AES-cipher offload to engine in openssl-fips
rsalz at akamai.com
Thu Feb 28 13:41:19 UTC 2019

> There are two options. First, the application does the digest and
> sign as two separate things.

My memory is foggy surrounding that scenario, so I might be wrong,
but I think it was argued that this was invalid use from a FIPS
perspective. Now, we can't actually stop any application from doing
this, sure! But...

No, it's not illegal -- FIPS code being used for all FIPS operations.

> If the EVP API does the digesting with one module and then calls
> another module to do the RSA signing, that is okay.

That suggests to me that libcrypto could "magically" combine two
different FIPS providers, which would be none of the two options

Yes. I believe this is okay, but also that OpenSSL is not going to support this.