On 03/15/2016 08:38 PM, Satya Das wrote: > Steve, > > How does one get a hold of the embedded signature in libcrypto.so ? I assume you're referring to the known-good FIPS 140-2 integrity check digest that is used for the runtime integrity check in the POST. Several people have already tried to explain that finding that digest DOES NOT repeat NOT prove that the application runtime binary is using a FIPS 140-2 validated module. The digest was inserted when the application was (correctly) linked to the FIPS module, and I've already told you a way it could be located, but having such a tool gains you nothing. The magical pixie dust that distinguishes a validated module from a bit-for-bit identical non-validated module is undetectable by any kind of software, thus it is impossible -- even blue-sky theoretically -- to develop a technical tool or utility of any kind that will suffice as proof a product is using a validated cryptographic module. It is even less possible than the "secure backdoor" in FBI/DoJ fantasies. -Steve M. -- Steve Marquess OpenSSL Validation Services, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
