DEK-info - FIPS openssl

When using the openssl command to create an RSA private key in non-FIPS mode there is this preamble in the .pem file:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9B77844F30335D00

However, when creating an RSA private key while in FIPS mode this preamble does not exist.

I'd like to determine if a key has been created by a FIPS-enabled openssl executable and delete it and create a new one. Can I reliably determine that the key has not been generated while openssl was in FIPS mode if this preamble is missing?

Or is there a better way to determine if a private key, or certificate, had been generated by openssl while not in FIPS mode?

Thanks.
Re: DEK-info - FIPS openssl

On Thu, Nov 05, 2009, Mike Trent wrote:

> When using the openssl command to create an RSA private key in non-FIPS mode
> there is this preamble in the .pem file:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: DES-EDE3-CBC,9B77844F30335D00
>
> However, when creating an RSA private key while in FIPS mode this preamble
> does not exist.
>
> I'd like to determine if a key has been created by a FIPS-enabled openssl
> executable and delete it and create a new one. Can I reliably determine that
> the key has not been generated while openssl was in FIPS mode if this
> preamble is missing?
>
> Or is there a better way to determine if a private key, or certificate, had
> been generated by openssl while not in FIPS mode?
>

Quick answer: no, there isn't a reliable way to detect keys or certificates created in FIPS mode.

Long answer:

The default private key encryption for OpenSSL 0.9.8 and earlier used MD5 for key derivation, which isn't allowed in FIPS mode. It also used a non-standard format.

To address this, PKCS#8 is used, which can use SHA1 for key derivation instead. It also has the advantage that keys can be transparently handled: that is, if you use the PEM format it just works whether you have traditional or PKCS#8 format.

Due to the non-standard way of using keys and the use of MD5, it was decided to make PKCS#8 format the default for OpenSSL 1.0 and later.

So if you don't see DEK-Info it could be from:

OpenSSL 0.9.8 in FIPS mode.
OpenSSL 1.0.0 using the new default key format.
OpenSSL 0.9.8 or earlier specifically using PKCS#8 format.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...
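The answer above turns on the difference between two PEM encapsulations: the traditional format, whose Proc-Type/DEK-Info headers carry the cipher and IV and whose key is derived from the passphrase with MD5 (EVP_BytesToKey), and PKCS#8, whose KDF parameters live inside the ASN.1 body. The following is an added example, not code from the thread or from OpenSSL: it classifies a PEM key by its BEGIN label and headers, parses a DEK-Info line, and reproduces the MD5-based derivation that the traditional format depends on. The PEM texts are constructed samples with placeholder bodies (only the headers matter here), and the cipher table is deliberately limited to a few common DEK-Info ciphers; OpenSSL itself accepts any EVP cipher name there. Note that the classifier can only tell you which format a file is in, not which mode the generating openssl ran in, which is exactly the point of Steve's reply.

```python
"""Classify OpenSSL PEM private keys and parse the traditional DEK-Info header.

Added example (not from the mailing-list thread or OpenSSL). Sample PEM texts
below are constructed; their base64 bodies are placeholders, not real keys.
"""
import hashlib
import re

# Subset of DEK-Info ciphers -> (key length, IV length). Assumption for this
# example; OpenSSL's PEM code accepts any EVP cipher by name.
DEK_CIPHERS = {
    "DES-CBC": (8, 8),
    "DES-EDE3-CBC": (24, 8),
    "AES-128-CBC": (16, 16),
    "AES-192-CBC": (24, 16),
    "AES-256-CBC": (32, 16),
}

# Constructed samples. The DEK-Info line is the one quoted in the thread.
TRADITIONAL_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,9B77844F30335D00

UExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=
-----END RSA PRIVATE KEY-----
"""
TRADITIONAL_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
UExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=
-----END ENCRYPTED PRIVATE KEY-----
"""
PKCS8_PLAIN = """-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVItTk9ULUEtUkVBTC1LRVk=
-----END PRIVATE KEY-----
"""


def classify_pem(pem: str) -> dict:
    """Return {'label', 'kind', [cipher, iv]} for a PEM private key.

    kinds: traditional-encrypted (BEGIN <ALG> PRIVATE KEY + DEK-Info header),
           traditional-plain, pkcs8-encrypted (BEGIN ENCRYPTED PRIVATE KEY;
           the PBES2/PBKDF2 parameters are inside the DER, not in PEM headers),
           pkcs8-plain (BEGIN PRIVATE KEY), other.
    """
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+?)-----", pem)
    if not m:
        raise ValueError("no PEM BEGIN line")
    label = m.group(1)
    info = {"label": label}
    if label == "ENCRYPTED PRIVATE KEY":
        info["kind"] = "pkcs8-encrypted"
    elif label == "PRIVATE KEY":
        info["kind"] = "pkcs8-plain"
    elif label.endswith(" PRIVATE KEY"):
        dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", pem, re.M)
        if dek is None:
            info["kind"] = "traditional-plain"
        else:
            cipher, iv_hex = dek.group(1), dek.group(2)
            if cipher not in DEK_CIPHERS:
                raise ValueError("unsupported DEK-Info cipher: " + cipher)
            iv = bytes.fromhex(iv_hex)
            if len(iv) != DEK_CIPHERS[cipher][1]:
                raise ValueError("DEK-Info IV has wrong length for " + cipher)
            info.update(kind="traditional-encrypted", cipher=cipher, iv=iv)
    else:
        info["kind"] = "other"
    return info


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int) -> bytes:
    """EVP_BytesToKey with MD5 and count=1, as used for traditional PEM keys.

    The salt is the first 8 bytes of the DEK-Info IV. D_0 = MD5(pw||salt),
    D_i = MD5(D_{i-1}||pw||salt); the digests are concatenated and truncated.
    The dependence on MD5 is what keeps this format out of FIPS mode.
    """
    salt = salt[:8]
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]


if __name__ == "__main__":
    for name, pem in [("traditional-encrypted", TRADITIONAL_ENCRYPTED),
                      ("traditional-plain", TRADITIONAL_PLAIN),
                      ("pkcs8-encrypted", PKCS8_ENCRYPTED),
                      ("pkcs8-plain", PKCS8_PLAIN)]:
        print(name, classify_pem(pem))
    info = classify_pem(TRADITIONAL_ENCRYPTED)
    key = evp_bytes_to_key(b"example passphrase", info["iv"], DEK_CIPHERS[info["cipher"]][0])
    print("derived 3DES key:", key.hex())
```

Running it on a real traditional key and feeding the derived key and the DEK-Info IV to a DES-EDE3-CBC decryptor recovers the DER body; on a platform that enforces FIPS in its Python hashlib, the `hashlib.md5` call itself may be refused, which is the same restriction Steve describes for OpenSSL. Either way, a missing DEK-Info line only tells you the file is not in the traditional encrypted format.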