Provider FIPS property management #164

Open
beldmit opened this issue Jan 5, 2023 · 0 comments
Labels
enhancement New feature or request

Comments

@beldmit (Collaborator) commented Jan 5, 2023

Describe the feature
PKCS11 provider may provide the same algorithms with or without FIPS property. It depends on the underlying token certification status. Algorithm properties should be manageable via config.

Expected behavior

  • Minimal requirement: if we have something like "fips=1" in the configuration section, all the algorithms provided by the provider should have the "fips=yes" property.
  • Real-life requirement: support of syntax like "fips-capable = alg1, alg2" allows specifying which algorithms provided by the driver have the "fips=yes" property.
@beldmit beldmit added the enhancement New feature or request label Jan 5, 2023
Jakuje added a commit to Jakuje/pkcs11-provider that referenced this issue Jan 15, 2025
When OpenSSL runs in FIPS Mode, it will not use any providers
that do not provide a property fips=yes, rendering the pkcs11
provider unusable in FIPS Mode. This is a regression for
many users who need to have smart cards working in FIPS Mode.

Unfortunately, proper signalization from pkcs11 modules regarding
the token's FIPS certification status is not standardized yet,
so this will be left up to the user to decide whether the pkcs11 modules
talk to a FIPS certified token or not.

This involves adjusting the algorithm lists to contain dynamic
properties based on this configuration option, where we previously
had hardcoded just provider=pkcs11.

Fixes: latchset#469, latchset#164

Signed-off-by: Jakub Jelen <[email protected]>
simo5 pushed a commit that referenced this issue Jan 15, 2025
When OpenSSL runs in FIPS Mode, it will not use any providers
that do not provide a property fips=yes, rendering the pkcs11
provider unusable in FIPS Mode. This is a regression for
many users who need to have smart cards working in FIPS Mode.

Unfortunately, proper signalization from pkcs11 modules regarding
the token's FIPS certification status is not standardized yet,
so this will be left up to the user to decide whether the pkcs11 modules
talk to a FIPS certified token or not.

This involves adjusting the algorithm lists to contain dynamic
properties based on this configuration option, where we previously
had hardcoded just provider=pkcs11.

Fixes: #469, #164

Signed-off-by: Jakub Jelen <[email protected]>
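The config-driven property assignment the issue asks for ("fips=1" for everything, or a "fips-capable = alg1, alg2" list) and the commit message describes (a per-algorithm property string instead of a hardcoded provider=pkcs11), as an added standalone example that is not pkcs11-provider's own code. It assumes a config section with keys `fips` and `fips-capable` in the syntax sketched in the issue, matches the algorithm's primary name (the part before the first `:`) against that list case-insensitively, and uses a local struct in place of OpenSSL's OSSL_ALGORITHM table rather than the real provider API; the sample config and algorithm names are constructed. The security-relevant point is the default: an algorithm not named in the list gets no fips=yes and is therefore excluded under a FIPS-mode property query, so a misconfiguration fails closed.

```c
/* Added example (not pkcs11-provider code): derive per-algorithm OpenSSL
 * property strings from a "fips" / "fips-capable" config section. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_CAPABLE 16
#define NAME_LEN 32
#define PROP_LEN 64

typedef struct {
    int fips_all;                       /* "fips = 1": every algorithm is fips=yes */
    int ncapable;                       /* entries in capable[] */
    char capable[MAX_CAPABLE][NAME_LEN]; /* "fips-capable = a, b": only these */
} fips_config;

/* Copy s[0..n) into dst with surrounding blanks removed, NUL-terminated. */
static void copy_trimmed(char *dst, size_t dstlen, const char *s, size_t n)
{
    while (n > 0 && isspace((unsigned char)s[0])) { s++; n--; }
    while (n > 0 && isspace((unsigned char)s[n - 1])) n--;
    if (n >= dstlen) n = dstlen - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
}

/* Case-insensitive string equality (algorithm names are not case-sensitive). */
static int ci_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Parse "key = value" lines; unknown keys are ignored. Returns the number of
 * recognised keys, so a caller can detect a section that set nothing. */
int parse_fips_config(const char *text, fips_config *cfg)
{
    int recognised = 0;
    const char *line = text;
    memset(cfg, 0, sizeof(*cfg));
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *eq = memchr(line, '=', len);
        if (eq) {
            char key[NAME_LEN], val[256];
            copy_trimmed(key, sizeof key, line, (size_t)(eq - line));
            copy_trimmed(val, sizeof val, eq + 1, len - (size_t)(eq + 1 - line));
            if (ci_equal(key, "fips")) {
                cfg->fips_all = (strcmp(val, "1") == 0 || ci_equal(val, "yes"));
                recognised++;
            } else if (ci_equal(key, "fips-capable")) {
                char *tok = strtok(val, ",");
                while (tok && cfg->ncapable < MAX_CAPABLE) {
                    copy_trimmed(cfg->capable[cfg->ncapable], NAME_LEN, tok, strlen(tok));
                    if (cfg->capable[cfg->ncapable][0]) cfg->ncapable++;
                    tok = strtok(NULL, ",");
                }
                recognised++;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return recognised;
}

/* 1 if the algorithm (primary name before ':') should carry fips=yes.
 * Default is 0: anything not explicitly listed stays non-FIPS. */
int alg_is_fips(const fips_config *cfg, const char *alg_names)
{
    char primary[NAME_LEN];
    const char *colon = strchr(alg_names, ':');
    copy_trimmed(primary, sizeof primary, alg_names,
                 colon ? (size_t)(colon - alg_names) : strlen(alg_names));
    if (cfg->fips_all) return 1;
    for (int i = 0; i < cfg->ncapable; i++)
        if (ci_equal(cfg->capable[i], primary)) return 1;
    return 0;
}

/* Build the property definition string for one algorithm table entry. */
const char *alg_properties(const fips_config *cfg, const char *alg_names,
                           char *out, size_t outlen)
{
    snprintf(out, outlen, "provider=pkcs11%s",
             alg_is_fips(cfg, alg_names) ? ",fips=yes" : "");
    return out;
}

int main(void)
{
    static const char cfg_text[] = "fips-capable = RSA, ECDSA\n"; /* constructed */
    static const char *algs[] = { "RSA:rsaEncryption", "ECDSA", "HMAC", NULL };
    fips_config cfg;
    char props[PROP_LEN];
    parse_fips_config(cfg_text, &cfg);
    for (int i = 0; algs[i]; i++)
        printf("%-20s %s\n", algs[i], alg_properties(&cfg, algs[i], props, sizeof props));
    return 0;
}
```

With the constructed config, RSA and ECDSA come out as `provider=pkcs11,fips=yes` and HMAC as plain `provider=pkcs11`; with `fips = 1` instead, every entry gets `fips=yes`, which is the minimal behaviour the issue asks for.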