B<openssl fipsinstall>
[B<-help>]
-[B<-in configfilename>]
-[B<-out configfilename>]
-[B<-module modulefilename>]
-[B<-provider_name providername>]
-[B<-section_name sectionname>]
+[B<-in> I<configfilename>]
+[B<-out> I<configfilename>]
+[B<-module> I<modulefilename>]
+[B<-provider_name> I<providername>]
+[B<-section_name> I<sectionname>]
[B<-verify>]
-[B<-mac_name macname>]
-[B<-macopt>]
-
-B<openssl> I<fipsinstall> [B<...>]
+[B<-mac_name> I<macname>]
+[B<-macopt> I<nm>:I<v>]
+[B<-noout>]
+[B<-corrupt_desc> I<selftest_description>]
+[B<-corrupt_type> I<selftest_type>]
=head1 DESCRIPTION
-This utility is used to generate a FIPS module configuration file.
+This command is used to generate a FIPS module configuration file.
The generated configuration file consists of:
=over 4
Print a usage message.
-=item B<-module filename>
+=item B<-module> I<filename>
Filename of a fips module to perform an integrity check on.
-=item B<-out configfilename>
+=item B<-out> I<configfilename>
Filename to output the configuration data to, or standard output by default.
-=item B<-in configfilename>
+=item B<-in> I<configfilename>
Input filename to load configuration data from. Used with the '-verify' option.
Standard input is used if the filename is '-'.
Verify that the input configuration file contains the correct information
-=item B<-provider_name providername>
+=item B<-provider_name> I<providername>
Name of the provider inside the configuration file.
-=item B<-section_name sectionname>
+=item B<-section_name> I<sectionname>
Name of the section inside the configuration file.
-=item B<-mac_name name>
+=item B<-mac_name> I<name>
Specifies the name of a supported MAC algorithm which will be used.
-To see the list of supported MAC's use the command I<list -mac-algorithms>.
-The default is "HMAC".
+To see the list of supported MAC's use the command
+C<openssl list -mac-algorithms>. The default is B<HMAC>.
-=item B<-macopt nm:v>
+=item B<-macopt> I<nm>:I<v>
Passes options to the MAC algorithm.
A comprehensive list of controls can be found in the EVP_MAC implementation
=over 4
-=item B<key:string>
+=item B<key>:I<string>
Specifies the MAC key as an alphanumeric string (use if the key contains
printable characters only).
The string length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
-=item B<hexkey:string>
+=item B<hexkey>:I<string>
Specifies the MAC key in hexadecimal form (two hex digits per byte).
The key length must conform to any restrictions of the MAC algorithm.
A key must be specified for every MAC algorithm.
-=item B<digest:string>
+=item B<digest>:I<string>
Used by HMAC as an alphanumeric string (use if the key contains printable
characters only).
The string length must conform to any restrictions of the MAC algorithm.
-To see the list of supported digests, use the command I<list -digest-commands>.
+To see the list of supported digests, use the command
+C<openssl list -digest-commands>.
=back
+=item B<-noout>
+
+Disable logging of the self tests.
+
+=item B<-corrupt_desc> I<selftest_description>
+
+=item B<-corrupt_type> I<selftest_type>
+
+The corrupt options can be used to test failure of one or more self test(s) by
+name.
+Either option or both may be used to select the self test(s) to corrupt.
+Refer to the entries for "st-desc" and "st-type" in L<OSSL_PROVIDER-FIPS(7)> for
+values that can be used.
+
=back
=head1 EXAMPLES
-Calculate the mac of a FIPS module 'fips.so' and run a FIPS self test
-for the module, and save the fips.conf configuration file:
+Calculate the mac of a FIPS module F<fips.so> and run a FIPS self test
+for the module, and save the F<fips.conf> configuration file:
openssl fipsinstall -module ./fips.so -out fips.conf -provider_name fips \
-section_name fipsinstall -mac_name HMAC -macopt digest:SHA256 \
-macopt hexkey:000102030405060708090A0B0C0D0E0F10111213
-Verify that the configuration file 'fips.conf' contains the correct info:
+Verify that the configuration file F<fips.conf> contains the correct info:
openssl fipsinstall -module ./fips.so -in fips.conf -provider_name fips \
-section_name fips_install -mac_name HMAC -macopt digest:SHA256 \
-macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 -verify
+Corrupt any self tests which have the description 'SHA1':
+
+ openssl fipsinstall -module ./fips.so -out fips.conf -provider_name fips \
+ -section_name fipsinstall -mac_name HMAC -macopt digest:SHA256 \
+ -macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 \
+ -corrupt_desc', 'SHA1'
+
=head1 NOTES
The MAC mechanisms that are available will depend on the options
used when building OpenSSL.
-The B<list -mac-algorithms> command can be used to list them.
+The command C<openssl list -mac-algorithms> command can be used to list them.
=head1 SEE ALSO
L<fips_config(5)>,
+L<OSSL_PROVIDER-FIPS(7)>,
L<EVP_MAC(3)>
=head1 COPYRIGHT
projects / openssl.git / blobdiff