
List:       openssl-users
Subject:    FIPS-140 approved curves?
From:       Jordan Brown <openssl () jordan ! maileater ! net>
Date:       2023-11-04 2:05:53
Message-ID: 0101018b98145c09-ec7b99d1-deb5-4434-adc9-69e8f692771b-000000 () us-west-2 ! amazonses ! com

EC_get_builtin_curves() will give you a list of supported curves. 
However, in a FIPS-140 installation, EVP_EC_gen() appears to reject most
of them.  (Oddly, saying "unknown group".)

And even for the 15 that EVP_EC_gen() accepts, several (B-163, K-163,
P-192) can't be used for signing certificates and requests.  (Says
"Curve X-yyy cannot be used for signing".)

Is there an easy way to get a list of FIPS-140 approved curves that can
be used for signing certificates and requests, or do you have to try
each one and see if it works?

OpenSSL 3.0.10.

-- 
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
