Closed pvital closed 1 year ago
Engines are not used when running in FIPS mode. So this does not make much sense for the Engine. The provider has some kind of a FIPS mode, but since the provider itself is not FIPS certified, and also libica cannot be FIPS certified once a crypto adapter is used, this all does not make much sense. One should not use the IBMCA engine nor the IBMCA provider if FIPS mode is required.
Would be interesting to enable the openssl/ibmca/libica stack for openssl running in FIPS mode.
The libica has a build-time option for FIPS mode. If FIPS mode is built-in, libica will activate FIPS mode if the kernel FIPS flag is set and try to set openssl to FIPS mode. Openssl with active FIPS mode (if triggered by libica or from somewhere else) will only use algorithms that have the corresponding FIPS flags set.
As for ibmca this would require to: