other entity. So i
can't make changes for the signing part.
My current implementation is phone will send the signed hash message and
our application will decrypt the signed message by using
RSA_public_decrypt() and then we compare t
Hi Matt,
Sorry for the inconvenience caused by you through my mail.
1. In RSA_public_decrypt(), the below line is added in latest version of
the openssl. I have used the same in 0.9.8l
#ifdef OPENSSL_FIPS
if(FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
{
On 29/10/14 09:03, Gayathri Manoj wrote:
> Hi Matt,
>
> Thanks Matt.
>
> Please let me know RSA_public_decypt() is FIPS complaint in later
> version (openssl 1.0.x).
>
> Currently I am using RSA_public_decypt() in openssl-0.9.8l and not found
> any issues in FIPS mode. To address some of the C
Hi Matt,
Thanks Matt.
Please let me know RSA_public_decypt() is FIPS complaint in later version
(openssl 1.0.x).
Currently I am using RSA_public_decypt() in openssl-0.9.8l and not found
any issues in FIPS mode. To address some of the CVE, I have upgraded
openssl - from 0.9.8l to openssl-0.9.8ZA
On 28 October 2014 05:58, Gayathri Manoj wrote:
> Hi All,
>
> I am using openssl-0.9.9za and I came to know EVP_PKEY_CTX is available
> from 1.0.0.
> Please let me know which API i can use in FIPS context instead of
> RSA_public_decrypt().
Well FIPS puts a different light on your question. From
Hi All,
I am using openssl-0.9.9za and I came to know EVP_PKEY_CTX is available
from 1.0.0.
Please let me know which API i can use in FIPS context instead of
RSA_public_decrypt().
Thanks,
Gayathri
On Tue, Oct 28, 2014 at 10:45 AM, Gayathri Manoj
wrote:
> Hi All,
>
> Thank you all for your de
Hi All,
Thank you all for your detailed update. Now I understood my mistake. I
haven't copied the original message in dBuffer while calling
EVP_VerifyUpdate(). Actually my aim is to make my system FIPs complaint.
RSA_public_decrypt() is not FIPS complaint. hence I tried to replace this
with EVP_Ve
> On Oct 27, 2014, at 4:33 AM, Gayathri Manoj wrote:
>
> Hi All,
>
> How can I replace RSA_public_decrypt() with EVP_Verify*().
>
> I wanted to replace the below api with EVP_verify*()
>
> RSA_public_decrypt(Len, SgnData, dBuffer, rsa_pub_key, RSA_PKCS1_PADDING);
>
You’d need to share mor
On 27/10/14 08:33, Gayathri Manoj wrote:
> Hi All,
>
> How can I replace RSA_public_decrypt() with EVP_Verify*().
These two functions do not do the same thing. A simple one for one
replacement is not possible.
RSA_public_decrypt just decrypts a ciphertext encrypted with a private
RSA key. It c
On 27 October 2014 14:03, Gayathri Manoj wrote:
> Hi All,
>
> How can I replace RSA_public_decrypt() with EVP_Verify*().
>
> I wanted to replace the below api with EVP_verify*()
>
> RSA_public_decrypt(Len, SgnData, dBuffer, rsa_pub_key, RSA_PKCS1_PADDING);
>
> I have tried with
>
> EVP_MD_CTX
Hi All,
How can I replace RSA_public_decrypt() with EVP_Verify*().
I wanted to replace the below api with EVP_verify*()
RSA_public_decrypt(Len, SgnData, dBuffer, rsa_pub_key, RSA_PKCS1_PADDING);
I have tried with
EVP_MD_CTX md_ctx;
unsigned char *decryptBuffer = NULL;
EVP_PKEY *pubKey =
18 matches
Mail list logo
