Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for running pkcs11 provider in FIPS Mode #498

Merged
merged 6 commits into from
Jan 15, 2025
Merged

Add support for running pkcs11 provider in FIPS Mode #498

merged 6 commits into from
Jan 15, 2025

Conversation

Jakuje
Copy link
Contributor

@Jakuje Jakuje commented Jan 15, 2025

Description

When OpenSSL runs in FIPS Mode, it will not use any providers
that do not provide a property fips=yes, rendering the pkcs11
provider unusable in FIPS Mode. This is a regression and for
many users that need to have smart cards working in FIPS Mode.

Unfortunately, proper signalization from pkcs11 modules regarding
the tokens FIPS certification status is not standardized yet,
this will be left up to the user to decide if the pkcs11 modules
talk to FIPS certified token or not.

This involves adjusting the algorithm lists to contain dynamic
properties based on this configuration option, where we previously
had hardcoded just provider=pkcs11.

Fixes: #469

Checklist

  • Code modified for feature
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated

Reviewer's checklist:

  • Any issues marked for closing are addressed
  • There is a test suite reasonably covering new functionality or modifications
  • This feature/change has adequate documentation added
  • Code conform to coding style that today cannot yet be enforced via the check style test
  • Commits have short titles and sensible commit messages
  • Coverity Scan has run if needed (code PR) and no new defects were found

@Jakuje
provider: Add new configuration option assume_fips
02d6cba 
When OpenSSL runs in FIPS Mode, it will not use any providers
that do not provide a property fips=yes, rendering the pkcs11
provider unusable in FIPS Mode. This is a regression and for
many users that need to have smart cards working in FIPS Mode.

Unfortunately, proper signalization from pkcs11 modules regarding
the tokens FIPS certification status is not standardized yet,
this will be left up to the user to decide if the pkcs11 modules
talk to FIPS certified token or not.

This involves adjusting the algorithm lists to contain dynamic
properties based on this configuration option, where we previously
had hardcoded just provider=pkcs11.

Fixes: latchset#469, latchset#164

Signed-off-by: Jakub Jelen <[email protected]>
@Jakuje Jakuje force-pushed the fips branch 2 times, most recently from 38c7334 to 29e0bab Compare January 15, 2025 15:37
@Jakuje Jakuje requested a review from simo5 January 15, 2025 15:46
simo5
simo5 approved these changes Jan 15, 2025
View reviewed changes
Copy link
Member

@simo5 simo5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Excellent, I do not see anything bad in here!

@simo5 simo5 merged commit 5dec656 into latchset:main Jan 15, 2025
41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simo5 simo5 simo5 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

pcks11-provider doesn't work when FIPS mode is enabled
2 participants
@Jakuje @simo5