AES-cipher offload to engine in openssl-fips
Jakob Bohm
jb-openssl at wisemo.com
Wed Feb 27 20:55:29 UTC 2019
On 27/02/2019 20:59, Salz, Rich via openssl-users wrote:
> If you change a single line of code or do not build it EXACTLY as documented, you cannot claim to use the OpenSSL validation.
>
>
I believe the context here is one I also mentioned in my comment on
the 3.0 draft spec:
- OpenSSL FIPS Module provides FIPS validated software implementations of
all/most of the permitted algorithms.
- Engine provides FIPS validated (hardware?) implementations of one or
more implementations, under a separate FIPS validation, perhaps done
at the hardware level.
- FIPS-capable OpenSSL (outside the FIPS boundary) is somehow made to use
both FIPS validated modules depending on various conditions (such as
algorithm availability). FIPS-capable OpenSSL can be changed without
breaking the FIPS validation of the modules.
- Overall application claims FIPS compliance as all crypto is done by
FIPS validated modules.
A hypothetical US gov example would be using a certificate on a FIPS
validated FIPS 201 PIV ID card.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users
mailing list