EC explicit parameters in FIPS mode work in key generation and signature #18452

Closed
beldmit opened this issue Jun 1, 2022 · 9 comments
Labels
resolved: not a bug The issue is not considered a bug triaged: bug The issue/pr is/fixes a bug

Comments

@beldmit
Member

beldmit commented Jun 1, 2022

The fix disabling support of explicit EC parameters in FIPS mode, implemented in #17998, looks incomplete.

Commands

openssl ecparam -param_enc explicit -genkey -out key.pem -name prime256v1
openssl req -x509 -key key.pem -out cert.crt -subj /CN=localhost -nodes -batch
openssl x509 -in cert.crt -noout -text

produces:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:61:b5:09:7e:ff:68:a2:44:ef:e6:81:47:af:fd:30:85:ed:b8:d2
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = localhost
        Validity
            Not Before: May 27 13:01:49 2022 GMT
            Not After : Jun 26 13:01:49 2022 GMT
        Subject: CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d9:eb:33:3b:24:2f:d8:a8:a3:26:2a:73:49:9a:
                    b8:fe:e0:f8:c8:4f:e2:68:f3:e1:11:56:f8:82:14:
                    10:4b:af:24:bd:39:9b:a2:e9:d3:b2:ce:90:4d:c2:
                    cf:30:6a:e1:d3:4f:b4:82:8b:72:ee:2a:92:92:52:
                    54:dd:26:aa:30
                Field Type: prime-field
                Prime:
                    00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
                    00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff
                A:   
                    00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
                    00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:fc
                B:   
                    5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86:
                    bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2:
                    60:4b
                Generator (uncompressed):
                    04:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4:
                    40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8:
                    98:c2:96:4f:e3:42:e2:fe:1a:7f:9b:8e:e7:eb:4a:
                    7c:0f:9e:16:2b:ce:33:57:6b:31:5e:ce:cb:b6:40:
                    68:37:bf:51:f5
                Order: 
                    00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff:
                    ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc:
                    63:25:51
                Cofactor:  1 (0x1)
                Seed:
                    c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26:
                    b7:81:9f:7e:90
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                35:FC:49:D8:BB:37:90:53:AF:28:5A:63:7B:5A:42:4C:E6:1D:83:82
            X509v3 Authority Key Identifier: 
                35:FC:49:D8:BB:37:90:53:AF:28:5A:63:7B:5A:42:4C:E6:1D:83:82
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:21:00:e0:de:53:f0:f4:2a:0c:4f:65:5e:2e:b2:fd:
        bd:93:d3:90:fd:3a:b2:26:27:2a:d5:fb:13:74:42:5c:ee:e4:
        ab:02:20:2f:38:fd:99:05:e7:e6:1a:a3:70:2d:92:08:b8:01:
        76:1b:3f:bc:33:64:c7:03:e1:3b:0d:9a:5e:6d:e5:06:27

The private key also contains EC parameters in explicit form.

@beldmit beldmit added the issue: bug report The issue was opened to report a bug label Jun 1, 2022
@mattcaswell mattcaswell added triaged: bug The issue/pr is/fixes a bug and removed issue: bug report The issue was opened to report a bug labels Jun 2, 2022
@mattcaswell
Member

How are you loading the FIPS provider here? It does not seem to be mentioned on your command line. Is this via config? Do you also load the default provider?

@beldmit
Member Author

beldmit commented Jun 2, 2022

For these commands I used util/wrap -fips so yes, via config. In the environment we use we have base provider, fips provider, default provider, and fips=yes fetching properties.

@t8m
Member

t8m commented Jun 2, 2022

IMO this is not really relevant to #17998 because we automatically convert the explicit parameters to named if they match an existing named curve.

@t8m
Member

t8m commented Jun 2, 2022

To clarify - the conversion happens in decoders which are not part of the FIPS provider.

The same applies to the -param_enc explicit - that is done in the encoders which are again not part of the FIPS provider.

@t8m t8m added the resolved: not a bug The issue is not considered a bug label Jun 2, 2022
@beldmit
Member Author

beldmit commented Jun 2, 2022

@t8m, yes, but after conversion it looks reasonable to save them as a named curve, not as explicit.

@t8m
Member

t8m commented Jun 2, 2022

Saving is done by the encoder - you've asked to encode as explicit params with the -param_enc explicit so the encoder happily converts them.

@t8m
Member

t8m commented Jun 2, 2022

All the other operations except for the active crypto (keygen and signing) IMO still happen outside of the FIPS provider so they are not affected by #17998.

As I proposed at one of the OTC meetings, it would IMO be interesting to add a new build-time option to completely disable the explicit curve support in the whole library, but that would be only for the master branch.

@beldmit
Member Author

beldmit commented Jun 2, 2022

In my understanding we could enforce the named curve parameters inside the FIPS provider. Though I haven't succeeded yet.

@t8m
Member

t8m commented Jun 2, 2022

You cannot enforce it in the FIPS provider because the conversion happens outside of it.

@t8m t8m closed this as completed Aug 23, 2022
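
Added example (not part of the thread and not OpenSSL code): since the thread places the explicit/named conversion in encoders and decoders outside the FIPS provider, whether a stored key or certificate carries explicit parameters has to be checked on the encoded object itself. This sketch classifies the ECParameters CHOICE (RFC 5480) in a DER SubjectPublicKeyInfo by its tag; the function names are hypothetical and the sample inputs are constructed, with placeholder key bits.

```python
# Added example, not OpenSSL code: report how the EC domain parameters are
# encoded in a DER SubjectPublicKeyInfo, from the tag of the ECParameters CHOICE.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")    # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")        # OID 1.2.840.10045.3.1.7
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits count length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def ec_param_encoding(spki_der):
    """Return 'named', 'explicit', 'implicit', 'unknown' or 'not-ec'."""
    tag, spki, _ = read_tlv(spki_der, 0)
    alg_tag, alg, _ = read_tlv(spki, 0)
    if tag != 0x30 or alg_tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo")
    oid_tag, oid, pos = read_tlv(alg, 0)
    if oid_tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        return "not-ec"
    param_tag, _, _ = read_tlv(alg, pos)  # namedCurve / specifiedCurve / implicitCurve
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(param_tag, "unknown")

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed samples below."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

# Constructed samples: placeholder key bits and an abbreviated specifiedCurve body.
POINT = der(0x03, b"\x00\x04" + bytes(64))
SPECIFIED = der(0x30, der(0x02, b"\x01") + der(0x04, bytes(160)))
NAMED = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + der(0x06, PRIME256V1)) + POINT)
EXPLICIT = der(0x30, der(0x30, der(0x06, ID_EC_PUBLIC_KEY) + SPECIFIED) + POINT)
RSA = der(0x30, der(0x30, der(0x06, RSA_ENCRYPTION) + der(0x05, b"")) + der(0x03, b"\x00"))

if __name__ == "__main__":
    for name, blob in (("named", NAMED), ("explicit", EXPLICIT), ("rsa", RSA)):
        print(name, "->", ec_param_encoding(blob))
```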