openssl / openssl

TLS/SSL and crypto library
https://www.openssl.org
Apache License 2.0

OpenSSL 3.0.8 - How to fallback to default provider when property fips=yes set and FIPS provider is loaded #24734

Closed Phani-Sreenivasa-Prasad closed 2 days ago

Phani-Sreenivasa-Prasad commented 3 days ago

As part of FIPS compliance for one of our projects, we are explicitly loading the FIPS provider programmatically along with the default provider (enabled by default in the conf file) and re-initializing the OpenSSL library. This is because we have a few applications which don't need to use the FIPS provider but only the default provider, hence we load both. Along with loading the FIPS provider we also set the fips=yes property using the EVP_set_default_property API.

Our goal is that all crypto should go to the FIPS provider when FIPS is enabled, and we are achieving that with fips=yes set. But at the same time, for usage of non-FIPS-compliant algorithms (e.g. PKCS12_parse won't work with the FIPS provider; this is just one example) we want those to fall back to the default provider. Of course, we are trying to define a local property string to override (provider=default / -fips option) and using EVP_XXX_fetch to explicitly load the algorithm from the "Default" provider.

But the FIPS standard will evolve and tomorrow it may stop supporting SHA-1, for example, and we would have to follow the same approach of defining a local property string. Again, it has to go through code changes everywhere SHA-1 is used to explicitly load it from Default.

Instead, is there a way we can always fall back to the default provider when it is already loaded and the FIPS provider rejects an algorithm?

  1. Basically, some priority order for lookup of algorithms across each loaded provider?
  2. Or is it possible to explicitly map specific algorithms to always load from specific providers, programmatically or in the openssl.cnf sections?