New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EC explicit parameters in FIPS mode work in key generation and signature #18452
Comments
How are you loading the FIPS provider here? It does not seem to be mentioned on your command line. Is this via config? Do you also load the default provider? |
For these commands I used |
IMO this is not really relevant to #17998 because we automatically convert the explicit parameters to named if they are matching existing named curve. |
To clarify - the conversion happens in decoders which are not part of the FIPS provider. The same applies to the -param_enc explicit - that is done in the encoders which are again not part of the FIPS provider. |
@t8m, yes but after conversion it looks reasonable to save them as named curve, not as an explicit. |
Saving is done by encoder - you've asked to encode as explicit params with the |
All the other operations except for the active crypto (keygen and signing) IMO still happen outside of the FIPS provider so they are not affected by #17998. As I proposed on one of the OTC meetings it would be IMO interesting to add a new build time option to completely disable the explicit curve support in the whole library, but that would be only for master branch. |
In my understanding we could enforce the name curve parameters inside the FIPS provider. Though I didn't succeed yet |
You cannot enforce it in the FIPS provider because the conversion happens outside of it. |
Fix disabling support of explicit EC parameters in FIPS mode implemented in #17998 looks incomplete.
Commands
produces:
Private key also contains EC parameters in explicit form
The text was updated successfully, but these errors were encountered: