Page MenuHome GnuPG

FIPS 140-3 final review comments
Closed, ResolvedPublic


We got feedback from the lab with the following findings:

  • for RSA-OAEP to get claimed, we need to run selftest for that during initialization
  • The PCT (Pairwise Consistency Tests) for RSA and ECDSA need to be executed together with the digest step using the new API
    • RSA is easy
    • ECDSA has more complext construction of the key s-expressions -- not done yet.
  • We need a one more FIPS service indicator to mark the functions gcry_sign and gcry_verify not FIPS approved as we do not want to block them hard
  • We might not need to test both decryption & signature in the PCT, but we still wait for confirmation

The current WIP implementation is attached in gitlab MR, early comments welcomed, but it is not yet final

Event Timeline

For the record, the changeset in the attached merge request is final and waiting for reviews.

werner triaged this task as Normal priority.Aug 24 2022, 6:27 PM

Applied to master and 1.10 branch.

gniibe added a project: Restricted Project.
werner changed the task status from Open to Testing.Sep 22 2022, 10:50 AM
werner removed a project: Restricted Project.