On 05/12/2015 10:44 AM, Paul Wouters wrote:
> On Tue, 12 May 2015, Robert Relyea wrote:
>>> So, in FIPS mode, in a standalone test program, what is the correct way to turn g^ir into PK11SymKey.
>>>
>>> PK11SymKey *sym_key = PK11_ImportSymKey(slot, CKM_DH_PKCS_DERIVE, PK11_OriginUnwrap, CKA_ENCRYPT, &key_item, NULL);
>>>
>>> which is of course not valid in FIPS mode.
>>
>> This should be fine for CAVs testing, as long as it is running the same code as it would run if it's in FIPS mode (which it will).
>
> I'm not sure you understood. We have two problems. If we want to run CAVS testing on building packages, and the builder machine runs in FIPS, we have a problem. We would like to run these CAVS tests on daemon startup, even in FIPS mode.

So you are talking about FIPS Power on self tests/ Known answer tests? You can do that as follows:
1) derive your test known answer key.
2) use the known answer key to encrypt some known data.
3) compare the encrypted data with the known encrypted answer.

You can't access the generated key in FIPS mode because that violates the softoken FIPS boundary.
For your actual CAVS testing, you actually need the real key data. In that case you have to work within the FIPS boundary. (Of course this all goes away when we push the IKE derive function into softoken itself and have softoken run the CAVS and POST, freeing libreswan from needing a separate validation.)
bob
Paul
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
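
The three steps in the reply above as a minimal model, added here as an example and not code from the thread, NSS or libreswan. `OpaqueKey` is a hypothetical stand-in for a non-extractable key handle, HMAC-SHA256 stands in for both the derive step and the keyed operation (the thread's step 2 encrypts), and all vector values are constructed; how the base secret enters the boundary is not modelled.

```python
import hashlib
import hmac

# Constructed test vector inputs (not from any standard or from the thread).
KAT_SECRET = bytes(range(32))          # stands in for the shared secret g^ir
KAT_SEED = b"constructed-nonce-seed"
KAT_DATA = b"known plaintext for the self test"


class OpaqueKey:
    """Hypothetical model of a non-extractable key handle: usable for keyed
    operations, but with no accessor that returns its bytes."""

    def __init__(self, raw: bytes):
        self.__raw = raw               # name-mangled; no getter on purpose

    def derive(self, seed: bytes) -> "OpaqueKey":
        return OpaqueKey(hmac.new(self.__raw, seed, hashlib.sha256).digest())

    def keyed_op(self, data: bytes) -> bytes:
        return hmac.new(self.__raw, data, hashlib.sha256).digest()


def reference_answer(secret: bytes, seed: bytes, data: bytes) -> bytes:
    """Expected output computed outside the boundary from raw bytes.
    A real self-test ships this as a fixed constant produced offline."""
    derived = hmac.new(secret, seed, hashlib.sha256).digest()
    return hmac.new(derived, data, hashlib.sha256).digest()


KAT_ANSWER = reference_answer(KAT_SECRET, KAT_SEED, KAT_DATA)


def good_derive(base: OpaqueKey, seed: bytes) -> OpaqueKey:
    return base.derive(seed)


def broken_derive(base: OpaqueKey, seed: bytes) -> OpaqueKey:
    # Constructed fault: the derivation drops the last byte of the seed.
    return base.derive(seed[:-1])


def known_answer_test(derive) -> bool:
    base = OpaqueKey(KAT_SECRET)
    key = derive(base, KAT_SEED)                 # 1) derive the test key
    out = key.keyed_op(KAT_DATA)                 # 2) use it on known data
    return hmac.compare_digest(out, KAT_ANSWER)  # 3) compare with known answer
```

The test never reads the derived key; a faulty derivation shows up only as a mismatch in the output of the keyed operation.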