Openssl 3.0 fips usage

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Openssl 3.0 fips usage

Manish Patidar
Hi,

Can some one clarify if below usage is allowed by fips

According to FIPS 140-2 IG document, CSP defined in approved mode of operation shall not be accessed or shared with non-approved mode of  operation.

If  both default and fips provider are loaded and application generate Rsa key pair(2048 bits) from fips provider and  try to use default provider to sign with sha1,  is this allowed?
If allowed, will it not break the fips rules?

Regards
Manish
Reply | Threaded
Open this post in threaded view
|

Re: Openssl 3.0 fips usage

OpenSSL - User mailing list
  • If  both default and fips provider are loaded and application generate Rsa key pair(2048 bits) from fips provider and  try to use default provider to sign with sha1,  is this allowed?

 

The application will have to explicitly “export” the key from the FIPS provider and “import” it into the default (non-FIPS) provider. So you can share keys. Whether or not that is allowed would perhaps depend on the details of the export/import process and key protection required by FIPS. I think you would have to get an accredited validation lab to answer that question for you.

 

HOWEVER, this doesn’t your real question:

 

  • According to FIPS 140-2 IG document, CSP defined in approved mode of operation shall not be accessed or shared with non-approved mode of  operation.If allowed, will it not break the fips rules?

 

The OpenSSL FIPS-validated provider will only operate in FIPS mode and will not have a non-approved mode of operation as long as you follow the configuration and installation procedures (not yet written).

 

Disclaimer: I am not employed by an accredited lab.