Algorithms Restrictions: FIPS mode, SHA1 etc.
Stefan Berger edited this page Sep 16, 2024
The following tests check which restrictions OpenSSL places on RSA signing and verification in FIPS mode, and how the environment variable OPENSSL_ENABLE_SHA1_SIGNATURES can be used to circumvent them. The restrictions on signing with EC keys appear to be the same.
| Test | RHEL 9.4 | CentOS 9 (8/27/2024) | Command |
|---|---|---|---|
| RSA 1024 keygen | does not work | works | `openssl genrsa -out rsa1024.pem 1024` |
| RSA 2048 keygen | works | works | `openssl genrsa -out rsa2048.pem 2048` |
| RSA 1024 + SHA1 signing | no key | does not work | `echo \| openssl dgst -sha1 -sign rsa1024.pem -out sha1.sign` |
| RSA 1024 + SHA1 verify | does not work | | `echo \| openssl dgst -sha1 -verify rsa1024.pem -signature sha1.sign` |
| RSA 2048 + SHA1 signing | does not work | does not work | `echo \| openssl dgst -sha1 -sign rsa2048.pem -out sha1.sign` |
| RSA 1024 + SHA256 signing | no key/does not work | works | `echo \| openssl dgst -sha256 -sign rsa1024.pem -out sha256.sign` |
| RSA 1024 + SHA256 verify | no key | works | `echo \| openssl dgst -sha256 -verify rsa1024.pem -signature sha256.sign` |

| Test | RHEL 9.4 | CentOS 9 (8/27/2024) | Command |
|---|---|---|---|
| RSA 1024 keygen | does not work | works | `openssl genrsa -out rsa1024.pem 1024` |
| RSA 2048 keygen | works | works | `openssl genrsa -out rsa2048.pem 2048` |
| RSA 1024 + SHA1 signing | no key | works | `echo \| OPENSSL_ENABLE_SHA1_SIGNATURES=1 openssl dgst -sha1 -sign rsa1024.pem -out sha1.sign` |
| RSA 1024 + SHA1 verify | does not work | | `echo \| OPENSSL_ENABLE_SHA1_SIGNATURES=1 openssl dgst -sha1 -verify rsa1024.pem -signature sha1.sign` |
| RSA 2048 + SHA1 signing | does not work | works | `echo \| OPENSSL_ENABLE_SHA1_SIGNATURES=1 openssl dgst -sha1 -sign rsa2048.pem -out sha1.sign` |
| RSA 2048 + SHA1 verify | does not work | | `echo \| OPENSSL_ENABLE_SHA1_SIGNATURES=1 openssl dgst -sha1 -verify rsa2048.pem -signature sha1.sign` |

| Test | RHEL 9.4 | CentOS 9 (8/27/2024) | Fedora 40 | Command |
|---|---|---|---|---|
| RSA 1024 keygen | works | works | works | `openssl genrsa -out rsa1024.pem 1024` |
| RSA 2048 keygen | works | works | works | `openssl genrsa -out rsa2048.pem 2048` |
| RSA 1024 + SHA1 signing | does not work | does not work | works | `echo \| openssl dgst -sha1 -sign rsa1024.pem -out sha1.sign` |
| RSA 2048 + SHA1 signing | does not work | does not work | works | `echo \| openssl dgst -sha1 -sign rsa2048.pem -out sha1.sign` |
| RSA 1024 + SHA256 signing | works | works | works | `echo \| openssl dgst -sha256 -sign rsa1024.pem -out sha256.sign` |
| RSA 1024 + SHA256 verify | works | works | works | `echo \| openssl dgst -sha256 -verify rsa1024.pem -signature sha256.sign` |

| Test | RHEL 9.4 | CentOS 9 (8/27/2024) | Command |
|---|---|---|---|
| RSA 1024 keygen | works | works | `openssl genrsa -out rsa1024.pem 1024` |
| RSA 2048 keygen | works | works | `openssl genrsa -out rsa2048.pem 2048` |
| RSA 1024 + SHA1 signing | works | works | `echo \| OPENSSL_ENABLE_SHA1_SIGNATURES=1 openssl dgst -sha1 -sign rsa1024.pem -out sha1.sign` |
| RSA 2048 + SHA1 signing | works | works | `echo \| OPENSSL_ENABLE_SHA1_SIGNATURES=1 openssl dgst -sha1 -verify rsa2048.pem -signature sha1.sign` |
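To reproduce the rows of the tables above on the host at hand (for example before moving a workload that still depends on SHA1 signatures to a FIPS-enabled system), here is an added shell script that is not part of the wiki: it runs the same genrsa and dgst commands, once without and once with OPENSSL_ENABLE_SHA1_SIGNATURES=1, and prints works, does not work or no key per row. The only assumption is a scratch directory TMPD created by the script; it uses `dgst -prverify` because the .pem file holds the private key.

```shell
#!/bin/sh
# Added example, not part of the wiki: reproduce the rows of the tables above
# on the local host to see what its OpenSSL build and crypto policy allow.
# Each probe prints "works", "does not work" or "no key" (key generation
# failed earlier, as in the RHEL 9.4 columns). TMPD is a scratch directory
# chosen here; it is the only assumption about the system.
TMPD=${TMPD:-$(mktemp -d)}

# status CMD... : run CMD quietly and turn its exit code into a table cell
status() { "$@" >/dev/null 2>&1 && echo works || echo "does not work"; }

# probe_keygen BITS : openssl genrsa -out rsaBITS.pem BITS
probe_keygen() { status openssl genrsa -out "$TMPD/rsa$1.pem" "$1"; }

# probe_sign BITS DIGEST [ENV] : echo | openssl dgst -DIGEST -sign rsaBITS.pem
# ENV, when given, becomes the value of OPENSSL_ENABLE_SHA1_SIGNATURES.
probe_sign() {
    key="$TMPD/rsa$1.pem"; sig="$TMPD/$2-$1.sign"
    [ -f "$key" ] || { echo "no key"; return 0; }
    rm -f "$sig"
    echo | status env ${3:+OPENSSL_ENABLE_SHA1_SIGNATURES=$3} \
        openssl dgst "-$2" -sign "$key" -out "$sig"
}

# probe_verify BITS DIGEST [ENV] : check the signature probe_sign produced.
# -prverify is used because rsaBITS.pem holds the private key.
probe_verify() {
    key="$TMPD/rsa$1.pem"; sig="$TMPD/$2-$1.sign"
    [ -f "$key" ] || { echo "no key"; return 0; }
    [ -s "$sig" ] || { echo "no signature"; return 0; }
    echo | status env ${3:+OPENSSL_ENABLE_SHA1_SIGNATURES=$3} \
        openssl dgst "-$2" -prverify "$key" -signature "$sig"
}

# run_matrix : one line per table row, without and with the SHA1 override
run_matrix() {
    for bits in 1024 2048; do
        echo "RSA $bits keygen: $(probe_keygen "$bits")"
        for d in sha1 sha256; do
            echo "RSA $bits + $d signing: $(probe_sign "$bits" "$d")"
            echo "RSA $bits + $d verify: $(probe_verify "$bits" "$d")"
            echo "RSA $bits + $d signing (OPENSSL_ENABLE_SHA1_SIGNATURES=1): $(probe_sign "$bits" "$d" 1)"
            echo "RSA $bits + $d verify (OPENSSL_ENABLE_SHA1_SIGNATURES=1): $(probe_verify "$bits" "$d" 1)"
        done
    done
}

if command -v openssl >/dev/null 2>&1; then run_matrix; fi
```

Run it once with the system crypto policy as deployed and once in FIPS mode to get the two halves of the tables for your own distribution.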