List: openssl-users
Subject: FIPS-140 approved curves?
From: Jordan Brown <openssl () jordan ! maileater ! net>
Date: 2023-11-04 2:05:53
Message-ID: 0101018b98145c09-ec7b99d1-deb5-4434-adc9-69e8f692771b-000000 () us-west-2 ! amazonses ! com
EC_get_builtin_curves() will give you a list of supported curves.
However, in a FIPS-140 installation, EVP_EC_gen() appears to reject most
of them. (Oddly, saying "unknown group".)

And even for the 15 that EVP_EC_gen() accepts, several (B-163, K-163,
P-192) can't be used for signing certificates and requests. (Says
"Curve X-yyy cannot be used for signing".)

Is there an easy way to get a list of FIPS-140 approved curves that can
be used for signing certificates and requests, or do you have to try
each one and see if it works?

OpenSSL 3.0.10.
--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
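
The try-each-curve approach the message describes, done with the openssl command line, as an added example that is not part of the original post or of OpenSSL's own code. It assumes the fips and base providers are activated in openssl.cnf; the `fips=yes` property query default, the function names and the subject `probe.example` are choices made for this example.

```shell
#!/bin/sh
# Added example: probe which built-in EC curves survive key generation and
# CSR signing under a FIPS property query. Assumes the fips and base
# providers are activated in openssl.cnf.
PROPQ="${PROPQ:-fips=yes}"    # restrict algorithm fetches to FIPS implementations

# Read `openssl ecparam -list_curves` output on stdin, print one name per line.
# Lines look like "  secp384r1 : NIST/SECG curve over a 384 bit prime field";
# wrapped description lines carry no "name:" prefix and are dropped.
curve_names() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_-]\{1,\}\)[[:space:]]*:.*$/\1/p'
}

# Print "NAME keygen-failed", "NAME req-failed" or "NAME ok" for one curve.
probe_curve() {
    name=$1
    tmp=$(mktemp -d) || return 1
    if ! openssl genpkey -propquery "$PROPQ" -algorithm EC \
            -pkeyopt "ec_paramgen_curve:$name" -out "$tmp/key.pem" 2>/dev/null
    then
        result=keygen-failed      # rejected at key generation
    elif ! openssl req -new -propquery "$PROPQ" -key "$tmp/key.pem" \
            -subj "/CN=probe.example" -out "$tmp/req.pem" 2>/dev/null
    then
        result=req-failed         # key exists but the request could not be signed
    else
        result=ok
    fi
    rm -rf "$tmp"
    echo "$name $result"
}

# Probe every curve the build lists, one result line per curve.
probe_all() {
    openssl ecparam -list_curves | curve_names | while read -r c; do
        probe_curve "$c"
    done
}

# Probe only when asked, e.g.: sh probe_curves.sh probe
if [ "${1:-}" = "probe" ]; then probe_all; fi
```

Drop the `2>/dev/null` redirections to see the provider's own error text for each rejected curve.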