[gnutls-devel] GnuTLS | cannot generate RSA-OAEP key outside of FIPS mode with certtool (#1653)

Tue Feb 4 10:28:00 CET 2025



Alexander Sosedkin commented: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2329607755


>From my brief exploration of the code, I couldn't find why the FIPS and non-FIPS results differ, but here are two ltrace snippets that might be of interest:

non-FIPS:
```
gnutls_x509_privkey_get_seed(0x55a8a382ff30, 0, 0, 0) = 0xffffffce  # <- GNUTLS_E_INVALID_REQUEST
gnutls_x509_privkey_generate2(0x55a8a382ff30, 13, 3072, 0) = 0
gnutls_x509_spki_deinit(0x55a8a3830150, 0x55a8a3813510, 2, 0x55a8a3813a50) = 2
gnutls_x509_privkey_verify_params(0x55a8a382ff30, 0x55a8a3830140, 0x55adf9093df0, 4) = 0
gnutls_x509_privkey_get_pk_algorithm(0x55a8a382ff30, 0x7ffe74f64bf0, 0x55a8a382ff30, 7) = 13
gnutls_x509_privkey_get_seed(0x55a8a382ff30, 0, 0, 0) = 0xffffffce  # <- GNUTLS_E_INVALID_REQUEST
fwrite("Public Key Info:\n", 1, 17, 0x55a8a382f450) = 17
```

FIPS:
```
gnutls_x509_privkey_get_seed(0x55ce108b3200, 0, 0, 0) = 0xffffffce  # <- GNUTLS_E_INVALID_REQUEST
gnutls_x509_privkey_generate2(0x55ce108b3200, 13, 3072, 0) = 0
gnutls_x509_spki_deinit(0x55ce108b3420, 0x55ce108811b0, 2, 0x55ce108810f0) = 2
gnutls_x509_privkey_verify_params(0x55ce108b3200, 0x55ce108b3410, 0x55cb4c6b1873, 5) = 0
gnutls_x509_privkey_get_pk_algorithm(0x55ce108b3200, 0x7ffc1fb6c220, 0x55ce108b3200, 7) = 13
gnutls_x509_privkey_get_seed(0x55ce108b3200, 0, 0, 0) = 0xffffffcd  # <- GNUTLS_E_SHORT_MEMORY_BUFFER, suggesting key->params.seed_size is set
fwrite("Assuming --pkcs8 is given; prova"..., 1, 87, 0x7fdc0c9f74e0) = 87
fwrite("Public Key Info:\n", 1, 17, 0x55ce108a3010) = 17
```

-- 
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/1653#note_2329607755
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20250204/8daa8166/attachment.html>