OpenSSL 3 FIPS on iOS
pauli at openssl.org
Thu Feb 3 06:39:59 UTC 2022
This does not mean we wouldn't be interested in having better iOS
support if someone was willing to contribute.
Paul Dale
On 3/2/22 5:38 pm, pauli at openssl.org wrote:
> The FIPS provider will likely not work with iOS as it currently stands.
>
> The development team are not up to speed on iOS and not much effort
> was put into supporting it (or Android for the same reason). We
> didn't even get remotely close to having code signed.
>
>
> Paul Dale
>
>
> On 27/1/22 4:41 am, Kevin Millson wrote:
>>
>> Hello All,
>>
>> Has anyone tried using the FIPS provider on iOS and got it uploaded
>> and successfully reviewed by Apple?
>>
>> Apple won't let you just put the 'fips.dylib' in your app's bundle so
>> we've wrapped it in an iOS Framework Bundle, which solves some of the
>> problems. But Apple are scanning the dylib's mach-o header and
>> finding the type bit field set to 'bundle' rather than 'execute' and
>> rejecting it. I think they might also be looking for particular load
>> commands in the header and not finding them either. I guess changes
>> to the FIPS build process are required to effect any change to the
>> file header?
>>
>> The Framework Bundle must be signed, as every iOS executable must be,
>> so this has to be done before the FIPS Configuration is created via
>> FIPS Install. If you try to perform these operations in the reverse
>> order, i.e. create configuration and then sign, then the values
>> within the configuration won't match the calculated values when the
>> FIPS Provider subsequently loads and runs. I haven't examined the
>> implementation of FIPS Install but I suspect it's not just examining
>> the mach-o segment with the executable code in it and is instead
>> detecting any change, i.e. also header changes as a result of iOS
>> signing. Currently we create configurations for all our signing
>> scenarios and then ensure individual FIPS frameworks are not
>> re-signed at any point subsequently. Sign for App Store Distribution
>> remains troublesome though and what if Apple re-sign the app and
>> consequently the FIPS framework? Failure to load the FIPS Provider
>> would then result.
>>
>> So we're unsure how OpenSSL 3 FIPS can be deployed within iOS apps
>> from the Apple App Store. It would be great to hear whether anyone else
>> has got this working and through an Apple app review.
>>
>
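The ordering Kevin describes (sign first, then run FIPS Install) follows from how the integrity check works: `openssl fipsinstall` records an HMAC-SHA256 over the entire module file as `module-mac` in fipsmodule.cnf, so any later byte change, including a Mach-O header rewrite by code signing, fails the check at load time. The following is an added illustration, not code from the thread or from OpenSSL: `INTEGRITY_KEY` is a placeholder for the fixed key compiled into OpenSSL's FIPS provider, `SAMPLE_MODULE` is constructed bytes standing in for fips.dylib, and `codesign` is a stand-in that only alters one header byte.

```python
import hmac
import hashlib
import re

# Placeholder for the fixed HMAC key compiled into OpenSSL's FIPS provider
# (providers/fips/self_test.c); the real value is needed to check a real fips.dylib.
INTEGRITY_KEY = bytes(32)

# Constructed stand-in for a fips.dylib: a fake 32-byte Mach-O header, then "code".
SAMPLE_MODULE = b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + b"FIPS provider code bytes"


def module_mac(module: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the whole file, formatted like fipsmodule.cnf's module-mac."""
    digest = hmac.new(key, module, hashlib.sha256).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fipsinstall(module: bytes, key: bytes = INTEGRITY_KEY) -> str:
    """Mimic the part of `openssl fipsinstall` that writes the module-mac line."""
    return f"[fips_sect]\nactivate = 1\nmodule-mac = {module_mac(module, key)}\n"


def read_module_mac(cnf_text: str) -> str:
    """Extract module-mac from fipsmodule.cnf-style text."""
    m = re.search(r"^module-mac\s*=\s*([0-9A-Fa-f:]+)\s*$", cnf_text, re.MULTILINE)
    if m is None:
        raise ValueError("module-mac not found in configuration")
    return m.group(1).upper()


def module_matches_config(module: bytes, cnf_text: str, key: bytes = INTEGRITY_KEY) -> bool:
    """The load-time integrity check: recompute the MAC and compare in constant time."""
    return hmac.compare_digest(module_mac(module, key), read_module_mac(cnf_text))


def codesign(module: bytes) -> bytes:
    """Stand-in for iOS signing: flips one byte in the header region only,
    leaving the code bytes untouched (real signing rewrites load commands)."""
    header, code = bytearray(module[:32]), module[32:]
    header[16] ^= 0x01
    return bytes(header) + code


def sign_then_install(module: bytes = SAMPLE_MODULE) -> bool:
    """Kevin's working order: sign first, then create the configuration."""
    signed = codesign(module)
    return module_matches_config(signed, fipsinstall(signed))


def install_then_sign(module: bytes = SAMPLE_MODULE) -> bool:
    """The failing order: configuration created, then the file is re-signed."""
    cnf = fipsinstall(module)
    return module_matches_config(codesign(module), cnf)
```

Pointing `module_matches_config` at a real, already-signed fips.dylib and its fipsmodule.cnf (with the real key) is a cheap pre-upload check that a later re-sign has not invalidated the configuration.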