Diffstat (limited to 'doc/man7/provider-signature.pod')
-rw-r--r-- | doc/man7/provider-signature.pod | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/doc/man7/provider-signature.pod b/doc/man7/provider-signature.pod index b26b8b6a5b..7763112d06 100644 --- a/doc/man7/provider-signature.pod +++ b/doc/man7/provider-signature.pod @@ -257,7 +257,7 @@ the I<routlen> parameter. =head2 Digest Sign Functions -OSSL_FUNC_signature_digeset_sign_init() initialises a context for signing given a +OSSL_FUNC_signature_digest_sign_init() initialises a context for signing given a provider side signature context in the I<ctx> parameter, and a pointer to a provider key object in the I<provkey> parameter. The I<params>, if not NULL, should be set on the context in a manner similar to 
@@ -388,6 +388,32 @@ was successful. Known answer tests can be performed if the random generator is overridden to supply known values that either pass or fail. +=item "fips-indicator" (B<OSSL_SIGNATURE_PARAM_FIPS_APPROVED_INDICATOR>) <int> + +A getter that returns 1 if the operation is FIPS approved, or 0 otherwise. +This may be used after calling either the sign or verify final functions. It may +return 0 if either the "digest-check" or the "key-check" are set to 0. +This option is used by the OpenSSL FIPS provider. + +=item "key-check" (B<OSSL_SIGNATURE_PARAM_FIPS_KEY_CHECK>) <int> + +If required this parameter should be set early via an init function +(e.g. OSSL_FUNC_signature_sign_init() or OSSL_FUNC_signature_verify_init()). +The default value of 1 causes an error during the init if the key is not FIPS +approved (e.g. The key has a security strength of less than 112 bits). +Setting this to 0 will ignore the error and set the approved "indicator" to 0. +This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if +set to 0. + +=item "digest-check" (B<OSSL_SIGNATURE_PARAM_FIPS_DIGEST_CHECK>) <int> + +If required this parameter should be set before the signature digest is set. +The default value of 1 causes an error when the digest is set if the digest is +not FIPS approved (e.g. SHA1 is used for signing). Setting this to 0 will ignore +the error and set the approved "fips-indicator" to 0. +This option is used by the OpenSSL FIPS provider, and breaks FIPS compliance if +set to 0. + =back OSSL_FUNC_signature_gettable_ctx_params() and OSSL_FUNC_signature_settable_ctx_params() get a @@ -438,6 +464,8 @@ L<provider(7)> =head1 HISTORY The provider SIGNATURE interface was introduced in OpenSSL 3.0. +The Signature Parameters "fips-indicator", "key-check" and "digest-check" +were added in OpenSSL 3.4. =head1 COPYRIGHT |
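Review bot: in the second hunk the "key-check" entry says `set the approved "indicator" to 0` while the "fips-indicator" and "digest-check" entries use the full parameter name; suggest `set the approved "fips-indicator" to 0` so the three entries cross-reference the same name. Two grammar fixes in the same hunk: `if either the "digest-check" or the "key-check" are set to 0` should read `is set to 0`, and `(e.g. The key has a security strength of less than 112 bits)` should not capitalise after "e.g.". Since the text states that setting "key-check" or "digest-check" to 0 suppresses the error rather than failing the operation, it would help callers to say explicitly that an application which disables either check must query "fips-indicator" after the sign or verify final call to learn whether the operation was FIPS approved.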
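Review bot: the HISTORY addition in the third hunk capitalises "Signature Parameters" while the preceding sentence uses lowercase ("The provider SIGNATURE interface"); "signature parameters" would match. Consider also noting there, as the parameter descriptions do, that these three parameters are used by the OpenSSL FIPS provider, so the HISTORY entry does not read as if every provider gained them in 3.4.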