{"id":20148183,"url":"https://github.com/chainguard-dev/openssl-fips-test","last_synced_at":"2025-07-27T16:05:04.498Z","repository":{"id":188579029,"uuid":"679008046","full_name":"chainguard-dev/openssl-fips-test","owner":"chainguard-dev","description":"Test that OpenSSL is configured to be FIPS-compliant","archived":false,"fork":false,"pushed_at":"2025-04-28T19:32:00.000Z","size":41,"stargazers_count":24,"open_issues_count":1,"forks_count":8,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-28T20:34:13.008Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainguard-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-08-15T22:40:09.000Z","updated_at":"2025-04-28T19:32:04.000Z","dependencies_parsed_at":"2024-11-16T04:01:54.732Z","dependency_job_id":null,"html_url":"https://github.com/chainguard-dev/openssl-fips-test","commit_stats":null,"previous_names":["chainguard-dev/openssl-fips-test"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/chainguard-dev/openssl-fips-test","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fopenssl-fips-test","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fopenssl-fips-test/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fopenssl-fips-test/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chaingua
rd-dev%2Fopenssl-fips-test/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chainguard-dev","download_url":"https://codeload.github.com/chainguard-dev/openssl-fips-test/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fopenssl-fips-test/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267383376,"owners_count":24078567,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-27T02:00:11.917Z","response_time":82,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T22:35:02.360Z","updated_at":"2025-07-27T16:05:04.115Z","avatar_url":"https://github.com/chainguard-dev.png","language":"C","readme":"# openssl-fips-test\n\nA simple tool for validating whether or not OpenSSL is properly configured\nto use its FIPS module.\n\n## Caveats\n\nThis tool can only detect whether or not OpenSSL is properly configured:\napplications and languages must be built to make use of libcrypto in order\nfor the OpenSSL FIPS configuration to actually be useful.\n\nThis tool does not validate whether any other element in an overall\ndelivered configuration is, or is not, FIPS 140-2/140-3 compliant.  
It\nonly tests whether OpenSSL is properly configured and making use of the\nFIPS module correctly.\n\n## Usage\n\nOn Wolfi, simply install the `openssl-fips-test` package and run it.\n\nOn other systems, run `make` and `make install` as usual with whatever\nprivilege-escalation tool you normally use.  You must have the OpenSSL development\nheaders installed in order to build this tool, as well as a C compiler.\n\n## About this tool\n\nPrior to loading any providers, a callback is added to capture the output of the KAT\n(known answer test) self-tests.\n\nThe tool then loads the default OpenSSL library contexts and verifies that a FIPS\nprovider is loaded. It also checks that FIPS variants of algorithms are used by\ndefault.\n\nFinally, it retrieves FIPS module information and returns a CMVP search URL where one\nshould be able to find applicable certificates.\n\n## Example output\n\nUncertified systems will typically report this:\n\n```\nChecking OpenSSL lifecycle assurance.\n*** Running check: FIPS module is available...\n    Running check: FIPS module is available... failed.\n*** Running check: EVP_default_properties_is_fips_enabled returns true... failed.\n*** Running check: verify unapproved cryptographic routines are not available by default (e.g. MD5)... 
failed.\n```\n\nExample of systems using OpenSSL Project CMVP certificate:\n\n```\n# ./openssl-fips-test\nChecking OpenSSL lifecycle assurance.\n*** Running check: FIPS module is available...\n    HMAC : (Module_Integrity) : Pass\n    SHA1 : (KAT_Digest) : Pass\n    SHA2 : (KAT_Digest) : Pass\n    SHA3 : (KAT_Digest) : Pass\n    TDES : (KAT_Cipher) : Pass\n    AES_GCM : (KAT_Cipher) : Pass\n    AES_ECB_Decrypt : (KAT_Cipher) : Pass\n    RSA : (KAT_Signature) :     RNG : (Continuous_RNG_Test) : Pass\nPass\n    ECDSA : (PCT_Signature) : Pass\n    DSA : (PCT_Signature) : Pass\n    TLS13_KDF_EXTRACT : (KAT_KDF) : Pass\n    TLS13_KDF_EXPAND : (KAT_KDF) : Pass\n    TLS12_PRF : (KAT_KDF) : Pass\n    PBKDF2 : (KAT_KDF) : Pass\n    SSHKDF : (KAT_KDF) : Pass\n    KBKDF : (KAT_KDF) : Pass\n    HKDF : (KAT_KDF) : Pass\n    SSKDF : (KAT_KDF) : Pass\n    X963KDF : (KAT_KDF) : Pass\n    X942KDF : (KAT_KDF) : Pass\n    HASH : (DRBG) : Pass\n    CTR : (DRBG) : Pass\n    HMAC : (DRBG) : Pass\n    DH : (KAT_KA) : Pass\n    ECDH : (KAT_KA) : Pass\n    RSA_Encrypt : (KAT_AsymmetricCipher) : Pass\n    RSA_Decrypt : (KAT_AsymmetricCipher) : Pass\n    RSA_Decrypt : (KAT_AsymmetricCipher) : Pass\n    Running check: FIPS module is available... passed.\n*** Running check: EVP_default_properties_is_fips_enabled returns true... passed.\n*** Running check: verify unapproved cryptographic routines are not available by default (e.g. MD5)... 
passed.\n\nLifecycle assurance satisfied.\nModule details:\n\tname:     \tOpenSSL FIPS Provider\n\tversion:  \t3.0.9\n\tbuild:    \t3.0.9\n\nLocate applicable CMVP certificates at\n    https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Advanced\u0026ModuleName=OpenSSL\u0026CertificateStatus=Active\u0026ValidationYear=0\u0026SoftwareVersions=3.0.9\n```\n\nExample output on Ubuntu Pro FIPS instance:\n\n```\n./openssl-fips-test\nChecking OpenSSL lifecycle assurance.\n*** Running check: FIPS module is available...\n    SHA1 : (KAT_Digest) : Pass\n    SHA2 : (KAT_Digest) : Pass\n    SHA3 : (KAT_Digest) : Pass\n    AES_GCM : (KAT_Cipher) : Pass\n    AES_ECB_Decrypt : (KAT_Cipher) : Pass\n    RSA : (KAT_Signature) :     RNG : (Continuous_RNG_Test) : Pass\n    RNG : (Continuous_RNG_Test) : Pass\n    RNG : (Continuous_RNG_Test) : Pass\nPass\n    ECDSA : (KAT_Signature) : Pass\n    ECDSA : (KAT_Signature) : Pass\n    TLS13_KDF_EXTRACT : (KAT_KDF) : Pass\n    TLS13_KDF_EXPAND : (KAT_KDF) : Pass\n    TLS12_PRF : (KAT_KDF) : Pass\n    PBKDF2 : (KAT_KDF) : Pass\n    SSHKDF : (KAT_KDF) : Pass\n    KBKDF : (KAT_KDF) : Pass\n    HKDF : (KAT_KDF) : Pass\n    SSKDF : (KAT_KDF) : Pass\n    X963KDF : (KAT_KDF) : Pass\n    X942KDF : (KAT_KDF) : Pass\n    HASH : (DRBG) : Pass\n    CTR : (DRBG) : Pass\n    HMAC : (DRBG) : Pass\n    DH : (KAT_KA) : Pass\n    ECDH : (KAT_KA) : Pass\n    HMAC : (Module_Integrity) : Pass\n    Running check: FIPS module is available... passed.\n*** Running check: EVP_default_properties_is_fips_enabled returns true... passed.\n*** Running check: verify unapproved cryptographic routines are not available by default (e.g. MD5)... 
passed.\n\nLifecycle assurance satisfied.\nModule details:\n\tname:     \tUbuntu 22.04 OpenSSL Cryptographic Module\n\tversion:  \t3.0.5-0ubuntu0.1+Fips2.1\n\tbuild:    \t3.0.5-0ubuntu0.1+Fips2.1\n\nLocate applicable CMVP certificates at\n    https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Advanced\u0026ModuleName=OpenSSL\u0026CertificateStatus=Active\u0026ValidationYear=0\u0026SoftwareVersions=3.0.5\n```\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fopenssl-fips-test","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainguard-dev%2Fopenssl-fips-test","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fopenssl-fips-test/lists"}