fips mode and key management
Richard Levitte
levitte at openssl.org
Tue Jan 21 09:36:47 UTC 2020
This doesn't affect applications. Our FIPS module holds its own
keys, but reuses the same structures as libcrypto to hold them
internally, and *there*, the EX_DATA field is irrelevant.
Applications will never get that far in. The EX_DATA added by the
application is still valid.
I think that the misunderstanding lies in when FIPS_MODE is defined.
It's defined when the FIPS provider module is being built, never
otherwise.
Cheers,
Richard
On Sat, 18 Jan 2020 12:19:25 +0100,
Roumen Petrov wrote:
>
> Hello,
>
> Recently I noted that when the build is in FIPS_MODE some functionality is
> lost. For instance RSA_{g|s}et_ex_data is not available.
>
> Reading the code I expect that in FIPS mode use of external keys is
> forbidden.
> Remark: ex_data is used to store reference information for external keys.
>
> Please confirm that in FIPS mode we can use external keys.
>
>
> Regards
> Roumen Petrov
>
> P.S. If it is not allowed, this is a regression from previous FIPS
> releases (validations).
> Neither the OpenSSL nor the Red Hat nor the Solaris FIPS validation forbids use of
> "external" keys.
>
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/