Very good point, I agree. The advantage of the shared object is I don't
need to sign the entire application again (fipsld).

My understanding is that native methods are always collected in a shared
library. The shared library containing the FIPS module is the only one that
needs to be fingerprinted. So why are you referring to "entire application"?

I wrote a very simple JNI wrapper for the FIPS_mode_set function that can be
called anywhere within the application.

    #include <openssl/crypto.h>
    #include <jni.h>
    #include <jni_log.h>
    #include <string.h>

    void Java_com_mycompany_util_setFipsModeEnabled(JNIEnv* env, jobject javaThis,
                                                    jboolean isEnabled) {
        LOGD("in set Fips enabled");
        if (isEnabled) {
            if(FIPS_mode_set(1)) {

And then what? How does your application call OpenSSL functions [that
invoke the FIPS module]? Or do you count on the shared libcrypto that you
load overriding the system libcrypto.so? It's possible, but it's an
error-prone solution...
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List
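
The reply above worries that the process may end up bound to the system libcrypto.so instead of the fingerprinted one the application loads. As an added example (not code from either poster or from the OpenSSL project), this C helper reports which file a function address is mapped from on Linux/Android; inside the JNI wrapper one would pass the address of FIPS_mode_set, and the expected path suffix used here is a hypothetical placeholder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Find the file backing the memory mapping that contains `addr` by scanning
 * /proc/self/maps. Writes the path to `out`.
 * Returns 0 on success, -1 if no file-backed mapping contains the address. */
int mapping_of_address(const void *addr, char *out, size_t outlen)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[4352], path[4096];
    unsigned long start, end;
    int found = -1;

    if (maps == NULL)
        return -1;
    while (found != 0 && outlen > 0 && fgets(line, sizeof line, maps) != NULL) {
        path[0] = '\0';
        /* Line format: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %*s %*s %*s %*s %4095[^\n]", &start, &end, path) < 2)
            continue;
        if ((uintptr_t)addr >= start && (uintptr_t)addr < end && path[0] == '/') {
            snprintf(out, outlen, "%s", path);
            found = 0;
        }
    }
    fclose(maps);
    return found;
}

/* 1 if `addr` is mapped from a file whose path ends with `suffix`, else 0. */
int address_comes_from(const void *addr, const char *suffix)
{
    char path[4096];
    size_t plen, slen = strlen(suffix);

    if (mapping_of_address(addr, path, sizeof path) != 0)
        return 0;
    plen = strlen(path);
    return plen >= slen && strcmp(path + plen - slen, suffix) == 0;
}

int main(void)
{
    char path[4096];
    /* Stand-in for (const void *)FIPS_mode_set so this builds without OpenSSL. */
    const void *fn = (const void *)(uintptr_t)&address_comes_from;

    if (mapping_of_address(fn, path, sizeof path) == 0)
        printf("code is mapped from %s\n", path);
    /* Hypothetical suffix of the application's own FIPS-capable library. */
    printf("expected library: %s\n", address_comes_from(fn, "/lib/libcrypto.so") ? "yes" : "NO");
    return 0;
}
```

Logging the resolved path right after the FIPS_mode_set call makes a silent fallback to the system library visible.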