In FIPS mode use PKCS#8 format when writing private keys:
authorDr. Stephen Henson <steve@openssl.org>
Mon, 7 Jan 2013 16:14:15 +0000 (16:14 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Mon, 7 Jan 2013 16:16:43 +0000 (16:16 +0000)
traditional format uses MD5 which is prohibited in FIPS mode.

crypto/pem/pem_all.c

index 5c8c6f415829be8f5ca3fdb82fb515986056b541..e18f6aed3d5dccef7129174e79db3d3f5662bbd0 100644 (file)
@@ -193,7 +193,61 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
 
 #endif
 
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+       if (FIPS_mode())
+               {
+               EVP_PKEY *k;
+               int ret;
+               k = EVP_PKEY_new();
+               if (!k)
+                       return 0;
+               EVP_PKEY_set1_RSA(k, x);
+
+               ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+               EVP_PKEY_free(k);
+               return ret;
+               }
+       else
+               return PEM_ASN1_write_bio((i2d_of_void *)i2d_RSAPrivateKey,
+                                       PEM_STRING_RSA,bp,x,enc,kstr,klen,cb,u);
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+       if (FIPS_mode())
+               {
+               EVP_PKEY *k;
+               int ret;
+               k = EVP_PKEY_new();
+               if (!k)
+                       return 0;
+
+               EVP_PKEY_set1_RSA(k, x);
+
+               ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+               EVP_PKEY_free(k);
+               return ret;
+               }
+       else
+               return PEM_ASN1_write((i2d_of_void *)i2d_RSAPrivateKey,
+                                       PEM_STRING_RSA,fp,x,enc,kstr,klen,cb,u);
+}
+#endif
+
+#else
+
 IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+
+#endif
+
 IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
 IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
 
@@ -223,7 +277,59 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
        return pkey_get_dsa(pktmp, dsa);        /* will free pktmp */
 }
 
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+       if (FIPS_mode())
+               {
+               EVP_PKEY *k;
+               int ret;
+               k = EVP_PKEY_new();
+               if (!k)
+                       return 0;
+               EVP_PKEY_set1_DSA(k, x);
+
+               ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+               EVP_PKEY_free(k);
+               return ret;
+               }
+       else
+               return PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPrivateKey,
+                                       PEM_STRING_DSA,bp,x,enc,kstr,klen,cb,u);
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+       if (FIPS_mode())
+               {
+               EVP_PKEY *k;
+               int ret;
+               k = EVP_PKEY_new();
+               if (!k)
+                       return 0;
+               EVP_PKEY_set1_DSA(k, x);
+               ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+               EVP_PKEY_free(k);
+               return ret;
+               }
+       else
+               return PEM_ASN1_write((i2d_of_void *)i2d_DSAPrivateKey,
+                                       PEM_STRING_DSA,fp,x,enc,kstr,klen,cb,u);
+}
+#endif
+
+#else
+
 IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+
+#endif
+
 IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
 
 #ifndef OPENSSL_NO_FP_API
@@ -269,8 +375,63 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *bp, EC_KEY **key, pem_password_cb *cb,
 
 IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters)
 
+
+
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+       if (FIPS_mode())
+               {
+               EVP_PKEY *k;
+               int ret;
+               k = EVP_PKEY_new();
+               if (!k)
+                       return 0;
+               EVP_PKEY_set1_EC_KEY(k, x);
+
+               ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+               EVP_PKEY_free(k);
+               return ret;
+               }
+       else
+               return PEM_ASN1_write_bio((i2d_of_void *)i2d_ECPrivateKey,
+                                               PEM_STRING_ECPRIVATEKEY,
+                                               bp,x,enc,kstr,klen,cb,u);
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
+                                               unsigned char *kstr, int klen,
+                                               pem_password_cb *cb, void *u)
+{
+       if (FIPS_mode())
+               {
+               EVP_PKEY *k;
+               int ret;
+               k = EVP_PKEY_new();
+               if (!k)
+                       return 0;
+               EVP_PKEY_set1_EC_KEY(k, x);
+               ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+               EVP_PKEY_free(k);
+               return ret;
+               }
+       else
+               return PEM_ASN1_write((i2d_of_void *)i2d_ECPrivateKey,
+                                               PEM_STRING_ECPRIVATEKEY,
+                                               fp,x,enc,kstr,klen,cb,u);
+}
+#endif
+
+#else
+
 IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
 
+#endif
+
 IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
 
 #ifndef OPENSSL_NO_FP_API