OPENSSL-FIPSINSTALL(1)		    OpenSSL		OPENSSL-FIPSINSTALL(1)

NAME
       openssl-fipsinstall - perform FIPS configuration	installation

SYNOPSIS
       openssl fipsinstall [-help] [-in	configfilename]	[-out configfilename]
       [-module	modulefilename]	[-provider_name	providername] [-section_name
       sectionname] [-verify] [-mac_name macname] [-macopt nm:v] [-noout]
       [-quiet]	[-corrupt_desc selftest_description] [-corrupt_type
       selftest_type] [-config parent_config]

DESCRIPTION
       This command is used to generate a FIPS module configuration file.
       This configuration file can be used each time a FIPS module is loaded
       in order to pass data to the FIPS module self tests. The FIPS module
       always verifies its MAC, but only needs to run the KATs once, at
       installation.

       The generated configuration file	consists of:

       - A MAC of the FIPS module file.

       - A test status indicator.
           This indicates if the Known Answer Self Tests (KATs) have
           successfully run.

       - A MAC of the status indicator.

       This file is described in fips_config(5).
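
       An independent check of the first item, the MAC of the module file,
       as an added example that is not part of the OpenSSL manual or the
       OpenSSL code. It assumes the MAC is stored as colon-separated hex
       under a module-mac key in the named section (the layout is documented
       in fips_config(5), not on this page) and uses the HMAC key and SHA-256
       digest from the EXAMPLES section; the module bytes are constructed.

```python
import hmac
import os
import re
import tempfile

HEXKEY = "000102030405060708090A0B0C0D0E0F10111213"  # key used in EXAMPLES on this page

def module_mac(module_path, hexkey=HEXKEY, digest="sha256"):
    """HMAC over the whole module file, read in chunks."""
    mac = hmac.new(bytes.fromhex(hexkey), digestmod=digest)
    with open(module_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.digest()

def recorded_mac(config_text, section="fips_sect", key="module-mac"):
    """Bytes stored under `key` in [section]; None if absent (layout is assumed)."""
    current = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == key:
                return bytes.fromhex(value.replace(":", ""))
    return None

def module_matches_config(module_path, config_text, section="fips_sect"):
    """True only if the section records a MAC equal to the one recomputed now."""
    stored = recorded_mac(config_text, section)
    return stored is not None and hmac.compare_digest(stored, module_mac(module_path))

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "fips.so")  # constructed stand-in, not a real provider
        with open(path, "wb") as fh:
            fh.write(b"\x7fELF constructed module bytes")
        cnf = "[fipsinstall]\nmodule-mac = %s\n" % module_mac(path).hex(":").upper()
        before = module_matches_config(path, cnf, "fipsinstall")
        with open(path, "r+b") as fh:
            fh.write(b"\x00")  # simulate a modified module file
        after = module_matches_config(path, cnf, "fipsinstall")
        wrong_section = module_matches_config(path, cnf, "fips_install")
    return before, after, wrong_section

if __name__ == "__main__":
    print(demo())
```

       A changed module file and a mismatched section name both make the
       check fail, the second because no MAC is found in that section.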

OPTIONS
       -help
	   Print a usage message.

       -module filename
	   Filename of the FIPS	module to perform an integrity check on.

       -out configfilename
	   Filename to output the configuration	data to; the default is
	   standard output.

       -in configfilename
	   Input filename to load configuration	data from. Used	with the
	   -verify option.  Standard input is used if the filename is "-".

       -verify
	   Verify that the input configuration file contains the correct
	   information.

       -provider_name providername
	   Name	of the provider	inside the configuration file.	The default
	   value is "fips".

       -section_name sectionname
	   Name	of the section inside the configuration	file.  The default
	   value is "fips_sect".

       -mac_name name
	   Specifies the name of a supported MAC algorithm which will be used.
	   The MAC mechanisms that are available will depend on	the options
	   used when building OpenSSL.  To see the list of supported MACs use
	   the command "openssl	list -mac-algorithms".	The default is HMAC.

       -macopt nm:v
	   Passes options to the MAC algorithm.	 A comprehensive list of
	   controls can	be found in the	EVP_MAC	implementation documentation.
	   Common control strings used for this	command	are:

	   key:string
	       Specifies the MAC key as	an alphanumeric	string (use if the key
	       contains	printable characters only).  The string	length must
	       conform to any restrictions of the MAC algorithm.  A key	must
	       be specified for	every MAC algorithm.  If no key	is provided,
	       the default that	was specified when OpenSSL was configured is
	       used.

	   hexkey:string
	       Specifies the MAC key in	hexadecimal form (two hex digits per
	       byte).  The key length must conform to any restrictions of the
	       MAC algorithm.  A key must be specified for every MAC
	       algorithm.  If no key is	provided, the default that was
	       specified when OpenSSL was configured is	used.

	   digest:string
	       Used by HMAC as an alphanumeric string (use if the key contains
	       printable characters only).  The	string length must conform to
	       any restrictions	of the MAC algorithm.  To see the list of
	       supported digests, use the command "openssl list
	       -digest-commands".  The default digest is SHA-256.

       -noout
	   Disable logging of the self tests.

       -quiet
	   Do not output pass/fail messages. Implies -noout.

       -corrupt_desc selftest_description, -corrupt_type selftest_type
	   The corrupt options can be used to test failure of one or more self
	   tests by name.  Either option or both may be	used to	select the
	   tests to corrupt.  Refer to the entries for st-desc and st-type in
	   OSSL_PROVIDER-FIPS(7) for values that can be	used.

       -config parent_config
	   Test	that a FIPS provider can be loaded from	the specified
	   configuration file.	A previous call	to this	application needs to
	   generate the	extra configuration data that is included by the base
	   "parent_config" configuration file.	See config(5) for further
	   information on how to set up	a provider section.  All other options
	   are ignored if '-config' is used.

EXAMPLES
       Calculate the MAC of a FIPS module fips.so and run a FIPS self test for
       the module, and save the	fips.cnf configuration file:

	openssl	fipsinstall -module ./fips.so -out fips.cnf -provider_name fips	\
		-section_name fipsinstall -mac_name HMAC -macopt digest:SHA256 \
		-macopt	hexkey:000102030405060708090A0B0C0D0E0F10111213

       Verify that the configuration file fips.cnf contains the	correct	info:

	openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips \
		-section_name fipsinstall -mac_name HMAC -macopt digest:SHA256 \
		-macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 -verify

       Corrupt any self	tests which have the description "SHA1":

	openssl	fipsinstall -module ./fips.so -out fips.cnf -provider_name fips	\
		-section_name fipsinstall -mac_name HMAC -macopt digest:SHA256 \
		-macopt	hexkey:000102030405060708090A0B0C0D0E0F10111213	\
		-corrupt_desc 'SHA1'

       Validate that the FIPS module can be loaded from a base configuration
       file:

	export OPENSSL_CONF_INCLUDE=<path of configuration files>
	export OPENSSL_MODULES=<provider_path>
	openssl fipsinstall -config 'default.cnf'

SEE ALSO
       config(5), fips_config(5), OSSL_PROVIDER-FIPS(7), EVP_MAC(3)

COPYRIGHT
       Copyright 2019-2020 The OpenSSL Project Authors.	All Rights Reserved.

       Licensed	under the Apache License 2.0 (the "License").  You may not use
       this file except	in compliance with the License.	 You can obtain	a copy
       in the file LICENSE in the source distribution or at
       <https://www.openssl.org/source/license.html>.

3.0.0-alpha6			  2020-08-11		OPENSSL-FIPSINSTALL(1)
