14 [B<-module> I<modulefilename>]
60 This command is used to generate a FIPS module configuration file.
61 This configuration file can be used each time a FIPS module is loaded
62 in order to pass data to the FIPS module self tests. The FIPS module always
70 =item - A MAC of the FIPS module file.
80 By default if a continuous test (e.g a key pair test) fails then the FIPS module
83 The default value of '1' will cause the fips module error state to be entered.
84 If the value is '0' then the module error state will not be entered.
87 the operation if the module error state is not entered.
109 =item B<-module> I<filename>
111 Filename of the FIPS module to perform an integrity check on.
112 The path provided in the filename is used to load the module when it is
189 Configure the module so that it is strictly FIPS compliant rather
197 Configure the module to not enter an error state if a conditional self test
202 Configure the module to not perform run-time security checks as described above.
209 Configure the module to enable a run-time Extended Master Secret (EMS) check
215 Configure the module to not allow short MAC outputs.
220 Configure the module to not allow small keys sizes when using HMAC.
225 Configure the module to not allow small keys sizes when using KMAC.
230 Configure the module to not allow truncated digests to be used with Hash and
235 Configure the module to enforce signature algorithms to use digests that are
240 Configure the module to enable a run-time digest check when deriving a key by
246 Configure the module to enable a run-time digest check when deriving a key by
252 Configure the module to enable a run-time digest check when deriving a key by
258 Configure the module to enable a run-time digest check when deriving a key by
264 Configure the module to enable a run-time digest check when deriving a key by
270 Configure the module to enable a run-time digest check when deriving a key by
276 Configure the module to not allow DSA signing (DSA signature verification is
281 Configure the module to not allow Triple-DES encryption.
287 Configure the module to not allow PKCS#1 version 1.5 padding to be used with
293 Configure the module to enable a run-time salt length check when generating or
299 Configure the module to not allow X9.31 padding to be used when signing with
304 Configure the module to enable a run-time short key-derivation key check when
310 Configure the module to enable a run-time short key-derivation key check when
316 Configure the module to enable a run-time short key-derivation key check when
322 Configure the module to enable a run-time short key-derivation key check when
328 Configure the module to enable a run-time short key-derivation key check when
334 Configure the module to enable a run-time short key-derivation key check when
340 Configure the module to enable a run-time short key-derivation key check when
346 Configure the module to enable a run-time short key-derivation key check when
352 Configure the module to not perform run-time lower bound check for PBKDF2.
357 Configure the module to enable a run-time check that ECDH uses the EC curves
365 the self tests KATS will run each time the module is loaded. This option could be
410 If the base configuration file is set up to autoload the fips module, then the
411 fips module will be loaded and self tested BEFORE the fipsinstall application
424 Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
425 for the module, and save the F<fips.cnf> configuration file:
427  openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips
431  openssl fipsinstall -module ./fips.so -in fips.cnf  -provider_name fips -verify
435  openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \
438 Validate that the fips module can be loaded from a base configuration file:

Last Index update Mon Nov 25 14:07:27 UTC 2024

Dedicated to & Maintained by Room-11