diff options
| author | NIIBE Yutaka <gniibe@fsij.org> | 2023-03-24 13:12:56 +0900 |
|---|---|---|
| committer | NIIBE Yutaka <gniibe@fsij.org> | 2023-03-24 13:12:56 +0900 |
| commit | 1c916b8c99ea0e30f1d81d606fd63b0c45657186 (patch) | |
| tree | ba0be58906c74290c1f5952c1305276cfe74c175 /doc/gcrypt.texi | |
| parent | 0af15f1fa0ca277fba17b365519f710b41a5b78f (diff) | |
| download | libgcrypt-1c916b8c99ea0e30f1d81d606fd63b0c45657186.tar.gz | |
fips: More elaborate way of getting FIPS pk flags indicators.
* src/fips.c (_gcry_fips_indicator_pk_flags): List more allowed string
in the S-expression.
* doc/gcrypt.texi: Add document for the FIPS service indicator
GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS with example.
--
GnuPG-bug-id: 6417
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Diffstat (limited to 'doc/gcrypt.texi')
| -rw-r--r-- | doc/gcrypt.texi | 42 |
1 files changed, 39 insertions, 3 deletions
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index 750b6718..752f64d6 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi @@ -1007,9 +1007,45 @@ FIPS 140-3 certification. If the algorithm is approved, this function returns @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char * -Check if the given public key operation flag is approved under the current -FIPS 140-3 certification. If the flag is approved, this function returns -@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. +Check if the given public key operation flag or s-expression object name is +approved under the current FIPS 140-3 certification. If the flag is +approved, this function returns @code{GPG_ERR_NO_ERROR}. + +Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. + +For compound s-expression objects, if the object name is allowed, the user +is responsible to check also the internal members. For example: + +@example + gcry_sexp_t s_sig = NULL; + gcry_md_hd_t hd = NULL; + gcry_sexp_t s_sk = NULL; + const char *data_tmpl = "(data(flags pss)(hash %s %b)(salt-length 1:0))"; + + if (err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION, "gcry_md_open") && + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_MD, GCRY_MD_SHA512) && + err = gcry_md_open (&hd, GCRY_MD_SHA512, 0)) + @{ + printf ("gcry_md_open failed: %s", gpg_strerror (err)); + return; + @} + gcry_md_write (hd, buffer, buflen); + + /* initialize the key in s_sk */ + + if (err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION, "gcry_pk_hash_sign") && + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "data") && + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "flags") && + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "pss") && + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "hash") && + err = gcry_control(GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS, "salt-length") + err = gcry_pk_hash_sign (&s_sig, data_tmpl, s_sk, hd, NULL)) + @{ + printf ("gcry_pk_hash_sign failed: %s", gpg_strerror (err)); + return; + @} + /* ok */ +@end example @end table |