On 01/30/2014 04:00 AM, Leon Brits wrote: > Hi all, > > I've used the FIPS Object Module v2.0.2 in a product which need to be > FIPS 140-2 certified. One of the steps in this process is to certify > the module algorithms on our platform since it is not one of the > platforms which are covered by certificate #1747. I have all these > questionnaires from the certification lab about the algorithms and > some of the answers I simply do not know. E.g. for RSAPSS they want > to know what the salt length is. As far as I know this is dynamically > determined based on the modulus size and digest (correct?). Anyway, I > do not know what value to fill in as an answer. So is it possible to > get access to these "algorithm" documents which OpenSSL also had to > complete for their certification?
I'm going to answer your question with what you think you want, but I want to first caution you that what you really need isn't what you think you want. You are trying to take the OpenSSL FIPS Object Module source code and obtain your own "private label" validation (that's fine BTW, one of the intended uses of the open source based validations). But, the fact that your test lab is asking you those questions means that they aren't familiar with the OpenSSL FIPS Object Module, and neither you nor they are familiar enough with the code to figure it out. So that effort is going to be more difficult than usual for a private label validation, and you're going to be paying for that effort (one way or the other). It is true that a FIPS 140-2 validation entails a lot of arm waving, but some understanding of the actual code and algorithm implementations is still necessary. That said, what you think you want to know is this: the CAVS algorithm test forms used for the #1747 validation are at: http://opensslfoundation.com/testing/validation-2.0/forms/ The test vectors and use thereof are documented in the FIPS module User Guide: https://www.openssl.org/docs/fips/UserGuide-2.0.pdf and many of the actual test vector data sets used for the #1747 testing (and for *other* validations) can be found at: http://opensslfoundation.com/testing/validation-2.0/testvectors/ You'll want one specific to the #1747 code base, so for instance: http://opensslfoundation.com/testing/validation-2.0/testvectors/OE46.results.tar.gz You will find rather quickly that factors like SP800-131A, the deprecation of Dual EC DRBG, and the I.G. 9.10 issue (http://opensslfoundation.com/fips/ig95.html) mean that you can't use these test vector formats and the OpenSSL FIPS Object Module 2.0,2.0.1,...,2.0.5 code as-is. So don't say I didn't warn you :-) -Steve M. -- Steve Marquess OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct [email protected] [email protected] gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
