Adding wolfSSL FIPS Ready Docs #117
Conversation
night1rider
force-pushed
the
fips-ready-documentation
branch
from
9aa6de7
to
2e00edf
Compare
night1rider
force-pushed
the
fips-ready-documentation
branch
from
2e00edf
to
420c94c
Compare
wolfSSL-FIPS-Ready/src/section01.md
Outdated
| @@ -0,0 +1,60 @@ | |||
| # wolfSSL FIPS Ready | |||
|
|
|||
| Do you have a project you'll need for a FIPS approved cryptographic library at | |||
There was a problem hiding this comment.
This doesn't quite say what you mean -- you want something like "Do you have a project that will need a FIPS approved cryptographic library".
There was a problem hiding this comment.
Changed to:
"Do you have a project that will need a FIPS approved cryptographic library at a later date, but want to be ready for it now? "
wolfSSL-FIPS-Ready/src/section01.md
Outdated
| Do you have a project you'll need for a FIPS approved cryptographic library at | ||
| a future date and want to be ready for it now? wolfSSL FIPS Ready is exactly | ||
| what you need. It is the wolfSSL Inc FIPS enabled cryptography layer code | ||
| included in the wolfSSL source tree that one can enable and build. You do not |
There was a problem hiding this comment.
Bit of a run-on sentence here -- better something like "It is the cryptography layer from the public wolfSSL source tree, with the FIPS tooling ready to enable and build."
There was a problem hiding this comment.
Changed to:
"wolfSSL FIPS Ready includes the cyrptography layer from the public wolfSSL source tree, along with the FIPS tooling enabled for a FIPS Ready build."
There was a problem hiding this comment.
Whoops, spelling. LGTM otherwise.
There was a problem hiding this comment.
Fixed spelling of "cyrptography " to "cryptography "
wolfSSL-FIPS-Ready/src/section01.md
Outdated
| included in the wolfSSL source tree that one can enable and build. You do not | ||
| get a FIPS certificate, you are not FIPS approved, but you will be Ready to go | ||
| through the FIPS process when the time comes. FIPS Ready means that you have | ||
| included the FIPS code into your build and that you are operating according to |
There was a problem hiding this comment.
Need to be careful and specific here: "FIPS Ready means that you have included the FIPS tooling into your build, and are accessing the cryptography according to the FIPS requirements for applications."
There was a problem hiding this comment.
Changed to:
"FIPS Ready means that the FIPS tooling is included in the build, and is accessing the cryptography according to the FIPS requirements for applications."
There was a problem hiding this comment.
The point is that the application is guaranteed to be accessing the crypto per FIPS reqs. Your phrasing says that the tooling is accessing the crypto per FIPS reqs, which goes without saying.
There was a problem hiding this comment.
Changes A few things based on our discussions and my misunderstanding of fips-ready.
Change initial sentence to:
"FIPS Ready allows application developers to assure that they have correctly integrated the necessary FIPS setup, and are correctly using the API and underlying protocols, providing for a seamless transition to the full FIPS certified wolfSSL library for an application."
Along with adding this to the bottom of section 1.1:
"The FIPS boundary provides confirmation about multiple aspects of your application. The processing
of private key access that will assure proper unlocking and relocking of keys according to the FIPS
specification. The assurance that no FIPS-forbidden modes or key sizes are being used, along with
proper entropy source setup. FIPS Ready also helps discover conflicts with outside sub-system integration your application needs, for example determining if other applications or devices on a network support your new FIPS Ready cipher suites for communication between each other"
wolfSSL-FIPS-Ready/src/section01.md
Outdated
| algorithm self-tests (CAST) that came with FIPS 140-3. When the time comes, | ||
| you can get your operating environment tested and added to the wolfSSL Inc | ||
| FIPS 140-3 certificate for wolfCrypt or submit for a brand new FIPS 140-3 cert | ||
| from scratch and all the coding work will have been done. |
There was a problem hiding this comment.
Need a little more run-on sentence cleanup, something like: "When the time comes, we will shepherd your operating environment through testing, and get it added to the existing wolfCrypt FIPS 140-3 certificate. In some situations, a new FIPS 140-3 certificate will be required, and we will work with you through the testing and certification process. In both scenarios, FIPS Ready assures that your application will be fully functional with wolfCrypt as certified."
There was a problem hiding this comment.
Changed to:
"When the time comes, we will shepherd your operating environment through testing and add it to the wolfCrypt FIPS 140-3 certificate. In special situations, a new FIPS 140-3 certificate will be required, but we are ready to provide guidance through the testing and certification process. In both scenarios, FIPS Ready assures that your application will be fully functional with wolfCrypt as certified."
wolfSSL-FIPS-Ready/src/section02.md
Outdated
| ## Configure the build. | ||
|
|
||
| ``` | ||
| $ ./configure --enable-fips=ready[a] |
There was a problem hiding this comment.
I've never seen this "[a]" before -- it doesn't work. It's just --enable-fips=ready.
There was a problem hiding this comment.
This was a Copy paste mistake, [a] refers to a footnote on the original webpage. I couldn't find a good way to create a footnote that would work for both the pdf version and html so I decided to include it in section.
New text for section 2.2:
$ ./configure --enable-fips=ready CFLAGS="-DNO_STRICT_ECDSA_LEN"
This configure with the -DNO_STRICT_ECDSA_LEN CFLAG set should be considered, the strict len check causes issues with vector tests, however it is not known how it will work out with normal SSL/TLS and crypto operations.
There was a problem hiding this comment.
We'll put this before a wider audience to see if we can frame it better. It's not the sort of complicated caveat we want to put in front of customers unless absolutely necessary.
There was a problem hiding this comment.
Due to internal discussion for the moment the footnote has been removed due to being potentially irrelevant to the current FIPS Ready
night1rider
force-pushed
the
fips-ready-documentation
branch
2 times, most recently
from
c3de592
to
40122bf
Compare
night1rider
force-pushed
the
fips-ready-documentation
branch
from
40122bf
to
46d9303
Compare
Adding wolfssl fips ready guide documentation based on: https://www.wolfssl.com/docs/fips-ready-user-guide/