On 01/30/2014 07:37 AM, Leon Brits wrote:
> Steve,
>
> Thanks for the information.
>
> About your last paragraph, I have to ask: The requirements for this
> product only use a subset of the algorithms provided by the FIPS
> Object Module and the DualEC DRBG and RSA1024 etc. are not supported
> via our API. So SP800-131A does not affect me. My assumption is that
> because of this we do not have to test them even though they are
> present in the FIPS Object Module. True?

So apparently you're substantially hacking the OpenSSL FIPS Object Module code. You won't need to test an algorithm that is completely absent (entirely absent, not just disabled), of course, but keep in mind that apparently common sense software engineering assumptions may not apply. So I can't really help you there; that's something you'll need to carefully review with your test lab. You can't obtain a validation without the participation of an accredited test lab, so your first step is to pick one.

There can be multiple "correct" answers to questions like this, in the sense that you can take the same code to different test labs (as we have done multiple times) and end up with very different answers and approaches to various requirements.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org