Skip to content

Commit 3928f38

Browse files
jschmidbjschmidb
committed
fips update: show minimum RSA public exponent in icainfo
In fips mode the minimum allowed RSA public exponent is 65537. RSA key generation is always performed via openssl. Check at runtime what openssl supports. Signed-off-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
1 parent 44950b3 commit 3928f38

1 file changed

Lines changed: 60 additions & 0 deletions

File tree

src/icainfo.c

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -174,6 +174,44 @@ int rsa_keylen_supported_by_openssl(unsigned int modulus_bitlength)
174174
return rc == 0 ? 1 : 0;
175175
}
176176

177+
int rsa_pubexp_supported_by_openssl(unsigned int pubexp)
178+
{
179+
unsigned char modexpo_public_e[256] = { 0 };
180+
unsigned char modexpo_public_n[256] = { 0 };
181+
unsigned char crt_private_p[128] = { 0 };
182+
unsigned char crt_private_q[128] = { 0 };
183+
unsigned char crt_private_dp[128] = { 0 };
184+
unsigned char crt_private_dq[128] = { 0 };
185+
unsigned char crt_private_inv_q[128] = { 0 };
186+
ica_adapter_handle_t ah;
187+
ica_rsa_key_mod_expo_t public_key;
188+
ica_rsa_key_crt_t private_key;
189+
int rc;
190+
191+
rc = ica_open_adapter(&ah);
192+
if (rc != 0)
193+
return 0;
194+
195+
public_key.modulus = modexpo_public_n;
196+
public_key.exponent = modexpo_public_e;
197+
public_key.key_length = 256;
198+
199+
private_key.p = crt_private_p;
200+
private_key.q = crt_private_q;
201+
private_key.dp = crt_private_dp;
202+
private_key.dq = crt_private_dq;
203+
private_key.qInverse = crt_private_inv_q;
204+
private_key.key_length = 256;
205+
206+
*(int*)((unsigned char *)public_key.exponent + 256 - sizeof(int)) = pubexp;
207+
208+
rc = ica_rsa_key_generate_crt(ah, 2048, &public_key, &private_key);
209+
210+
ica_close_adapter(ah);
211+
212+
return rc == 0 ? 1 : 0;
213+
}
214+
177215
int get_rsa_minlen(void)
178216
{
179217
int keylen_array[] = { 57, 512, 1024, 2048, 4096 };
@@ -188,21 +226,43 @@ int get_rsa_minlen(void)
188226
return -1;
189227
}
190228

229+
int get_rsa_min_pubexp(void)
230+
{
231+
int pubexp_array[] = { 3, 65537 };
232+
size_t i;
233+
234+
for (i = 0; i < sizeof(pubexp_array) / sizeof(int); i++) {
235+
if (rsa_pubexp_supported_by_openssl(pubexp_array[i])) {
236+
return pubexp_array[i];
237+
}
238+
}
239+
240+
return -1;
241+
}
242+
191243
/**
192244
* Print out the minimum and maximum RSA key length. The maximum length is
193245
* restricted to 4096 bits by crypto cards. The minimum accepted length in
194246
* libica is 57 bits, but the available min length depends on the openssl
195247
* version and fips mode.
248+
* Also print the minimum allowed value of the public exponent. In FIPS mode
249+
* the minimum public exponent is 65537.
196250
*/
197251
void print_rsa(void)
198252
{
199253
int minlen = get_rsa_minlen();
254+
int min_pubexp = get_rsa_min_pubexp();
200255

201256
if (minlen > 0)
202257
printf("RSA key lengths: %d ... 4096 bits.\n", minlen);
203258
else
204259
printf("Error: cannot determine supported RSA key lengths via openssl.\n");
205260

261+
if (min_pubexp > 0)
262+
printf("RSA public exponents greater or equal to %d.\n", min_pubexp);
263+
else
264+
printf("Error: cannot determine supported RSA public exponents via openssl.\n");
265+
206266
#ifdef ICA_FIPS
207267
printf("Built-in FIPS support: FIPS 140-3 mode %s.\n",
208268
ica_fips_status() & ICA_FIPS_MODE ? "active" : "inactive");

0 commit comments

Comments
 (0)