We got feedback from the lab with the following findings:
- for RSA-OAEP to get claimed, we need to run selftest for that during initialization
- The PCT (Pairwise Consistency Tests) for RSA and ECDSA need to be executed together with the digest step using the new API
- RSA is easy
- ECDSA has more complext construction of the key s-expressions -- not done yet.
- We need a one more FIPS service indicator to mark the functions gcry_sign and gcry_verify not FIPS approved as we do not want to block them hard
- We might not need to test both decryption & signature in the PCT, but we still wait for confirmation
The current WIP implementation is attached in gitlab MR, early comments welcomed, but it is not yet final