Re: Openssl 3.0 fips usage


  • If both the default and FIPS providers are loaded and the application generates an RSA key pair (2048 bits) from the FIPS provider and tries to use the default provider to sign with SHA-1, is this allowed?

 

The application will have to explicitly “export” the key from the FIPS provider and “import” it into the default (non-FIPS) provider. So you can share keys. Whether or not that is allowed would perhaps depend on the details of the export/import process and key protection required by FIPS. I think you would have to get an accredited validation lab to answer that question for you.

 

HOWEVER, this doesn’t answer your real question:

 

  • According to the FIPS 140-2 IG document, a CSP defined in an approved mode of operation shall not be accessed or shared with a non-approved mode of operation. If allowed, will it not break the FIPS rules?

 

The OpenSSL FIPS-validated provider will only operate in FIPS mode and will not have a non-approved mode of operation as long as you follow the configuration and installation procedures (not yet written).

 

Disclaimer: I am not employed by an accredited lab.

