mirror of
https://github.com/openssl/openssl.git
synced 2024-12-27 06:21:43 +08:00
148 lines
3.8 KiB
Plaintext
148 lines
3.8 KiB
Plaintext
|
=pod
|
||
|
|
||
|
=head1 NAME
|
||
|
|
||
|
openssl-fipsinstall - perform FIPS configuration installation
|
||
|
|
||
|
=head1 SYNOPSIS
|
||
|
|
||
|
B<openssl fipsinstall>
|
||
|
[B<-help>]
|
||
|
[B<-in configfilename>]
|
||
|
[B<-out configfilename>]
|
||
|
[B<-module modulefilename>]
|
||
|
[B<-provider_name providername>]
|
||
|
[B<-section_name sectionname>]
|
||
|
[B<-verify>]
|
||
|
[B<-mac_name macname>]
|
||
|
[B<-macopt>]
|
||
|
|
||
|
B<openssl> I<fipsinstall> [B<...>]
|
||
|
|
||
|
=head1 DESCRIPTION
|
||
|
|
||
|
This utility is used to generate a FIPS module configuration file.
|
||
|
The generated configuration file consists of:
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item - A mac of the FIPS module file.
|
||
|
|
||
|
=item - A status indicator that indicates if the known answer Self Tests (KAT's)
|
||
|
have successfully run.
|
||
|
|
||
|
=back
|
||
|
|
||
|
This configuration file can be used each time a FIPS module is loaded
|
||
|
in order to pass data to the FIPS modules self tests. The FIPS module always
|
||
|
verifies the modules MAC, but only needs to run the KATS once during install.
|
||
|
|
||
|
=head1 OPTIONS
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item B<-help>
|
||
|
|
||
|
Print a usage message.
|
||
|
|
||
|
=item B<-module filename>
|
||
|
|
||
|
Filename of a fips module to perform an integrity check on.
|
||
|
|
||
|
=item B<-out configfilename>
|
||
|
|
||
|
Filename to output the configuration data to, or standard output by default.
|
||
|
|
||
|
=item B<-in configfilename>
|
||
|
|
||
|
Input filename to load configuration data from. Used with the '-verify' option.
|
||
|
Standard input is used if the filename is '-'.
|
||
|
|
||
|
=item B<-verify>
|
||
|
|
||
|
Verify that the input configuration file contains the correct information
|
||
|
|
||
|
=item B<-provider_name providername>
|
||
|
|
||
|
Name of the provider inside the configuration file.
|
||
|
|
||
|
=item B<-section_name sectionname>
|
||
|
|
||
|
Name of the section inside the configuration file.
|
||
|
|
||
|
=item B<-mac_name name>
|
||
|
|
||
|
Specifies the name of a supported MAC algorithm which will be used.
|
||
|
To see the list of supported MAC's use the command I<list -mac-algorithms>.
|
||
|
The default is "HMAC".
|
||
|
|
||
|
=item B<-macopt nm:v>
|
||
|
|
||
|
Passes options to the MAC algorithm.
|
||
|
A comprehensive list of controls can be found in the EVP_MAC implementation
|
||
|
documentation.
|
||
|
Common control strings used for fipsinstall are:
|
||
|
|
||
|
=over 4
|
||
|
|
||
|
=item B<key:string>
|
||
|
|
||
|
Specifies the MAC key as an alphanumeric string (use if the key contains
|
||
|
printable characters only).
|
||
|
The string length must conform to any restrictions of the MAC algorithm.
|
||
|
A key must be specified for every MAC algorithm.
|
||
|
|
||
|
=item B<hexkey:string>
|
||
|
|
||
|
Specifies the MAC key in hexadecimal form (two hex digits per byte).
|
||
|
The key length must conform to any restrictions of the MAC algorithm.
|
||
|
A key must be specified for every MAC algorithm.
|
||
|
|
||
|
=item B<digest:string>
|
||
|
|
||
|
Used by HMAC as an alphanumeric string (use if the key contains printable
|
||
|
characters only).
|
||
|
The string length must conform to any restrictions of the MAC algorithm.
|
||
|
To see the list of supported digests, use the command I<list -digest-commands>.
|
||
|
|
||
|
=back
|
||
|
|
||
|
=back
|
||
|
|
||
|
=head1 EXAMPLES
|
||
|
|
||
|
Calculate the mac of a FIPS module 'fips.so' and run a FIPS self test
|
||
|
for the module, and save the fips.conf configuration file:
|
||
|
|
||
|
openssl fipsinstall -module ./fips.so -out fips.conf -provider_name fips \
|
||
|
-section_name fipsinstall -mac_name HMAC -macopt digest:SHA256 \
|
||
|
-macopt hexkey:000102030405060708090A0B0C0D0E0F10111213
|
||
|
|
||
|
Verify that the configuration file 'fips.conf' contains the correct info:
|
||
|
|
||
|
openssl fipsinstall -module ./fips.so -in fips.conf -provider_name fips \
|
||
|
-section_name fips_install -mac_name HMAC -macopt digest:SHA256 \
|
||
|
-macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 -verify
|
||
|
|
||
|
=head1 NOTES
|
||
|
|
||
|
The MAC mechanisms that are available will depend on the options
|
||
|
used when building OpenSSL.
|
||
|
The B<list -mac-algorithms> command can be used to list them.
|
||
|
|
||
|
=head1 SEE ALSO
|
||
|
|
||
|
L<fips_config(5)>,
|
||
|
L<EVP_MAC(3)>
|
||
|
|
||
|
=head1 COPYRIGHT
|
||
|
|
||
|
Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
|
||
|
|
||
|
Licensed under the OpenSSL license (the "License"). You may not use
|
||
|
this file except in compliance with the License. You can obtain a copy
|
||
|
in the file LICENSE in the source distribution or at
|
||
|
L<https://www.openssl.org/source/license.html>.
|
||
|
|
||
|
=cut
|