Mentioned in #44 (comment): some OpenSSL 1.0.2 builds don't include P-224. I initially noticed this while running the x/crypto wycheproof tests on my Fedora dev machine with 1.0.2o-fips, but it makes this repo's TestECDSAKeyGeneration test fail too.
I'm not sure what the best thing to do would be. For my own sake, it would be nice if at least the golang-fips/openssl tests succeeded on my main dev machine. Exporting an API that lists supported NIDs and using that to decide to skip tests seems like it would be fine for that. (If we did that, in CI, we should make sure to expect the full set of curves to be supported and test all of them, in case the "get supported curves" API makes a mistake.)
However, I'm only using Fedora out of familiarity/convenience, and I don't need to use the distro's OpenSSL 1.0.2 build. This isn't something we're expecting to happen inside Microsoft either. So: I don't know if it's worth doing anything about this. Either way, here's an issue to track it. 🙂
I tried making an openssl API for EC_get_builtin_curves (doc) to see what my OpenSSL 1.0.2 supports:
nid 714, comment "SECG curve over a 256 bit prime field"
nid 715, comment "NIST/SECG curve over a 384 bit prime field"
nid 716, comment "NIST/SECG curve over a 521 bit prime field"
nid 415, comment "X9.62/SECG curve over a 256 bit prime field"
My machine also has OpenSSL 1.1 and 3, and when I change the override to use those versions, P-224 is added to the returned list as expected.
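The skip-versus-fail policy proposed in this issue, as an added example that is not part of the original issue or the golang-fips/openssl code. The `decide` helper and the `strict` flag are hypothetical names; the NID values are OpenSSL's `obj_mac.h` constants, and `fedora102` is a sample built from the NID list quoted above.

```go
package main

import "fmt"

// OpenSSL NIDs (obj_mac.h) for the NIST prime curves the tests exercise.
var nistCurveNIDs = map[string]int{
	"P-224": 713, // NID_secp224r1
	"P-256": 415, // NID_X9_62_prime256v1
	"P-384": 715, // NID_secp384r1
	"P-521": 716, // NID_secp521r1
}

// Constructed sample: the NID list the issue reports for OpenSSL 1.0.2o-fips.
var fedora102 = []int{714, 715, 716, 415}

// decide (hypothetical helper) returns "run", "skip" or "fail" for one curve,
// given the NIDs the loaded library reports as built in.
// strict models CI: an absent curve fails instead of skipping, so a wrong
// "supported curves" answer cannot silently shrink test coverage.
func decide(curve string, builtin []int, strict bool) string {
	nid, known := nistCurveNIDs[curve]
	if !known {
		return "fail" // a typo in the test table must never become a skip
	}
	for _, n := range builtin {
		if n == nid {
			return "run"
		}
	}
	if strict {
		return "fail"
	}
	return "skip"
}

func main() {
	for _, c := range []string{"P-224", "P-256", "P-384", "P-521"} {
		fmt.Printf("%s dev=%s ci=%s\n", c,
			decide(c, fedora102, false), decide(c, fedora102, true))
	}
}
```

In a real test the "skip" result would map to `t.Skip` and "fail" to `t.Fatal`.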