On Thu, 28 Feb 2019 14:41:19 +0100, Salz, Rich wrote: > > > There are two options. First, the application does the digest and > > sign as two separate things. > > My memory is a foggy surrounding that scenario, so I might be wrong, > but I think it was argued that this was invalid use from a FIPS > perspective. Now, we can't actually stop any application from doing > this, sure! But... > > No, it's not illegal -- FIPS code being used for all FIPS operations. > > > If the EVP API does the digesting with one module and then calls > > another module to do the RSA signing, that is okay. > > That suggests to me that libcrypto could "magically" combine two > different FIPS providers, which would be none of the two options > mentioned above. > > Yes. I believe this is okay, but also that OpenSSL is not going to support this. Matt quoted a part of the design document that confirms what you're saying. I stand (*) corrected. Cheers, Richard ----- (*) actually, I sit ;-) -- Richard Levitte levitte@xxxxxxxxxxx OpenSSL Project http://www.openssl.org/~levitte/
