Openssl 3.0 fips usage

Salz, Rich rsalz at
Tue Feb 4 15:23:13 UTC 2020

  *   If  both default and fips provider are loaded and application generate Rsa key pair(2048 bits) from fips provider and  try to use default provider to sign with sha1,  is this allowed?

The application will have to explicitly “export” the key from the FIPS provider and “import” it into the default (non-FIPS) provider. So you can share keys. Whether or not that is allowed would perhaps depend on the details of the export/import process and key protection required by FIPS. I think you would have to get an accredited validation lab to answer that question for you.

HOWEVER, this doesn’t your real question:

  *   According to FIPS 140-2 IG document, CSP defined in approved mode of operation shall not be accessed or shared with non-approved mode of  operation.If allowed, will it not break the fips rules?

The OpenSSL FIPS-validated provider will only operate in FIPS mode and will not have a non-approved mode of operation as long as you follow the configuration and installation procedures (not yet written).

Disclaimer: I am not employed by an accredited lab.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list