> There are two options. First, the application does the digest and
> sign as two separate things.

My memory is foggy surrounding that scenario, so I might be wrong, but I think it was argued that this was invalid use from a FIPS perspective. Now, we can't actually stop any application from doing this, sure! But...

No, it's not illegal -- FIPS code being used for all FIPS operations.

> If the EVP API does the digesting with one module and then calls
> another module to do the RSA signing, that is okay.

That suggests to me that libcrypto could "magically" combine two different FIPS providers, which would be none of the two options mentioned above.

Yes. I believe this is okay, but also that OpenSSL is not going to support this.