AES-cipher offload to engine in openssl-fips
Richard Levitte
levitte at openssl.org
Thu Feb 28 14:06:00 UTC 2019
On Thu, 28 Feb 2019 14:41:19 +0100,
Salz, Rich wrote:
>
> > There are two options. First, the application does the digest and
> > sign as two separate things.
>
> My memory is a foggy surrounding that scenario, so I might be wrong,
> but I think it was argued that this was invalid use from a FIPS
> perspective. Now, we can't actually stop any application from doing
> this, sure! But...
>
> No, it's not illegal -- FIPS code being used for all FIPS operations.
>
> > If the EVP API does the digesting with one module and then calls
> > another module to do the RSA signing, that is okay.
>
> That suggests to me that libcrypto could "magically" combine two
> different FIPS providers, which would be none of the two options
> mentioned above.
>
> Yes. I believe this is okay, but also that OpenSSL is not going to support this.
Matt quoted a part of the design document that confirms what you're
saying. I stand (*) corrected.
Cheers,
Richard
-----
(*) actually, I sit ;-)
--
Richard Levitte levitte at openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
More information about the openssl-users
mailing list