Conversation
This coveres DH, EC, RSA and SLH-DSA.
paulidale
added
branch: master
|
Backport failure is expected |
github-actions
bot
added
the
severity: fips change
|
I don't have any problem with the change, but I think we should wait until the new ig is published before we move forward. I see the updated comment announcement, but the ig doc seems to have been published the.n withdrawn on the nist site |
|
Looks good. We just need to wait for the official publication of the IGs. |
|
IG document seems to have been published: Showing a publication date of September 2, 2025, so thats good. However, the note in the announcements here: which states: Doesn't seem to be reflected in the actual IG document. Additional comment 1 in the I.G for 10.3.A states: The last sentence seems to be exactly the opposite of what the announcement said was going to be in this publication. So I'm not sure where that leaves us. |
|
I don't think we've got a problem. The quoted paragraph talks about generated keys which an imported one is not, so the bit you are worried about doesn't apply. The errant sentence that included imported keys is gone and is replaced by:
It looks like NIST swapped the test on import with test before export and we're safe on that front because we test on key generation and there is no other way we can get a key apart from import. |
nhorman
left a comment
nhorman
left a comment
There was a problem hiding this comment.
ok, based on @paulidale reference of the new language in the I.G., I'm ok with this, though, just to ask the question, what about the trivial case of import-then-export - i.e. if a user runs:
openssl pkey -in public_key.pem -pubin -outform DER -out public_key.der
In that case we import a key, and then immediately export it again (I think) without a PCT in between.
nhorman
added
approval: done
|
When the key is imported, it has already been exported (and therefore tested) so there is no need to test it again. |
|
ok, that makes sense. |
t-j-h
left a comment
t-j-h
left a comment
There was a problem hiding this comment.
Thanks @paulidale for the rapid PR to address this.
|
24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually. |
nhorman
added
approval: ready to merge
This coveres DH, EC, RSA and SLH-DSA. Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Shane Lontis <[email protected]> (Merged from #28447)
Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Shane Lontis <[email protected]> (Merged from #28447)
This coveres DH, EC, RSA and SLH-DSA. Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Shane Lontis <[email protected]> (Merged from #28447) (cherry picked from commit 7f7f758)
Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Shane Lontis <[email protected]> (Merged from #28447) (cherry picked from commit c25db4f)
|
merged to master, 3.5 and 3.6, thank you! |
This coveres DH, EC, RSA and SLH-DSA. Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Shane Lontis <[email protected]> (Merged from #28447) (cherry picked from commit 7f7f758)
Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tim Hudson <[email protected]> Reviewed-by: Shane Lontis <[email protected]> (Merged from #28447) (cherry picked from commit c25db4f)
CHANGES.md: * openssl#28398 * openssl#28411 * openssl#28447 * openssl#28449 NEWS.md: * openssl#28447 Release: yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
CHANGES.md: * openssl#28398 * openssl#28411 * openssl#28447 * openssl#28449 NEWS.md: * openssl#28447 Release: yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
CHANGES.md: * openssl#28398 * openssl#28411 * openssl#28447 * openssl#28449 NEWS.md: * openssl#28447 Release: yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
CHANGES.md: * #28398 * #28411 * #28447 * #28449 NEWS.md: * #28447 Release: yes Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #28521)
CHANGES.md: * openssl#28398 * openssl#28411 * openssl#28447 * openssl#28449 NEWS.md: * openssl#28447 Release: yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
CHANGES.md: * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28447 * openssl#28449 NEWS.md: * openssl#28447 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
CHANGES.md: * openssl#28198 * openssl#28398 * openssl#28411 * openssl#28447 * openssl#28449 NEWS.md: * openssl#28447 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]>
CHANGES.md: * #28198 * #28398 * #28411 * #28447 * #28449 NEWS.md: * #28447 Release: Yes Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from #28558)
CHANGES.md: * #28398 * #28411 * #28447 * #28449 NEWS.md: * #28447 Release: yes Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Tomas Mraz <[email protected]> (Merged from #28547)
This news-worthy change has been removed in [1]. [1] openssl#28447 Signed-off-by: Eugene Syromiatnikov <[email protected]>
This news-worthy change has been removed in [1]. [1] #28447 Signed-off-by: Eugene Syromiatnikov <[email protected]> Reviewed-by: Neil Horman <[email protected]> Reviewed-by: Paul Dale <[email protected]> (Merged from #28586)
5 participants
These are no longer required by NIST as part of a FIPS 140-3 validation.
For discussion see #28326.