All modules
CMVP Validated Module · FIPS 140-3 Security Policy

Chainguard FIPS Provider for OpenSSL

Certificate#5132StandardFIPS 140-3Level1TypeSoftwareEmbodimentMulti-Chip Stand AloneStatusActiveVendorChainguard, Inc.
High review priority  ·  exposes network crypto parser/protocol  ·  OpenSSL upstream has published 38 CVEs since this module's initial validation  ·  last validated 6 months ago. How this is derived →

Certificate

StandardFIPS 140-3
Overall level1
Module typeSoftware
EmbodimentMulti-Chip Stand Alone
StatusActive
Sunset date1/13/2031
CaveatWhen operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs.
VendorChainguard, Inc.

Approved Algorithms (73)

AlgorithmACVP Cert
AES-CBCA6678, A6679, A6680, A6690, A6691, A6700
AES-CBC-CS1A6678, A6679, A6680, A6690, A6691, A6700
AES-CBC-CS2A6678, A6679, A6680, A6690, A6691, A6700
AES-CBC-CS3A6678, A6679, A6680, A6690, A6691, A6700
AES-CCMA6678, A6679, A6680, A6690, A6691, A6700
AES-CFB1A6678, A6679, A6680, A6690, A6691, A6700
AES-CFB128A6678, A6679, A6680, A6690, A6691, A6700
AES-CFB8A6678, A6679, A6680, A6690, A6691, A6700
AES-CMACA6678, A6679, A6680, A6690, A6691, A6700
AES-CTRA6678, A6679, A6680, A6690, A6691, A6700
AES-ECBA6678, A6679, A6680, A6690, A6691, A6700
AES-GCMA6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699
AES-GMACA6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699
AES-KWA6678, A6679, A6680, A6690, A6691, A6700
AES-KWPA6678, A6679, A6680, A6690, A6691, A6700
AES-OFBA6678, A6679, A6680, A6690, A6691, A6700
AES-XTS Testing Revision 2.0A6678, A6679, A6680, A6690, A6691, A6700
Counter DRBGA6675
ECDSA KeyGen (FIPS186-5)A6666, A6668, A6683, A6684, A6685, A6686
ECDSA KeyVer (FIPS186-4)A6666, A6668, A6683, A6684, A6685, A6686
ECDSA KeyVer (FIPS186-5)A6666, A6668, A6683, A6684, A6685, A6686
ECDSA SigGen (FIPS186-5)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689
ECDSA SigVer (FIPS186-4)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689
ECDSA SigVer (FIPS186-5)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689
EDDSA KeyGenA6676
EDDSA KeyVerA6676
EDDSA SigGenA6676
EDDSA SigVerA6676
Hash DRBGA6675
HMAC DRBGA6675
HMAC-SHA-1A6666, A6668, A6683, A6684, A6685, A6686
HMAC-SHA2-224A6666, A6668, A6683, A6684, A6685, A6686
HMAC-SHA2-256A6666, A6667, A6668, A6683, A6684, A6685, A6686
HMAC-SHA2-384A6666, A6668, A6683, A6684, A6685, A6686
HMAC-SHA2-512A6666, A6668, A6683, A6684, A6685, A6686
HMAC-SHA2- 512/224A6666, A6668, A6683, A6684, A6685, A6686
HMAC-SHA2- 512/256A6666, A6668, A6683, A6684, A6685, A6686
HMAC-SHA3-224A6670, A6671, A6687, A6688, A6689
HMAC-SHA3-256A6670, A6671, A6687, A6688, A6689
HMAC-SHA3-384A6670, A6671, A6687, A6688, A6689
HMAC-SHA3-512A6670, A6671, A6687, A6688, A6689
KAS-ECC-SSC Sp800-56Ar3A6666, A6668, A6683, A6684, A6685, A6686
KAS-FFC-SSC Sp800-56Ar3A6674
KAS-IFC-SSCA6668
KDA HKDF SP800- 56Cr2A6673
KDA OneStep SP800-56Cr2A6672
KDA TwoStep SP800-56Cr2A6672
KDF ANS 9.42 (CVL)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689
KDF ANS 9.63 (CVL)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689
KDF KMAC Sp800- 108r1A6677
KDF SP800-108A6677
KDF SSH (CVL)A6666, A6668, A6669, A6683, A6684, A6685, A6686
KTS-IFCA6666, A6668, A6683, A6684, A6685, A6686
PBKDFA6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689
RSA KeyGen (FIPS186-5)A6666, A6668, A6683, A6684, A6685, A6686
RSA SigGen (FIPS186-5)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689
RSA SigVer (FIPS186-4)A6666, A6668, A6683, A6684, A6685, A6686
RSA SigVer (FIPS186-5)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689
SHA-1A6666, A6668, A6683, A6684, A6685, A6686
SHA2-224A6666, A6668, A6683, A6684, A6685, A6686
SHA2-256A6666, A6667, A6668, A6683, A6684, A6685, A6686
SHA2-384A6666, A6668, A6683, A6684, A6685, A6686
SHA2-512A6666, A6668, A6683, A6684, A6685, A6686
SHA2-512/224A6666, A6668, A6683, A6684, A6685, A6686
SHA2-512/256A6666, A6668, A6683, A6684, A6685, A6686
SHA3-224A6670, A6671, A6687, A6688, A6689
SHA3-256A6670, A6671, A6687, A6688, A6689
SHA3-384A6670, A6671, A6687, A6688, A6689
SHA3-512A6670, A6671, A6687, A6688, A6689
SHAKE-128A6670, A6671, A6687, A6688, A6689
SHAKE-256A6670, A6671, A6687, A6688, A6689
TLS v1.2 KDF RFC7627 (CVL)A6666, A6668, A6683, A6684, A6685, A6686
TLS v1.3 KDF (CVL)A6673

Security Levels (Table 1)

Requirement areaLevel
Cryptographic Module Specification2
Cryptographic Module Interfaces3
Roles, Services, and Authentication4
Software/Firmware Security5
Operational Environment6
Self-Tests1
Mitigation of Other Attacks1

Derived Review-Risk Graph (review prompts, not findings)

flowchart LR
  %% Deterministic review-risk graph for Chainguard FIPS Provider for OpenSSL
  %% Review prompts and evidence gaps, NOT vulnerability findings.
  subgraph CMVP["CMVP-disclosed clues"]
    C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update<br/>Recovery</i>"]
    C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Encryption with AES<br/>Decryption with AES<br/>Show Status</i>"]
    C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
    C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
  end
  subgraph Inference["Derived inference"]
    I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
    I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
    I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
    I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
  end
  subgraph Risk["Reviewer question"]
    R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
    R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
    R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
    R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
  end
  subgraph Evidence["Evidence needed to close"]
    E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
    E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
    E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
    E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
  end
  C2 --> I2 --> R2 --> E2
  C3 --> I3 --> R3 --> E3
  C5 --> I5 --> R5 --> E5
  C6 --> I6 --> R6 --> E6
  classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
  classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
  classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
  class C2,C3,C5,C6 clue;
  class I2,I3,I5,I6 infer;
  class R2,R3,R5,R6 risk;
  class E2,E3,E5,E6 evidence;
Underlying clues
flowchart LR
  %% Deterministic clue tier for Chainguard FIPS Provider for OpenSSL
  %% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
  subgraph CMVP["CMVP-disclosed clues (deterministic)"]
    C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update<br/>Recovery</i><br/>src: text:keyword"]
    C3["[high] Unauthenticated / self-test / status service surface<br/><i>Encryption with AES<br/>Decryption with AES<br/>Show Status</i><br/>src: securityPolicy.services"]
    C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
    C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
  end
  classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
  classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
  classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
  class C2,C5,C6 clueLow;
  class C3 clueHigh;

Security Policy, page by page

Page 1

Chainguard, Inc. Chainguard FIPS Provider for OpenSSL Document Version: 1.1 Last Update: 2025-12-27 Prepared by: atsec information security corporation

4516 Seton Center Pkwy, Suite 250

Austin, TX 78759 www.atsec.com © 2025 Chainguard, Inc., atsec information security.

Page 2

Chainguard FIPS Provider for OpenSSL Table of Contents 1.1 © 2025 Chainguard, Inc., atsec information security.

Page 3

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 4

Chainguard FIPS Provider for OpenSSL List of Tables © 2025 Chainguard, Inc., atsec information security.

Page 5

Chainguard FIPS Provider for OpenSSL List of Figures © 2025 Chainguard, Inc., atsec information security.

Page 6
Security level
NameISO SectionRequirementLevel
11General1
22Cryptographic module specification1
33Cryptographic module interfaces1
44Roles, services, and authentication1
55Software/Firmware security1
66Operational environment1
77Physical securityN/A
88Non-invasive securityN/A
99Sensitive security parameter management1
1010Self-tests1
1111Life-cycle assurance1
1212Mitigation of other attacks1
Overall LevelOverall Level1

Chainguard FIPS Provider for OpenSSL 1.1 Overview The present document is the non-proprietary FIPS 140-3 Security Policy for the Chainguard FIPS Provider for OpenSSL which will also be referred to as “the module” and “the cryptographic module” throughout this document. This Security Policy specifies the security rules under which the module must operate to meet the FIPS 140-3 Level 1 requirements.

1.2 Security Levels
1.3 Additional Information

In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2025 Chainguard, Inc., atsec information security.

Page 7

Chainguard FIPS Provider for OpenSSL

2 Cryptographic Module Specification
2.1 Description

Purpose and Use: The Chainguard FIPS Provider for OpenSSL (hereafter referred to as “the module”) is defined as a software module in a multi-chip standalone embodiment. It is a software library that provides a C language application program interface (API) for use by other applications that require cryptographic functionality. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The module consists of one software component, the “FIPS provider” i.e., fips.so (depicted in orange color in Figure 1), that forms the module’s cryptographic boundary which implements the FIPS requirements, and the cryptographic functionality. Components depicted in white color in Figure 1 are only included in the diagram for informational purposes. They are not included in the cryptographic boundary (and therefore not part of the module’s validation). For example, the kernel is responsible for managing system calls issued by the module itself, as well as other applications using the module for cryptographic services. Tested Operational Environment’s Physical Perimeter (TOEPP): Figure 1 shows the physical perimeter of the operational environment (a general-purpose computer on which the module is installed) is indicated by a purple dashed line. Figure 1: Block Diagram

2.2 Tested and Vendor Affirmed Module Version and Identification

Tested Module Identification

Page 8
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488C3.4.0-r4N/Afips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488CHMAC-SHA2-256
fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton33.4.0-r4N/Afips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton3HMAC-SHA2-256
Chainguard Image 20230214 on Amazon Linux 2023Chainguard Image 20230214 on Amazon Linux 2023EC2 m7i.metal- 24xl3.4.0-r4Intel Sapphire Rapids Xeon Platinum 8488CNoN/A
Chainguard Image 20230214 on Amazon Linux 2023Chainguard Image 20230214 on Amazon Linux 2023EC2 m7g.metal3.4.0-r4Amazon Graviton3 AWS Graviton3NoN/A
Chainguard Image 20230214 on Amazon Linux 2023Chainguard Image 20230214 on Amazon Linux 2023EC2 m7i.metal- 24xl3.4.0-r4Intel Sapphire Rapids Xeon Platinum 8488CYesN/A
Chainguard Image 20230214 on Amazon Linux 2023Chainguard Image 20230214 on Amazon Linux 2023EC2 m7g.metal3.4.0-r4Amazon Graviton3 AWS Graviton3YesN/A
glibc 2.34+ (Host)glibc 2.34+ (Host)Generic Hardware Platform ELF x86-64-v2+
glibc 2.34+ (Host)glibc 2.34+ (Host)Generic Hardware Platform ELF ARMv8a+
AlmaLinux 9AlmaLinux 9AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
AlmaLinux 9AlmaLinux 9AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
AlmaLinux 10AlmaLinux 10AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488C3.4.0-r4N/Afips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488CHMAC-SHA2-256
fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton33.4.0-r4N/Afips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton3HMAC-SHA2-256
Chainguard Image 20230214 on Amazon Linux 2023Chainguard Image 20230214 on Amazon Linux 2023EC2 m7i.metal- 24xl3.4.0-r4Intel Sapphire Rapids Xeon Platinum 8488CNoN/A
Chainguard Image 20230214 on Amazon Linux 2023Chainguard Image 20230214 on Amazon Linux 2023EC2 m7g.metal3.4.0-r4Amazon Graviton3 AWS Graviton3NoN/A
Chainguard Image 20230214 on Amazon Linux 2023Chainguard Image 20230214 on Amazon Linux 2023EC2 m7i.metal- 24xl3.4.0-r4Intel Sapphire Rapids Xeon Platinum 8488CYesN/A
Chainguard Image 20230214 on Amazon Linux 2023Chainguard Image 20230214 on Amazon Linux 2023EC2 m7g.metal3.4.0-r4Amazon Graviton3 AWS Graviton3YesN/A
glibc 2.34+ (Host)glibc 2.34+ (Host)Generic Hardware Platform ELF x86-64-v2+
glibc 2.34+ (Host)glibc 2.34+ (Host)Generic Hardware Platform ELF ARMv8a+
AlmaLinux 9AlmaLinux 9AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
AlmaLinux 9AlmaLinux 9AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
AlmaLinux 10AlmaLinux 10AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
Module configuration
NameOperating SystemHardware PlatformFirmware VersionSoftware VersionProcessorPaa PaiHypervisorFeaturesPackageIntegrity Test
fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488C3.4.0-r4N/Afips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488CHMAC-SHA2-256
fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton33.4.0-r4N/Afips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton3HMAC-SHA2-256
Chainguard Image 20230214 on Amazon Linux 2023Chainguard Image 20230214 on Amazon Linux 2023EC2 m7i.metal- 24xl3.4.0-r4Intel Sapphire Rapids Xeon Platinum 8488CNoN/A
Chainguard Image 20230214 on Amazon Linux 2023Chainguard Image 20230214 on Amazon Linux 2023EC2 m7g.metal3.4.0-r4Amazon Graviton3 AWS Graviton3NoN/A
Chainguard Image 20230214 on Amazon Linux 2023Chainguard Image 20230214 on Amazon Linux 2023EC2 m7i.metal- 24xl3.4.0-r4Intel Sapphire Rapids Xeon Platinum 8488CYesN/A
Chainguard Image 20230214 on Amazon Linux 2023Chainguard Image 20230214 on Amazon Linux 2023EC2 m7g.metal3.4.0-r4Amazon Graviton3 AWS Graviton3YesN/A
glibc 2.34+ (Host)glibc 2.34+ (Host)Generic Hardware Platform ELF x86-64-v2+
glibc 2.34+ (Host)glibc 2.34+ (Host)Generic Hardware Platform ELF ARMv8a+
AlmaLinux 9AlmaLinux 9AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
AlmaLinux 9AlmaLinux 9AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
AlmaLinux 10AlmaLinux 10AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
AlmaLinux 10AlmaLinux 10AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
Amazon Linux 2Amazon Linux 2AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
Amazon Linux 2Amazon Linux 2AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
Amazon Linux 2023Amazon Linux 2023AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
Amazon Linux 2023Amazon Linux 2023AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
Azure Linux 2Azure Linux 2Azure Esv5-series with Intel Xeon Platinum 8473C, PAA/PAI, under Azure Host Hypervisor
Azure Linux 2Azure Linux 2Azure Dpsv6-series with Azure Cobalt 100, PAA/PAI, under Azure Host Hypervisor
Azure Linux 3Azure Linux 3Azure Esv5-series with Intel Xeon Platinum 8473C, PAA/PAI, under Azure Host Hypervisor
Azure Linux 3Azure Linux 3Azure Dpsv6-series with Azure Cobalt 100, PAA/PAI, under Azure Host Hypervisor
BottlerocketBottlerocketAWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488CC, PAA/PAI
BottlerocketBottlerocketAWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
Centos Stream 9Centos Stream 9AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
Centos Stream 9Centos Stream 9AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
Centos Stream 10Centos Stream 10AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
Centos Stream 10Centos Stream 10AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
ChainguardChainguardAWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
ChainguardChainguardAWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
Chainguard (Host)Chainguard (Host)AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
Chainguard (Host)Chainguard (Host)AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
Chainguard (Host)Chainguard (Host)Azure Esv5-series with Intel Xeon Platinum 8473C, PAA/PAI, under Azure Host Hypervisor
Chainguard (Host)Chainguard (Host)Azure Dpsv6-series with Azure Cobalt 100, PAA/PAI, under Azure Host Hypervisor
Chainguard (Host)Chainguard (Host)GCP c3-highcpu-192-metal with Intel Xeon Platinum 8481C, PAA/PAI, under Titanium
Chainguard (Host)Chainguard (Host)GCP c4a with Google Axion, PAA/PAI
Chainguard (Host)Chainguard (Host)Raspberry Pi 5 B Rev 1.0 8GB with Broadcom BCM2712, PAA/PAI
Debian 12 BookwormDebian 12 BookwormAWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
Debian 12 BookwormDebian 12 BookwormAWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
Debian 13 TrixieDebian 13 TrixieAWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
Debian 13 TrixieDebian 13 TrixieAWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
Google COSGoogle COSGCP c3-highcpu-192-metal with Intel Xeon Platinum 8481C
Google COSGoogle COSGCP c4a with Google Axion, PAA/PAI, under Titanium
RHEL 9RHEL 9AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
RHEL 9RHEL 9AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
RHEL 10RHEL 10AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
RHEL 10RHEL 10AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
RockyLinux 9RockyLinux 9AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
RockyLinux 9RockyLinux 9AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
RockyLinux 10RockyLinux 10AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
RockyLinux 10RockyLinux 10AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
SUSE Linux Enterprise Server 15 SP6SUSE Linux Enterprise Server 15 SP6AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
SUSE Linux Enterprise Server 15 SP6SUSE Linux Enterprise Server 15 SP6AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
SUSE Linux Enterprise Server 16 Public RCSUSE Linux Enterprise Server 16 Public RCAWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
SUSE Linux Enterprise Server 16 Public RCSUSE Linux Enterprise Server 16 Public RCAWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
Ubuntu 20.04Ubuntu 20.04AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
Ubuntu 20.04Ubuntu 20.04AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
Ubuntu 22.04Ubuntu 22.04AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
Ubuntu 22.04Ubuntu 22.04AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI
Ubuntu 24.04Ubuntu 24.04AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI
Ubuntu 24.04Ubuntu 24.04AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI

Chainguard FIPS Provider for OpenSSL N/A N/A Table 2: Tested Module Identification

Page 9

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 10

Chainguard FIPS Provider for OpenSSL Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated SSPs when the module is ported if the specific operational environments are not listed on the validation certificate.

2.3 Excluded Components

There are no components excluded from the requirements of the FIPS 140-3 standard. © 2025 Chainguard, Inc., atsec information security.

Page 11
Service
NameDescriptionIndicatorType
Non-approved modeAutomatically entered whenever a non- approved service is requestedEquivalent to the indicator of the requested service.Non- Approved
Approved algorithm
NameCAVP CertReference
AES-CBCA6678, A6679, A6680, A6690, A6691, A6700SP 800-38A
AES-CBC-CS1A6678, A6679, A6680, A6690, A6691, A6700SP 800-38A
AES-CBC-CS2A6678, A6679, A6680, A6690, A6691, A6700SP 800-38A
AES-CBC-CS3A6678, A6679, A6680, A6690, A6691, A6700SP 800-38A
AES-CCMA6678, A6679, A6680, A6690, A6691, A6700SP 800-38C
AES-CFB1A6678, A6679, A6680, A6690, A6691, A6700SP 800-38A
AES-CFB128A6678, A6679, A6680, A6690, A6691, A6700SP 800-38A
AES-CFB8A6678, A6679, A6680, A6690, A6691, A6700SP 800-38A
AES-CMACA6678, A6679, A6680, A6690, A6691, A6700SP 800-38B
AES-CTRA6678, A6679, A6680, A6690, A6691, A6700SP 800-38A
AES-ECBA6678, A6679, A6680, A6690, A6691, A6700SP 800-38A
AES-GCMA6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699SP 800-38D
AES-GMACA6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699SP 800-38D
AES-KWA6678, A6679, A6680, A6690, A6691, A6700SP 800-38F
AES-KWPA6678, A6679, A6680, A6690, A6691, A6700SP 800-38F
AES-OFBA6678, A6679, A6680, A6690, A6691, A6700SP 800-38A
AES-XTS Testing Revision 2.0A6678, A6679, A6680, A6690, A6691, A6700SP 800-38E
Counter DRBGA6675SP 800-90A Rev. 1
ECDSA KeyGen (FIPS186-5)A6666, A6668, A6683, A6684, A6685, A6686FIPS 186-5
ECDSA KeyVer (FIPS186-4)A6666, A6668, A6683, A6684, A6685, A6686FIPS 186-4
ECDSA KeyVer (FIPS186-5)A6666, A6668, A6683, A6684, A6685, A6686FIPS 186-5
ECDSA SigGen (FIPS186-5)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689FIPS 186-5
ECDSA SigVer (FIPS186-4)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689FIPS 186-4
ECDSA SigVer (FIPS186-5)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689FIPS 186-5
EDDSA KeyGenA6676FIPS 186-5
EDDSA KeyVerA6676FIPS 186-5
EDDSA SigGenA6676FIPS 186-5
EDDSA SigVerA6676FIPS 186-5
Hash DRBGA6675SP 800-90A Rev. 1
HMAC DRBGA6675SP 800-90A Rev. 1
HMAC-SHA-1A6666, A6668, A6683, A6684, A6685, A6686FIPS 198-1
HMAC-SHA2-224A6666, A6668, A6683, A6684, A6685, A6686FIPS 198-1
HMAC-SHA2-256A6666, A6667, A6668, A6683, A6684, A6685, A6686FIPS 198-1
HMAC-SHA2-384A6666, A6668, A6683, A6684, A6685, A6686FIPS 198-1
HMAC-SHA2-512A6666, A6668, A6683, A6684, A6685, A6686FIPS 198-1
HMAC-SHA2- 512/224A6666, A6668, A6683, A6684, A6685, A6686FIPS 198-1
HMAC-SHA2- 512/256A6666, A6668, A6683, A6684, A6685, A6686FIPS 198-1
HMAC-SHA3-224A6670, A6671, A6687, A6688, A6689FIPS 198-1
HMAC-SHA3-256A6670, A6671, A6687, A6688, A6689FIPS 198-1
HMAC-SHA3-384A6670, A6671, A6687, A6688, A6689FIPS 198-1
HMAC-SHA3-512A6670, A6671, A6687, A6688, A6689FIPS 198-1
KAS-ECC-SSC Sp800-56Ar3A6666, A6668, A6683, A6684, A6685, A6686SP 800-56A Rev. 3
KAS-FFC-SSC Sp800-56Ar3A6674SP 800-56A Rev. 3
KAS-IFC-SSCA6668SP 800-56A Rev. 3
KDA HKDF SP800- 56Cr2A6673SP 800-56C Rev. 2
KDA OneStep SP800-56Cr2A6672SP 800-56C Rev. 2
KDA TwoStep SP800-56Cr2A6672SP 800-56C Rev. 2
KDF ANS 9.42 (CVL)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689SP 800-135 Rev. 1
KDF ANS 9.63 (CVL)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689SP 800-135 Rev. 1
KDF KMAC Sp800- 108r1A6677SP 800-108 Rev. 1
KDF SP800-108A6677SP 800-108 Rev. 1
KDF SSH (CVL)A6666, A6668, A6669, A6683, A6684, A6685, A6686SP 800-135 Rev. 1
KMAC-128A6670, A6671, A6687, A6688, A6689SP 800-185
KMAC-256A6670, A6671, A6687, A6688, A6689SP 800-185
KTS-IFCA6666, A6668, A6683, A6684, A6685, A6686SP 800-56B Rev. 2
PBKDFA6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689SP 800-132
RSA KeyGen (FIPS186-5)A6666, A6668, A6683, A6684, A6685, A6686FIPS 186-5
RSA SigGen (FIPS186-5)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689FIPS 186-5
RSA SigVer (FIPS186-4)A6666, A6668, A6683, A6684, A6685, A6686FIPS 186-4
RSA SigVer (FIPS186-5)A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689FIPS 186-5
Safe Primes Key GenerationA6674SP 800-56A Rev. 3
Safe Primes Key VerificationA6674SP 800-56A Rev. 3
SHA-1A6666, A6668, A6683, A6684, A6685, A6686FIPS 180-4
SHA2-224A6666, A6668, A6683, A6684, A6685, A6686FIPS 180-4
SHA2-256A6666, A6667, A6668, A6683, A6684, A6685, A6686FIPS 180-4
SHA2-384A6666, A6668, A6683, A6684, A6685, A6686FIPS 180-4
SHA2-512A6666, A6668, A6683, A6684, A6685, A6686FIPS 180-4
SHA2-512/224A6666, A6668, A6683, A6684, A6685, A6686FIPS 180-4
SHA2-512/256A6666, A6668, A6683, A6684, A6685, A6686FIPS 180-4
SHA3-224A6670, A6671, A6687, A6688, A6689FIPS 202
SHA3-256A6670, A6671, A6687, A6688, A6689FIPS 202
SHA3-384A6670, A6671, A6687, A6688, A6689FIPS 202
SHA3-512A6670, A6671, A6687, A6688, A6689FIPS 202
SHAKE-128A6670, A6671, A6687, A6688, A6689FIPS 202
SHAKE-256A6670, A6671, A6687, A6688, A6689FIPS 202
TLS v1.2 KDF RFC7627 (CVL)A6666, A6668, A6683, A6684, A6685, A6686SP 800-135 Rev. 1
TLS v1.3 KDF (CVL)A6673SP 800-135 Rev. 1

Chainguard FIPS Provider for OpenSSL

2.4 Modes of Operation

Modes List and Description: NonApproved Table 5: Modes List and Description After passing all pre-operational self-test and cryptographic algorithm self-tests executed on start-up, the module Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services

2.5 Algorithms

Approved Algorithms: The table below lists all implemented modes or methods of operation for the approved cryptographic algorithms of the module that are employed for approved services (Approved Services table). © 2025 Chainguard, Inc., atsec information security.

Page 12

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 13

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 14

Chainguard FIPS Provider for OpenSSL Table 6: Approved Algorithms Vendor-Affirmed Algorithms: © 2025 Chainguard, Inc., atsec information security.

Page 15
Service
NameApproved FunctionsProperties
Asymmetric CKGKey Type:Asymmetric Key pairs:RSA; ECDSA; EdDSA; DHN/ASP 800-133r2, section 4, direct DRBG output without XOR
AES-GCM encryption with external IVEncryption
HMAC with key length < 112 bitsMessage Authentication Code
KMAC with key length < 112 bits or tag length < 32 bitsMessage Authentication Code
TLS 1.2 KDF without extended master secret or with SHA-1 or SHA2-224 or SHA2-512/224 or SHA2-512/256 or SHA-3 functions or with input secret length < 112 bitsKey Derivation Function
KBKDF with input key length < 112 bitsKey Derivation Function
Hash_DRBG or HMAC_DRBG with SHA2-224 or SHA2-384 or SHA2- 512/224 or SHA2-512/256 or SHA-3 functions or KMACDeterministic Random Bit Generation
ECDH with P-192Shared Secret Computation
RSA SigVer with modulus length < 2048 bits or PSS salt length > digest length or without hashing (primitive)Digital Signature Verification
RSA SigGen with SHA-1 or X9.31 padding or modulus length < 2048 bits or PSS salt length > digest length or without hashing (primitive)Digital Signature Generation
ECDSA SigVer componentDigital Signature Verification
ECDSA SigGen with P-192 or SHA-1; ECDSA SigGen component with P- 192Digital Signature Generation
ECDSA KeyGen with P-192Key Pair Generation
SSH KDF with SHA2-512/224 or SHA2-512/256 or SHA-3 functions or input secret length < 112 bitsKey Derivation Function
TLS 1.3 KDF with SHA-1 or SHA2-224 or SHA2-512/224 or SHA2-512 or SHA2-512/256 or SHA-3 functions or input secret length < 112 bitsKey Derivation Function
One step KDF, two step KDF, HKDF, ANS X9.42 KDF with input secret length < 112 bitsKey Derivation Function
Service
NameDescriptionApproved FunctionsTypeProperties
Asymmetric CKGKey Type:Asymmetric Key pairs:RSA; ECDSA; EdDSA; DHN/ASP 800-133r2, section 4, direct DRBG output without XOR
AES-GCM encryption with external IVEncryption
HMAC with key length < 112 bitsMessage Authentication Code
KMAC with key length < 112 bits or tag length < 32 bitsMessage Authentication Code
TLS 1.2 KDF without extended master secret or with SHA-1 or SHA2-224 or SHA2-512/224 or SHA2-512/256 or SHA-3 functions or with input secret length < 112 bitsKey Derivation Function
KBKDF with input key length < 112 bitsKey Derivation Function
Hash_DRBG or HMAC_DRBG with SHA2-224 or SHA2-384 or SHA2- 512/224 or SHA2-512/256 or SHA-3 functions or KMACDeterministic Random Bit Generation
ECDH with P-192Shared Secret Computation
RSA SigVer with modulus length < 2048 bits or PSS salt length > digest length or without hashing (primitive)Digital Signature Verification
RSA SigGen with SHA-1 or X9.31 padding or modulus length < 2048 bits or PSS salt length > digest length or without hashing (primitive)Digital Signature Generation
ECDSA SigVer componentDigital Signature Verification
ECDSA SigGen with P-192 or SHA-1; ECDSA SigGen component with P- 192Digital Signature Generation
ECDSA KeyGen with P-192Key Pair Generation
SSH KDF with SHA2-512/224 or SHA2-512/256 or SHA-3 functions or input secret length < 112 bitsKey Derivation Function
TLS 1.3 KDF with SHA-1 or SHA2-224 or SHA2-512/224 or SHA2-512 or SHA2-512/256 or SHA-3 functions or input secret length < 112 bitsKey Derivation Function
One step KDF, two step KDF, HKDF, ANS X9.42 KDF with input secret length < 112 bitsKey Derivation Function
X448Provides 224 bits of security, Key Agreement
X25519Provides 128 bits of security, Key Agreement
ANS X9.63 KDF with SHA-1 or input secret length < 112 bitsKey Derivation Function
RSA OAEP encryption/decryption with 1536-bit modulusAsymmetric encryption/decryption
Encryption with AESSP 800-38A and SP 800-38E; EncryptionAES-CBC: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS1: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS2: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS3: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB1: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB128: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB8: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CTR: (A6678, A6679, A6680, A6690, A6691,BC-UnAuth

Chainguard FIPS Provider for OpenSSL N/A Table 7: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: © 2025 Chainguard, Inc., atsec information security.

Page 16
Service
NameDescriptionApproved FunctionsType
X448Provides 224 bits of security, Key Agreement
X25519Provides 128 bits of security, Key Agreement
ANS X9.63 KDF with SHA-1 or input secret length < 112 bitsKey Derivation Function
RSA OAEP encryption/decryption with 1536-bit modulusAsymmetric encryption/decryption
Encryption with AESSP 800-38A and SP 800-38E; EncryptionAES-CBC: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS1: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS2: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS3: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB1: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB128: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB8: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CTR: (A6678, A6679, A6680, A6690, A6691,BC-UnAuth
Decryption with AESSP 800-38A and SP 800-38E; DecryptionAES-CBC: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS1: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS2: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS3: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB1: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB128: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB8: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CTR: (A6678, A6679, A6680, A6690, A6691,BC-UnAuth
Authenticated Encryption with AESSP 800-38C and SP 800-38D; Authenticated encryptionAES-GCM: (A6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699) AES-CCM: (A6678, A6679, A6680, A6690, A6691, A6700) AES-KW: (A6678, A6679, A6680, A6690, A6691, A6700) AES-KWP: (A6678, A6679, A6680, A6690, A6691, A6700)BC-Auth
Authenticated Decryption with AESSP 800-38C and SP 800-38D; Authenticated decryptionAES-GCM: (A6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699) AES-CCM: (A6678, A6679, A6680, A6690, A6691,BC-Auth
Message Authentication Code (MAC) Generation with AESSP 800-38B and SP 800-38D; MAC GenerationAES-GMAC: (A6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699) AES-CMAC: (A6678, A6679, A6680, A6690, A6691, A6700)MAC
Message Authentication Code (MAC) Generation with HMACFIPS 198-1; MAC GenerationHMAC-SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/224: (A6666, A6668, A6683,MAC

Chainguard FIPS Provider for OpenSSL Table 8: Non-Approved, Not Allowed Algorithms © 2025 Chainguard, Inc., atsec information security.

Page 17

Chainguard FIPS Provider for OpenSSL 2.0: © 2025 Chainguard, Inc., atsec information security.

Page 18

Chainguard FIPS Provider for OpenSSL 2.0: © 2025 Chainguard, Inc., atsec information security.

Page 19

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 20

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 21
Service
NameDescriptionApproved FunctionsType
Message Authentication Code (MAC) Generation with KMACSP 800-185; MAC GenerationKMAC-128: (A6670, A6671, A6687, A6688, A6689) KMAC-256: (A6670, A6671, A6687, A6688, A6689)MAC
Random Number Generation with a DRBGSP 800-90Arev1; Random Number GenerationCounter DRBG: (A6675) Hash DRBG: (A6675) HMAC DRBG: (A6675) AES-ECB: (A6678, A6679, A6680, A6690, A6691, A6700) SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683,DRBG
Signature Generation with RSAFIPS 186-5; Signature GenerationRSA SigGen (FIPS186-5): (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/256: (A6666, A6668,DigSig-SigGen
Signature Verification with RSAFIPS 186-5; FIPS 186-4; Signature VerificationRSA SigVer (FIPS186-4): (A6666, A6668, A6683, A6684, A6685, A6686) RSA SigVer (FIPS186-5): (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683,DigSig-SigVer
Signature Generation with ECDSAFIPS 186-5; Signature GenerationECDSA SigGen (FIPS186-5): (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, A6684, A6685,DigSig-SigGen
Signature Verification with ECDSAFIPS 186-5; FIPS 186-4; Signature VerificationECDSA SigVer (FIPS186-4): (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) ECDSA SigVer (FIPS186-5): (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686)DigSig-SigVer
Signature Generation with EdDSAFIPS 186-5; Signature GenerationEDDSA SigGen: (A6676) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) SHAKE-256: (A6670, A6671, A6687, A6688, A6689)DigSig-SigGen
Signature Verification with EdDSAFIPS 186-5; Signature VerificationEDDSA SigVer: (A6676) SHA2-512: (A6666,DigSig-SigVer
Key Pair Generation with ECDSAFIPS 186-5; Key Pair GenerationECDSA KeyGen (FIPS186-5): (A6666, A6668, A6683, A6684, A6685, A6686)AsymKeyPair- KeyGen
Key Pair Generation with RSAFIPS 186-5; Key Pair GenerationRSA KeyGen (FIPS186-5): (A6666, A6668, A6683, A6684, A6685, A6686)AsymKeyPair- KeyGen
Key Pair Generation with EdDSAFIPS 186-5; Key Pair GenerationEDDSA KeyGen: (A6676) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) SHAKE-256: (A6670, A6671, A6687, A6688, A6689)AsymKeyPair- KeyGen
Key Pair Generation with Safe PrimesSP 800-56Arev3; Key Pair GenerationSafe Primes Key Generation: (A6674)AsymKeyPair- KeyGen
Key Pair Verification with Safe PrimesSP 800-56Arev3; Key Pair VerificationSafe Primes Key Verification: (A6674)AsymKeyPair- KeyVer
Public Key Verification with ECDSAFIPS 186-5; Key Pair VerificationECDSA KeyVer (FIPS186-4): (A6666, A6668, A6683, A6684, A6685, A6686) ECDSA KeyVer (FIPS186-5): (A6666, A6668, A6683, A6684, A6685, A6686)AsymKeyPair- KeyVer
Public Key Verification with EdDSAFIPS 186-5; Key Pair VerificationEDDSA KeyVer: (A6676)AsymKeyPair- KeyVer
Key Derivation with KBKDFSP 800-108rev1; Key DerivationKDF SP800-108: (A6677) HMAC-SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/256: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA3-224: (A6670, A6671, A6687, A6688, A6689) HMAC-SHA3-256: (A6670, A6671, A6687, A6688, A6689) HMAC-SHA3-384:KBKDF

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 22

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 23

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 24

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 25

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 26

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 27

Chainguard FIPS Provider for OpenSSL AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairKeyVer AsymKeyPairKeyVer © 2025 Chainguard, Inc., atsec information security.

Page 28

Chainguard FIPS Provider for OpenSSL AsymKeyPairKeyVer © 2025 Chainguard, Inc., atsec information security.

Page 29

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 30
Service
NameDescriptionCsps AccessedType
Key Derivation with KDA OneStepSP 800-56Crev2; Key DerivationKDA OneStep SP800-56Cr2: (A6672) HMAC-SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/256: (A6666, A6668, A6683, A6684, A6685, A6686)KAS-56CKDF

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 31

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 32
Service
NameDescriptionApproved FunctionsType
Key Derivation with KDA TwoStepSP 800-56Crev2; Key DerivationKDA TwoStep SP800-56Cr2: (A6672) HMAC-SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/224: (A6666, A6668, A6683,KAS-56CKDF

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 33

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 34
Service
NameDescriptionApproved FunctionsType
Key Derivation with KDA HKDFSP 800-56Crev2; Key DerivationKDA HKDF SP800- 56Cr2: (A6673) HMAC-SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/224: (A6666, A6668, A6683, A6684, A6685, A6686)KAS-56CKDF

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 35

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 36
Service
NameDescriptionApproved FunctionsType
Key Derivation with ANS X9.42 KDFSP 800-135rev1; Key DerivationKDF ANS 9.42: (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/224: (A6666, A6668, A6683, A6684,KAS-135KDF
Key Derivation with ANS X9.63 KDFSP 800-135rev1; Key DerivationKDF ANS 9.63: (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/256:KAS-135KDF
Key Derivation with SSH KDFSP 800-135rev1; Key DerivationKDF SSH: (A6666, A6668, A6669, A6683, A6684, A6685, A6686) SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686)KAS-135KDF
Key Derivation with TLS 1.2 KDFSP 800-135rev1; Key DerivationTLS v1.2 KDF RFC7627: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666,KAS-135KDF
Key Derivation with TLS 1.3 KDFRFC 8446; Key DerivationTLS v1.3 KDF: (A6673) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686)KAS-135KDF
Key Derivation with PBKDF2SP 800-132; Key DerivationPBKDF: (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) HMAC-SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-512:PBKDF

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 37

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 38

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 39

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 40

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 41
Service
NameDescriptionApproved FunctionsType
Shared Secret ComputationSP 800-56Ar3 KAS- ECC-SSC with P- 224, P-256, P-384, and P-521 (these respectively support strengths of 112, 128, 192, and 256 bits); SP 800- 56Ar3 KAS-FFC- SSC with MODP- 2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192, ffdhe-2048, ffdhe- 3072, ffdhe-4096, ffdhe-6144, ffdhe- 8192 (these respectively support strengths of 112, 128, 152, 176, 200, 112, 128, 152, 176, and 200 bits);KAS-FFC-SSC Sp800-56Ar3: (A6674) KAS-ECC-SSC Sp800-56Ar3: (A6666, A6668, A6683, A6684, A6685, A6686) KAS-IFC-SSC: (A6668)KAS-SSC
Message Digest with SHAFIPS 180-4 and FIPS 202; Message DigestSHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/256: (A6666, A6668, A6683, A6684, A6685, A6686) SHA3-224: (A6670, A6671, A6687, A6688, A6689) SHA3-256: (A6670, A6671, A6687, A6688, A6689) SHA3-384: (A6670, A6671, A6687, A6688, A6689) SHA3-512: (A6670, A6671, A6687, A6688, A6689)SHA
Message Digest with SHAKEFIPS 202; Message DigestSHAKE-128: (A6670, A6671, A6687, A6688,XOF
Key encapsulationSP 800-56Br2; RSA key encapsulationKTS-IFC: (A6666, A6668, A6683, A6684, A6685, A6686)KTS-Encap
Key un- encapsulationSP 800-56Br2; RSA key un- encapsulationKTS-IFC: (A6666, A6668, A6683, A6684, A6685, A6686)KTS-Encap

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 42

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 43

Chainguard FIPS Provider for OpenSSL unencapsulation Table 9: Security Function Implementations

2.7 Algorithm Specific Information
2.7.1 AES XTS

In accordance with FIPS 140-3 IG C.I, the module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical. As the module does not generate symmetric keys, the check is performed when keys are input into the service APIs. Key_1 and Key_2 shall be generated and/or established independently according to the rules for component symmetric keys from NIST SP 800-133rev2, Section 6.3. In addition, Section 4 of SP 800-38E states that the length of a single data unit encrypted or decrypted with AES XTS shall not exceed 2²⁰ AES blocks, that is 16MB, of data per XTS instance. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.

2.7.2 Key Derivation using SP 800-132 PBKDF2

The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:

Page 44

Chainguard FIPS Provider for OpenSSL

2.7.3 Compliance to SP 800-56Arev3 Assurances

The module offers DH and ECDH shared secret computation services compliant to the SP 800-56ARev3 and meeting IG D.F scenario 2 path (1). To meet the required assurances listed in section 5.6 of SP 800-56Arev3, the module shall be used together with an application that implements the “TLS protocol” and the following steps shall be performed. 1. The entity using the module must use the module's "Key pair generation" service for generating DH/ECDH ephemeral keys. This meets the assurances required by key pair owner defined in the section

5.6.2.1 of SP 800-56ARev3.
  1. As part of the module's shared secret computation (SSC) service, the module internally performs the public key validation on the peer's public key passed in as input to the SSC function. This meets the public key validity assurance required by the sections 5.6.2.2.2 of SP 800-56ARev3.
  2. The module does not support static keys therefore the "assurance of peer's possession of private key" is not applicable.
2.7.4 SHA-3

The module implements the SHA-3 functions as both standalone functions and as part of higher-level algorithms (in compliance with FIPS 140-3 IG C.C). As detailed in Section 2.6 Security Function Implementations with corresponding certificates, the cryptographic algorithms that use SHA-3 functions include RSA signature generation and verification, ECDSA signature generation and verification, EdDSA signature generation and verification, EdDSA key pair generation, KBKDF, KDA HKDF, X9.63 KDF, X9.42 KDF, PBKDF, OneStep KDA, TwoStep KDA, and HMAC. In addition, the implementation of the extendable output functions SHAKE128 and SHAKE256 were verified to have a standalone usage.

2.7.5 Legacy Algorithms

The module utilizes the following legacy algorithms as defined in SP 800-131Arev2:

2.7.6 RSA Signatures

The module’s RSA signature generation and verification implementations were CAVP tested with moduli sizes 2048, 3072, and 4096 bits. These moduli sizes are allowed by FIPS 140-3 IG C.F. The module supports moduli sizes larger than 4096 bits.

2.7.7 RSA Key Generation

The module’s RSA key generation implementation was CAVP tested with moduli sizes 2048, 3072, 4096, 6144, and 8192 bits. These moduli sizes are allowed by FIPS 140-3 IG C.F. The module supports moduli sizes larger than 8192 bits. The number of Miller-Rabin tests is compliant with Table B.1 of FIPS 186-5. © 2025 Chainguard, Inc., atsec information security.

Page 45
CertVendor Name
Number
E191Chainguard, Inc

Chainguard FIPS Provider for OpenSSL

2.7.8 Key Transport and Key Agreement

The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS. The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS.

2.7.9 AES GCM IV

For TLS 1.2 and 1.3, the module offers the AES GCM implementation per Scenario 1 and 5 of the FIPS 140-3 IG C.H respectively. For TLS 1.2 the module is compliant with SP 800-52r2 Section 3.3.1 and the mechanism for IV generation is compliant with RFC 5288 and 8446. For TLS 1.3 defined in RFC8446, the module supports AES GCM cipher suites from Section 3.3.1 of SP800-52r2. The module does not implement the TLS 1.2 or 1.3 protocol. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. Alternatively, the module also implements GCM with internal IV generation per Scenario 2 of IG C.H. The internally generated IVs are always 96 bits and are generated using the approved DRBG internal to the module’s boundary. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. The service can be requested by invoking the EVP_EncryptInit_ex2 API function with a nonNULL IV value. When this is the case, the API will set a non-approved service indicator as described in Section 4.3.

2.7.10 Compliance to SP 800-56Br2 Assurances

To comply with the assurances found in Section 6.4 of SP 800-56Br2, the operator must use the module in the context of the TLS or SSH protocols. Additionally, the module’s approved key pair generation service (see Section 4.3) must be used to generate RSA key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the key pair validation of the generated public key. The operator must use the EVP_PKEY_public_check() API to perform partial public key validation of the peer public key, complying with Section 6.4.2.2 of SP 800-56Br2. The operator must also confirm the peer’s possession of private key by using any method specified in Section 6.4.2.3 of SP 800-56Br2.

2.8 RBG and Entropy

Table 10: Entropy Certificates © 2025 Chainguard, Inc., atsec information security.

Page 46
Sensitive security parameter
NameTypeStrengthOperational EnvironmentConditioning Component
Chainguard CPU Time Jitter RNG Entropy SourceNon- Physical256Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton3; Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488Cfull entropySHA3-256 (A5446)

Chainguard FIPS Provider for OpenSSL NonPhysical Table 11: Entropy Sources The entropy source is statically compiled into the module and hence it is located within the cryptographic boundary of the module. As per the Public document of entropy certificate E191, the entropy source provides In addition to the DRBG algorithms provided to the operator, the module internally uses two dedicated DRBG instances based on SP 800-90A Rev. 1 to generate seeds for asymmetric key pairs and random numbers for security functions. The following parameters are used:

  1. Private DRBG: AES-256 CTR_DRBG with derivation function. This DRBG is used to generate secret random values (e.g. during asymmetric key pair generation). It can be accessed using RAND_priv_bytes.
  2. Public DRBG: AES-256 CTR_DRBG with derivation function. This DRBG is used to generate general purpose random values that do not need to remain secret (e.g. initialization vectors). It can be accessed using RAND_bytes.
2.9 Key Generation

The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133r2. When random values are required, they are obtained from the SP 800-90Ar1 approved DRBG of type CTR_DRBG, compliant with Section 4 of SP 800-133r2. This method does not use the value V as described in Additional Comment 2 of FIPS 140-3 IG D.H. The following methods are implemented:

Page 47

Chainguard FIPS Provider for OpenSSL

2.10 Key Establishment

The module implements key establishment methods as listed in the Security Function Implementations table in Section 2.6.

2.11 Industry Protocols

The module implements the SSH KDF (CVL) for use in the SSH protocol (RFC 4253 and RFC 6668). GCM with internal IV generation in the approved mode is compliant with versions 1.2 and 1.3 of the TLS protocol (RFC

5288 and 8446) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements

the TLS 1.2 and TLS 1.3 key derivation functions for use in the TLS protocol. For Diffie-Hellman, the module supports the use of the safe primes defined in RFC 3526 (IKE) and RFC 7919 (TLS). Note that the module only implements key pair generation, key pair verification, and shared secret computation. No other part of the IKE or TLS protocols is implemented (except for the TLS 1.2 KDF (CVL) and

1.3 KDF (CVL)):
Page 48
Ports and interfaces
NamePhysical PortLogical InterfaceData That Passes
N/AN/AData InputAPI Input Parameters
N/AN/AData OutputAPI Output Parameters
N/AN/AControl InputAPI Function Calls
N/AN/AStatus OutputAPI Return Codes, Error Queue

Chainguard FIPS Provider for OpenSSL

3 Cryptographic Module Interfaces
3.1 Ports and Interfaces

N/A N/A N/A N/A Table 12: Ports and Interfaces As a software-only module, the module does not have physical ports. The module does not implement a control © 2025 Chainguard, Inc., atsec information security.

Page 49
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCORoleNone
Message DigestCompu te a messag e digestCrypto OfficerMessage Digest with SHA Message Digest with SHAKEEVP_DigestFinal returns 1Messag eMessage digest
Symmetr ic Encrypti onEncryp t a plainte xtCrypto Officer - AES Key: W,EEncrypti on with AESEVP_EncryptFinal_ex returns 1AES Key, plainte xt, IVCiphert ext
Symmetr ic Decrypti onDecryp t a ciphert extCrypto Officer - AES Key: W,EDecrypti on with AESEVP_DecryptFinal_ex returns 1AES Key, ciphert ext, IVPlaintex t
Authenti cated Symmetr ic Encrypti onEncryp t and authent icate a plainte xtCrypto Officer - AES Key: W,EAuthenti cated Encrypti on with AESGCM: OSSL_CIPHER_PARAM_AEAD_IV_GEN ERATED is 1; CCM: EVP_EncryptFinal_ex returns 1AES Key, plainte xt, IVCiphert ext, MAC tag
Service
NameDescriptionRole AccessCsps AccessedApproved FunctionsIndicatorTypeInputOutput
Crypto OfficerCORoleNone
Message DigestCompu te a messag e digestCrypto OfficerMessage Digest with SHA Message Digest with SHAKEEVP_DigestFinal returns 1Messag eMessage digest
Symmetr ic Encrypti onEncryp t a plainte xtCrypto Officer - AES Key: W,EEncrypti on with AESEVP_EncryptFinal_ex returns 1AES Key, plainte xt, IVCiphert ext
Symmetr ic Decrypti onDecryp t a ciphert extCrypto Officer - AES Key: W,EDecrypti on with AESEVP_DecryptFinal_ex returns 1AES Key, ciphert ext, IVPlaintex t
Authenti cated Symmetr ic Encrypti onEncryp t and authent icate a plainte xtCrypto Officer - AES Key: W,EAuthenti cated Encrypti on with AESGCM: OSSL_CIPHER_PARAM_AEAD_IV_GEN ERATED is 1; CCM: EVP_EncryptFinal_ex returns 1AES Key, plainte xt, IVCiphert ext, MAC tag

Chainguard FIPS Provider for OpenSSL

4 Roles, Services, and Authentication

The module does not implement any authentication methods.

4.2 Roles

Table 13: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module when performing a service. The module does not support multiple concurrent operators.

4.3 Approved Services

s a e t a W,E t a t W,E W,E © 2025 Chainguard, Inc., atsec information security.

Page 50
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutput
Authenti cated Symmetr ic Decrypti onDecryp t and authent icate a ciphert extCrypto Officer - AES Key: W,EAuthenti cated Decrypti on with AESEVP_DecryptFinal_ex returns non- negative valueAES Key, ciphert ext, MAC tag, IVPlaintex t or Failure
AES Message Authenti cation Generati onCompu te a MAC tag using AESCrypto Officer - AES Key: W,EMessage Authenti cation Code (MAC) Generati on with AESEVP_MAC_final returns 1AES Key, messag eMAC tag
HMAC Message Authenti cation Generati onCompu te a MAC tag using HMACCrypto Officer - HMAC Key: W,EMessage Authenti cation Code (MAC) Generati on with HMACOSSL_MAC_PARAM_FIPS_APPROVED _INDICATOR is 1HMAC Key, messag eMAC tag
KMAC Message Authenti cation Generati onCompu te a MAC tag using KMACCrypto Officer - KMAC Key: W,EMessage Authenti cation Code (MAC) Generati on with KMACOSSL_MAC_PARAM_FIPS_APPROVED _INDICATOR is 1KMAC Key, messag eMAC tag
TLS KDF Key Derivatio nTLS key derivati onCrypto Officer - Shared Secret: W,E - TLS Derived Key: G,RKey Derivatio n with TLS 1.2 KDF Key Derivatio n with TLS 1.3 KDFOSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1Shared SecretTLS Derived Key
KBKDF Key Derivatio nDerive a key from a key- derivati on keyCrypto Officer - Key- Derivati on Key: W,E - KBKDF Derived Key: G,RKey Derivatio n with KBKDFOSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1Key- Deriva tion KeyKBKDF Derived Key
ANS X9.42 Key Derivatio nDerive a key from a shared secretCrypto Officer - ANS X9.42 Derived Key: G,R - Shared Secret: W,EKey Derivatio n with ANS X9.42 KDFOSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1Shared SecretANS X9.42 Derived Key
ANS X9.63 Key Derivatio nDerive a key from a shared secretCrypto Officer - Shared Secret: W,E - ANS X9.63 Derived Key: G,RKey Derivatio n with ANS X9.63 KDFOSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1Shared SecretANS X9.63 Derived Key
HKDF Key Derivatio nDerive a key from a shared secretCrypto Officer - Shared Secret: W,E - HKDF Derived Key: G,RKey Derivatio n with KDA HKDFOSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1Shared SecretHKDF Derived key
OneStep KDA Key Derivatio nDerive a key from a shared secretCrypto Officer - Shared Secret: W,E - KDA OneSte p Derived Key: G,RKey Derivatio n with KDA OneStepOSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1Shared SecretKDA OneSte p Derived Key
TwoStep KDA Key Derivatio nDerive a key from a shared secretCrypto Officer - Shared Secret: W,E - KDA TwoSte p Derived Key: G,RKey Derivatio n with KDA TwoStepOSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1Shared SecretKDA TwoSte p Derived Key
SSH KDF key derivatio nDerive a key from a shared secretCrypto Officer - Shared Secret: W,E - SSH KDF Derived Key: G,RKey Derivatio n with SSH KDFOSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1Shared SecretSSH KDF Derived Key
PBKDF Key Derivatio nDerive a key from a passwo rdCrypto Officer - Passwor d: W,E - PBKDF Derived Key: G,RKey Derivatio n with PBKDF2EVP_KDF_derive returns 1Passwo rdPBKDF Derived Key
Random Number Generati onGenera te random numberCrypto Officer - Entropy Input: W,E - DRBG Seed: G,E - DRBG Internal State (V, Key): G,W,E - DRBG Internal State (V, C): G,W,ERandom Number Generati on with a DRBGOSSL_RAND_PARAM_FIPS_APPROVE D_INDICATOR is 1Numbe r of bitsRando m number
Shared Secret Computa tionCompu te a shared secretCrypto Officer - Shared Secret: G,R - DH Private Key: W,E - DH Public Key: W,E - EC Private Key: W,E - EC Public Key: W,E - RSA PrivateShared Secret Computa tionKAS-FFC-SSC: EVP_PKEY_derive returns 1; KAS-ECC-SSC: OSSL_EXCHANGE_PARAM_FIPS_APPR OVED_INDICATOR is 1DH Private Key (owner ), DH Public Key (peer); EC Private Key (owner ), EC Public Key (peer); RSA Private Key (owner ), RSA PublicShared Secret
Key (peer)Key: W,E - RSA Public Key: W,EKey (peer)
RSA Digital Signature Generati onGenera te a digital signatu re with RSACrypto Officer - RSA Private Key: W,ESignature Generati on with RSAOSSL_SIGNATURE_PARAM_FIPS_APP ROVED_INDICATOR is 1 and OSSL_SIGNATURE_PARAM_FIPS_VERI FY_MESSAGE is 1RSA Private Key, messag e, hash algorit hmSignatu re
ECDSA Digital Signature Generati onGenera te a digital signatu re with ECDSACrypto Officer - EC Private Key: W,ESignature Generati on with ECDSAOSSL_SIGNATURE_PARAM_FIPS_APP ROVED_INDICATOR is 1 and OSSL_SIGNATURE_PARAM_FIPS_VERI FY_MESSAGE is 1EC Private Key, messag e, hash algorit hmSignatu re
EdDSA Digital Signature Generati onGenera te a digital signatu re with EdDSACrypto Officer - EdDSA Private Key: W,ESignature Generati on with EdDSAEVP_PKEY_sign returns 1EdDSA Private Key, messag e, hash algorit hmSignatu re
RSA Digital Signature Verificati onVerify a digital signatu re using RSACrypto Officer - RSA Public Key: W,ESignature Verificati on with RSAOSSL_SIGNATURE_PARAM_FIPS_APP ROVED_INDICATOR is 1 and OSSL_SIGNATURE_PARAM_FIPS_VERI FY_MESSAGE is 1RSA Public Key, messag e, signatu re, hash algorit hmPass or Fail
ECDSA Digital SignatureVerify a digital signatuCrypto Officer - EC PublicSignature Verificati on with ECDSAOSSL_SIGNATURE_PARAM_FIPS_APP ROVED_INDICATOR is 1 and OSSL_SIGNATURE_PARAM_FIPS_VERI FY_MESSAGE is 1EC Public Key, messagPass or Fail
Verificati onre using ECDSAKey: W,Ee, signatu re, hash algorit hm
EdDSA Digital Signature Verificati onVerify a digital signatu re using EdDSACrypto Officer - EdDSA Public Key: W,ESignature Verificati on with EdDSAEVP_PKEY_verify returns 1EdDSA Public Key, messag e, signatu re, hash algorit hmPass or Fail
RSA Key Pair Generati onGenera te an RSA key pairCrypto Officer - Module Generat ed RSA Private Key: G,R - Module Generat ed RSA Public Key: G,R - Interme diate Key Generat ion Value: G,E,ZKey Pair Generati on with RSAEVP_PKEY_keygen returns 1Modul us LengthModule Generat ed RSA Private Key, Module Generat ed RSA Public Key
ECDSA Key PairGenera te anCrypto OfficerKey Pair GeneratiOSSL_PKEY_PARAM_FIPS_APPROVED _INDICATOR is 1CurveModule Generat
Generati onEC key pair- Module Generat ed EC Private Key: G,R - Module Generat ed EC Public Key: G,R - Interme diate Key Generat ion Value: G,E,Zon with ECDSAed EC Private Key, Module Generat ed EC Public Key
EdDSA Key Pair Generati onGenera te an EdDSA key pairCrypto Officer - Module Generat ed EdDSA Private Key: G,R - Module Generat ed EdDSA Public Key: G,R - Interme diateKey Pair Generati on with EdDSAEVP_PKEY_keygen returns 1CurveModule Generat ed EdDSA Private Key, Module Generat ed EdDSA Public Key
Key Pair Generati on with Safe PrimesGenera te an DH key pairCrypto Officer - Module Generat ed DH Private Key: G,R - Module Generat ed DH Public Key: G,R - Interme diate Key Generat ion Value: G,E,ZKey Pair Generati on with Safe PrimesEVP_PKEY_keygen returns 1GroupModule Generat ed DH Private Key, Module Generat ed DH Public Key
Public Key Verificati on with ECDSAVerify an EC key pairCrypto Officer - EC Private Key: W,E - EC Public Key: W,EPublic Key Verificati on with ECDSAEVP_PKEY_public_check returns 1EC Private Key, EC Public KeyPass or Fail
Key Pair Verificati on withVerify a DHCrypto Officer - DHKey Pair Verificati on withEVP_PKEY_check or EVP_PKEY_public_check or EVP_PKEY_private_check returns 1DH Private Key,Pass or Fail
Safe Primeskey pairPrivate Key: W,E - DH Public Key: W,ESafe PrimesDH Public Key
Public Key Verificati on with EdDSAVerify an EdDSA key pairCrypto Officer - EdDSA Private Key: W,E - EdDSA Public Key: W,EPublic Key Verificati on with EdDSAEVP_PKEY_public_check returns 1EdDSA Public Key, EdDSA Private KeyPass or Fail
Show VersionReturn the name and version inform ationCrypto OfficerNoneNoneNoneModule name and version
Show StatusReturn the module statusCrypto OfficerNoneNoneNoneModule status
Self-TestPerfor m the CASTs and integrit y testCrypto OfficerDecrypti on with AES Authenti cated Encrypti on with AES Authenti cated Decrypti on withNoneNonePass or Fail of self- tests

Chainguard FIPS Provider for OpenSSL a s t W,E e W,E a e W,E a e W,E n n n W,E G,R © 2025 Chainguard, Inc., atsec information security.

Page 51

Chainguard FIPS Provider for OpenSSL s n keyderivati KeyDeriva n - KeyDerivati W,E G,R n n G,R W,E n n W,E G,R n n W,E G,R © 2025 Chainguard, Inc., atsec information security.

Page 52

Chainguard FIPS Provider for OpenSSL s n p n W,E p G,R n p n W,E p G,R n n W,E G,R n n d: W,E G,R © 2025 Chainguard, Inc., atsec information security.

Page 53

Chainguard FIPS Provider for OpenSSL s m W,E G,E (V, G,W,E (V, C): G,W,E a 1; G,R W,E W,E W,E W,E © 2025 Chainguard, Inc., atsec information security.

Page 54

Chainguard FIPS Provider for OpenSSL s W,E W,E a W,E a W,E a W,E e, W,E © 2025 Chainguard, Inc., atsec information security.

Page 55

Chainguard FIPS Provider for OpenSSL s e, W,E G,R G,R G,E,Z e, W,E © 2025 Chainguard, Inc., atsec information security.

Page 56

Chainguard FIPS Provider for OpenSSL s G,R G,R G,R G,R G,E,Z © 2025 Chainguard, Inc., atsec information security.

Page 57

Chainguard FIPS Provider for OpenSSL s G,E,Z G,R G,R G,E,Z W,E W,E © 2025 Chainguard, Inc., atsec information security.

Page 58

Chainguard FIPS Provider for OpenSSL s W,E W,E selftests W,E W,E © 2025 Chainguard, Inc., atsec information security.

Page 59

Chainguard FIPS Provider for OpenSSL s n n n © 2025 Chainguard, Inc., atsec information security.

Page 60
Service
NameDescriptionRole AccessCsps AccessedIndicatorInputOutput
Zeroizati onZeroize any SSPNoneCrypto Officer - AES Key: Z - HMAC Key: Z - KMACNoneAn SSPNone

Chainguard FIPS Provider for OpenSSL s n n n n n © 2025 Chainguard, Inc., atsec information security.

Page 61

Chainguard FIPS Provider for OpenSSL s - KeyDerivati Z Z d: Z p p © 2025 Chainguard, Inc., atsec information security.

Page 62

Chainguard FIPS Provider for OpenSSL s (V, © 2025 Chainguard, Inc., atsec information security.

Page 63

Chainguard FIPS Provider for OpenSSL s Z © 2025 Chainguard, Inc., atsec information security.

Page 64
Service
NameDescriptionCsps AccessedApproved FunctionsIndicatorInputOutputSecurity Function s
Key encapsul ationEncaps ulate a keyCrypto Officer - RSA Public Key: W,EKey encapsul ationOSSL_ASYM_CIPHER_PARAM_FIPS_A PPROVED_INDICATOR is 1RSA Public Key, Key to encaps ulateEncapsu lated key
Key un- encapsul ationUn- encaps ulate a keyCrypto Officer - RSA Private Key: W,EKey un- encapsul ationOSSL_ASYM_CIPHER_PARAM_FIPS_A PPROVED_INDICATOR is 1RSA Private Key, Key to un- encaps ulateUn- encapsu lated key
AES-GCM with Externally Generated IVEncrypt a plaintextAES-GCM encryption with external IVCrypto Officer
Message Authentication Code Generation with Non- Approved Key Length or Tag LengthCompute a MAC tagHMAC with key length < 112 bits KMAC with key length < 112 bits or tag length < 32 bitsCrypto Officer
Key Derivation with Non- Approved ParametersDerive a keyTLS 1.2 KDF without extended master secret or with SHA-1 or SHA2-224 or SHA2-512/224 or SHA2-512/256 or SHA-3 functions or with input secret length < 112 bits KBKDF with input key length < 112 bits SSH KDF with SHA2-512/224 or SHA2-512/256 or SHA-3 functions or input secret length < 112 bits TLS 1.3 KDF with SHA-1 or SHA2- 224 or SHA2-512/224 or SHA2-512 or SHA2-512/256 or SHA-3 functions or input secret length < 112 bits One step KDF, two step KDF, HKDF, ANS X9.42 KDF with input secret length < 112 bits ANS X9.63 KDF with SHA-1 or input secret length < 112 bitsCrypto Officer
Random Number GenerationGenerate a random numberHash_DRBG or HMAC_DRBG with SHA2-224 or SHA2-384 or SHA2-512/224 or SHA2-512/256 or SHA-3 functions or KMACCrypto Officer
Shared Secret Computation with Non-Approved ParametersCompute a shared secretECDH with P-192Crypto Officer
Non-approved Digital Signature GenerationGenerate a digital signature on a pre-hashed messageRSA SigGen with SHA-1 or X9.31 padding or modulus length < 2048 bits or PSS salt length > digestCrypto Officer
Non-approved Digital Signature VerificationVerify a digital signature of a pre-hashed messageRSA SigVer with modulus length < 2048 bits or PSS salt length > digest length or without hashing (primitive) ECDSA SigVer componentCrypto Officer
ECDSA Key Pair Generation with Non-Approved ParametersGenerate an EC key pairECDSA KeyGen with P-192Crypto Officer
Key ExchangePerform key agreement primitives on behalf of the calling process (does not establish keys into the module)X448 X25519Crypto Officer
Asymmetric Encryption/DecryptionPerform RSA OAEP encryption/decryptionRSA OAEP encryption/decryption with 1536-bit modulusCrypto Officer

Chainguard FIPS Provider for OpenSSL s (V, C): Z W,E Key unencapsul Unencaps unencaps Unencapsu Key unencapsul W,E Table 14: Approved Services The module provides services to operators that assume the available role. All services are described in detail in the API documentation (manual pages). The Approved Services table defines the services that utilize approved security functions in this module. For the respective tables, the convention below applies when specifying the access permissions (types) that the service has for each SSP.

Page 65

Chainguard FIPS Provider for OpenSSL To interact with the module, a calling application must use the EVP API layer provided by OpenSSL. This layer will delegate the request to the FIPS provider, which will in turn perform the requested service. Additionally, this EVP API layer can be used to retrieve the approved service indicator for the module. © 2025 Chainguard, Inc., atsec information security.

Page 66

Chainguard FIPS Provider for OpenSSL Table 15: Non-Approved Services

4.5 External Software/Firmware Loaded

The module does not have the capability of loading software or firmware from an external source. © 2025 Chainguard, Inc., atsec information security.

Page 67

Chainguard FIPS Provider for OpenSSL

5 Software/Firmware Security
5.1 Integrity Techniques

The integrity of the module is verified by comparing a HMAC-SHA2-256 value calculated at runtime with the HMAC-SHA2-256 value embedded in the fips.so file that was computed at build time.

5.2 Initiate on Demand

Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module (i.e., rebooting the system), which will perform (among others) the software integrity tests. © 2025 Chainguard, Inc., atsec information security.

Page 68

Chainguard FIPS Provider for OpenSSL

6 Operational Environment
6.1 Operational Environment Type and Requirements

Type of Operational Environment: Modifiable How Requirements are Satisfied: Any SSPs contained within the module are protected by the process isolation and memory separation mechanisms, and only the module has control over these SSPs. If the operating system is properly installed, it provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.

6.2 Configuration Settings and Restrictions

Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2025 Chainguard, Inc., atsec information security.

Page 69

Chainguard FIPS Provider for OpenSSL

7 Physical Security

The module is comprised of software only, and therefore this section is not applicable. © 2025 Chainguard, Inc., atsec information security.

Page 70

Chainguard FIPS Provider for OpenSSL

8 Non-Invasive Security

The module does not implement any non-invasive security mechanisms. © 2025 Chainguard, Inc., atsec information security.

Page 71
Sensitive security parameter
NameTypeDescription
RAMDynamicTemporary storage for SSPs used by the module as part of service execution. The module does not perform persistent storage of SSPs.
Service
NameTypeFromTo
API Input ParametersPlaintextOperator calling application (TOEPP)Cryptographic ModuleManualElectronic
API Output ParametersPlaintextCryptographic ModuleOperator Calling Application (TOEPP)ManualElectronic
ZeroizationDescriptionRationaleOperator Initiation
Method
Free Cipher HandleZeroizes the SSPs contained within the cipher handleMemory occupied by SSPs is overwritten with zeroes and then it is released, which renders the SSP values irretrievable. The successful completion of the zeroization routine indicates that theBy calling the cipher related zeroization API: EVP_CIPHER_CTX_free() clears and frees symmetric cipher context, EVP_MAC_CTX_free() clears and frees MAC context, EVP_KDF_CTX_free() clears and frees KDF context, EVP_RAND_CTX_free() clears and frees DRBG context, EVP_PKEY_free() clears and frees asymmetric key pair structures

Chainguard FIPS Provider for OpenSSL

9 Sensitive Security Parameters Management
9.1 Storage Areas

Table 16: Storage Areas SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls. Table 17: SSP Input-Output Methods operational environment. This corresponds to manual distribution, electronic entry/output (“CM Software to/from App via TOEPP Path”) per FIPS 140-3 IG 9.5.A Table 1. © 2025 Chainguard, Inc., atsec information security.

Page 72
Sensitive security parameter
NameTypeDescriptionStrengthUse
AES KeySymmetric key - CSPUsed for encryption, decryption, and message authentication128, 192, 256 bits - 128, 192, 256 bitsEncryption with AES Decryption with AES Authenticated Encryption with AES Authenticated Decryption with AES Message Authentication Code (MAC) Generation with AES
ZeroizationDescriptionRationaleOperator Initiation
Method
zeroization procedure succeeded.
AutomaticAutomatically zeroized by the module when no longer neededMemory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. The successful completion of the running service indicates that zeroization was completed.N/A
Module ResetDe-allocates the volatile memory used to store SSPsVolatile memory used by the module is overwritten within nanoseconds when power is removed. The successful completion of the module reset indicates that the zeroization procedure succeeded.By unloading and reloading the module

Chainguard FIPS Provider for OpenSSL N/A Table 18: SSP Zeroization Methods All data output is inhibited during zeroization. © 2025 Chainguard, Inc., atsec information security.

Page 73
Sensitive security parameter
NameTypeDescriptionStrengthGenerationUse
HMAC KeySymmetric key - CSPUsed for hash- based message authentication112-524288 bits - 112- 256 bitsMessage Authentication Code (MAC) Generation with HMAC
KMAC KeySymmetric key - CSPUsed for message authentication128-1024 bits - 112- 256 bitsMessage Authentication Code (MAC) Generation with KMAC
Key- Derivation KeySymmetric key - CSPUsed for key derivation112-4096 bits - 112- 256 bitsKey Derivation with KBKDF
Shared SecretShared secret - CSPGenerated by shared secret computation and used for key derivation224-8192 bits - 112- 256 bitsKey Derivation with KDA OneStep Key Derivation with KDA TwoStep Key Derivation with KDA HKDF Key Derivation with ANS X9.42 KDF Key Derivation with ANS X9.63 KDF Key Derivation with SSH KDF Key Derivation with TLS 1.2 KDF Key Derivation with TLS 1.3 KDFShared Secret Computation
PasswordPassword - CSPUsed for password- based key derivationAt least 8 characters - N/AKey Derivation with PBKDF2
PBKDF Derived KeySymmetric key - CSPGenerated by password- based key derivation112-4096 bits - 112- 256 bitsKey Derivation with PBKDF2
KBKDF Derived KeySymmetric key - CSPGenerated by key-based key derivation112-4096 bits - 112- 256 bitsKey Derivation with KBKDF
ANS X9.42 Derived KeySymmetric key - CSPGenerated by ANS X9.42 key derivation128-4096 bits - 112- 256 bitsKey Derivation with ANS X9.42 KDF
ANS X9.63 Derived KeySymmetric key - CSPGenerated by ANS X9.63 key derivation128-4096 bits - 112- 256 bitsKey Derivation with ANS X9.63 KDF
HKDF Derived KeySymmetric key - CSPGenerated by HKDF key derivation224-8192 bits - 112- 256 bitsKey Derivation with KDA HKDF
KDA OneStep Derived KeySymmetric key - CSPGenerated by OneStep KDA key derivation2048 bits - 112-256 bitsKey Derivation with KDA OneStep
KDA TwoStep Derived KeySymmetric key - CSPGenerated by TwoStep KDA key derivation2048 bits - 112-256 bitsKey Derivation with KDA TwoStep
TLS Derived KeySymmetric key - CSPGenerated by TLS KDF key derivation112-1024 bits - 112- 256 bitsKey Derivation with TLS 1.2 KDF Key Derivation with TLS 1.3 KDF
SSH KDF Derived KeySymmetric key - CSPGenerated by SSH KDF key derivation112-256 bits - 112-256 bitsKey Derivation with SSH KDF
Entropy InputEntropy input - CSPUsed for random number generation and seeding a DRBG (compliant with IG D.L)128-384 bits - 128-384 bits of entropyRandom Number Generation with a DRBG
DRBG Internal State (V, Key)Internal state - CSPUsed for random number generation (compliant with IG D.L)Counter DRBG V length: 128 bits; Counter DRBG Key length: 128, 192, 256 bits; HMAC DRBG V length: 160, 256, 512 bits; HMAC DRBG Key length: 160, 256, 512 bits - Counter DRBG: 128, 192, 256 bits; HMAC DRBG: 128, 256 bitsRandom Number Generation with a DRBGRandom Number Generation with a DRBG
DRBG Internal State (V, C)Internal state - CSPUsed for random number generation (compliant with IG D.L)440, 888 bits - 128, 256 bitsRandom Number Generation with a DRBGRandom Number Generation with a DRBG
DRBG SeedSeed - CSPUsed for random number generation (compliant with IG D.L)192-888 bits - 128-256 bitsRandom Number Generation with a DRBGRandom Number Generation with a DRBG

Chainguard FIPS Provider for OpenSSL bits - 112256 bits bits - 112256 bits KeyDerivation bits - 112256 bits bits - 112256 bits passwordbased © 2025 Chainguard, Inc., atsec information security.

Page 74

Chainguard FIPS Provider for OpenSSL passwordbased bits - 112256 bits bits - 112256 bits bits - 112256 bits bits - 112256 bits bits - 112256 bits bits - 112256 bits 1.2 © 2025 Chainguard, Inc., atsec information security.

Page 75

Chainguard FIPS Provider for OpenSSL a (V, V V a a a © 2025 Chainguard, Inc., atsec information security.

Page 76
Sensitive security parameter
NameTypeDescriptionStrengthUse
DH Private KeyPrivate key - CSPUsed for shared secret computation and key pair verificationffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- 2048, MODP- 3072, MODP- 4096, MODP- 6144, MODP- 8192 - 112- 200 bitsKey Pair Verification with Safe Primes Shared Secret Computation
DH Public KeyPublic key - PSPUsed for shared secret computation and key pair verificationffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- 2048, MODP- 3072, MODP- 4096, MODP- 6144, MODP- 8192 - 112- 200 bitsKey Pair Verification with Safe Primes Shared Secret Computation
EC Private KeyPrivate key - CSPUsed for shared secret computation, digital signature generation, and key pair verificationP-224, P- 256, P-384, P-521 - 112-256 bitsSignature Generation with ECDSA Public Key Verification with ECDSA Shared Secret Computation
EC Public KeyPublic key - PSPUsed for shared secret computation,P-192, P- 224, P-256, P-384, P-Signature Verification with ECDSA

Chainguard FIPS Provider for OpenSSL MODP2048, MODP3072, MODP4096, MODP6144, MODP8192 - 112200 bits MODP2048, MODP3072, MODP4096, MODP6144, MODP8192 - 112200 bits © 2025 Chainguard, Inc., atsec information security.

Page 77
Sensitive security parameter
NameTypeDescriptionStrengthStorageZeroizationUseInputStorage DurationRelated SSPs
EdDSA Private KeyPrivate key - CSPUsed for digital signature generation, and key pair verificationEd25519, Ed448 - 128, 224 bitsSignature Generation with EdDSA Public Key Verification with EdDSA
EdDSA Public KeyPublic key - PSPUsed for signature verification, and key pair verificationEd25519, Ed448 - 128, 224 bitsSignature Verification with EdDSA Public Key Verification with EdDSA
RSA Private KeyPrivate key - CSPUsed for signature generation, shared secret computation, and key un- encapsulation2048-16384 bits - 112- 256 bitsSignature Generation with RSA Shared Secret Computation Key un- encapsulation
RSA Public KeyPublic key - PSPUsed for signature verification, shared secret computation, and key encapsulation2048-16384 bits - 112- 256 bitsSignature Verification with RSA Shared Secret Computation Key encapsulation
Module Generated DH Private KeyPrivate key - CSPDH private key generated by the moduleffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- 2048, MODP- 3072, MODP- 4096,Key Pair Generation with Safe Primes
Module Generated DH Public KeyPublic key - PSPDH public key generated by the moduleffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- 2048, MODP- 3072, MODP- 4096, MODP- 6144, MODP- 8192 - 112- 200 bitsKey Pair Generation with Safe Primes
Module Generated EC Private KeyPrivate key - CSPEC private key generated by the moduleP-224, P- 256, P-384, P-521 - 112-256 bitsKey Pair Generation with ECDSA
Module Generated EC Public KeyPublic key - PSPEC public key generated by the moduleP-224, P- 256, P-384, P-521 - 112-256 bitsKey Pair Generation with ECDSA
Module Generated RSA Private KeyPrivate key - CSPRSA private key generated by the module2048-16384 bits - 112- 256 bitsKey Pair Generation with RSA
Module Generated RSA Public KeyPublic key - PSPRSA public key generated by the module2048-16384 bits - 112- 256 bitsKey Pair Generation with RSA
Intermediate Key Generation ValueIntermediate value - CSPUsed for key pair generation224-16384 bits - 112- 256 bitsKey Pair Generation with ECDSA Key Pair GenerationKey Pair Generation with ECDSA Key Pair
Generation with RSA Key Pair Generation with EdDSA Key Pair Generation with Safe Primeswith RSA Key Pair Generation with EdDSA Key Pair Generation with Safe PrimesGeneration with RSA Key Pair Generation with EdDSA Key Pair Generation with Safe Primes
Module Generated EdDSA Private KeyPrivate key - CSPEdDSA private key generated by the moduleEd25519, Ed448 - 128, 224 bitsKey Pair Generation with EdDSA
Module Generated EdDSA Public KeyPublic key - CSPEdDSA public key generated by the moduleEd25519, Ed448 - 128, 224 bitsKey Pair Generation with EdDSA
AES KeyRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
HMAC KeyRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
KMAC KeyRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
Key-Derivation KeyRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is resetKBKDF Derived Key:Derives
Shared SecretRAM:PlaintextFree Cipher HandleAPI Input ParametersUntil cipher handle is freed or module is resetDH Private Key:Generated From DH Public

Chainguard FIPS Provider for OpenSSL bits - 112256 bits unencapsulation bits - 112256 bits MODP2048, MODP3072, MODP4096, © 2025 Chainguard, Inc., atsec information security.

Page 78

Chainguard FIPS Provider for OpenSSL MODP6144, MODP8192 - 112200 bits MODP2048, MODP3072, MODP4096, MODP6144, MODP8192 - 112200 bits bits - 112256 bits bits - 112256 bits bits - 112256 bits © 2025 Chainguard, Inc., atsec information security.

Page 79
Sensitive security parameter
NameTypeDescriptionStrengthStorageZeroizationUseInputStorage DurationRelated SSPs
Generation with RSA Key Pair Generation with EdDSA Key Pair Generation with Safe Primeswith RSA Key Pair Generation with EdDSA Key Pair Generation with Safe PrimesGeneration with RSA Key Pair Generation with EdDSA Key Pair Generation with Safe Primes
Module Generated EdDSA Private KeyPrivate key - CSPEdDSA private key generated by the moduleEd25519, Ed448 - 128, 224 bitsKey Pair Generation with EdDSA
Module Generated EdDSA Public KeyPublic key - CSPEdDSA public key generated by the moduleEd25519, Ed448 - 128, 224 bitsKey Pair Generation with EdDSA
AES KeyRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
HMAC KeyRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
KMAC KeyRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
Key-Derivation KeyRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is resetKBKDF Derived Key:Derives
Shared SecretRAM:PlaintextFree Cipher HandleAPI Input ParametersUntil cipher handle is freed or module is resetDH Private Key:Generated From DH Public

Chainguard FIPS Provider for OpenSSL Table 19: SSP Table 1 © 2025 Chainguard, Inc., atsec information security.

Page 80
Sensitive security parameter
NameGenerationStorageZeroizationOutputStorage Duration
PasswordPBKDF Derived Key:DerivesRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
PBKDF Derived KeyPassword:Derived FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
KBKDF Derived KeyKey-Derivation Key:Derived FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
ANS X9.42 Derived KeyShared Secret:Derived FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
ANS X9.63 Derived KeyShared Secret:Derived FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
HKDF Derived KeyShared Secret:Derived FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
KDA OneStep Derived KeyShared Secret:Derived FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
KDA TwoStep Derived KeyShared Secret:Derived FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
TLS Derived KeyShared Secret:Derived FromRAM:PlaintextFree Cipher HandleAPI Output ParametersUntil cipher handle is freed or module is reset
SSH KDF Derived KeyShared Secret:Derived FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
Entropy InputDRBG Seed:GeneratesRAM:PlaintextAutomatic Module ResetUntil the DRBG has completed instantiation or module is reset
DRBG Internal State (V, Key)DRBG Seed:Generated FromRAM:PlaintextFree Cipher Handle Module ResetUntil cipher handle is freed or module is reset
DRBG Internal State (V, C)DRBG Seed:Generated FromRAM:PlaintextFree Cipher Handle Module ResetUntil cipher handle is freed or module is reset
DRBG SeedDRBG Internal State (V, Key):Generates DRBG Internal State (V, C):Generates Entropy Input:Generated FromRAM:PlaintextAutomatic Module ResetUntil the DRBG has completed instantiation or module is reset
DH Private KeyDH Public Key:Paired With Shared Secret:DerivesRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
DH Public KeyDH Private Key:Paired With Shared Secret:DerivesRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
EC Private KeyEC Public Key:Paired With Shared Secret:DerivesRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
EC Public KeyEC Private Key:Paired With Shared Secret:DerivesRAM:PlaintextFree Cipher HandleAPI Input ParametersUntil cipher handle is freed or module is reset
EdDSA Private KeyEdDSA Public Key:Paired WithRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
EdDSA Public KeyEdDSA Private Key:Paired WithRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
RSA Private KeyRSA Public Key:Paired With Shared Secret:DerivesRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
RSA Public KeyRSA Private Key:Paired With Shared Secret:DerivesRAM:PlaintextFree Cipher Handle Module ResetAPI Input ParametersUntil cipher handle is freed or module is reset
Module Generated DH Private KeyModule Generated DH Public Key:Paired With Intermediate Key Generation Value:Generated FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
Module Generated DH Public KeyModule Generated DH Private Key:Paired With Intermediate Key Generation Value:Generated FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
Module Generated EC Private KeyModule Generated EC Public Key:Paired With Intermediate Key Generation Value:Generated FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
Module Generated EC Public KeyModule Generated EC Private Key:Paired With Intermediate Key Generation Value:Generated FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
Module Generated RSA Private KeyModule Generated RSA Public Key:Paired With Intermediate Key Generation Value:Generated FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
Module Generated RSA Public KeyModule Generated RSA Private Key:Paired With Intermediate Key Generation Value:Generated FromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
Intermediate Key Generation ValueModule Generated DH Private Key:Generates Module Generated DH Public Key:Generates Module Generated EC Private Key:Generates Module Generated EC Public Key:Generates Module Generated RSA Private Key:Generates Module Generated RSA Public Key:Generates Module Generated EdDSA Private Key:Generates Module GeneratedRAM:PlaintextAutomaticFrom service invocation to service completion, or until module is reset
Module Generated EdDSA Private KeyModule Generated EdDSA Public Key:Paired With Intermediate Key Generation Value:Generated fromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset
Module Generated EdDSA Public KeyModule Generated EdDSA Private Key:Paired With Intermediate Key Generation Value:Generated fromRAM:PlaintextFree Cipher Handle Module ResetAPI Output ParametersUntil cipher handle is freed or module is reset

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 81

Chainguard FIPS Provider for OpenSSL (V, © 2025 Chainguard, Inc., atsec information security.

Page 82

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 83

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 84

Chainguard FIPS Provider for OpenSSL Table 20: SSP Table 2

9.5 Transitions

The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. © 2025 Chainguard, Inc., atsec information security.

Page 85
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorTest PropertiesConditions
HMAC- SHA2-256HMAC- SHA2-256Message AuthenticationSW/FW IntegrityIntegrity test for fips.so256-bit keyModule becomes operational and services are available for use
AES-ECBAES-ECBKATCASTSymmetric operationModule becomes operational and services are available for useDecrypt with 128- bit keyTest runs at power-on before the integrity test
AES-GCMAES-GCMKATCASTSymmetric operationModule becomes operational and services are available for useEncrypt and decrypt with 256- bit keyTest runs at power-on before the integrity test
SHA2-512SHA2-512KATCASTMessage digestModule becomes operational and services are available for use3-byte messageTest runs at power-on before the integrity test
SHA3-256SHA3-256KATCASTMessage digestModule becomes operational and services4-byte messageTest runs at power-on before the integrity test
Self test
NameAlgorithm Or TestTest MethodTest TypeDetailsIndicatorTest PropertiesConditions
HMAC- SHA2-256HMAC- SHA2-256Message AuthenticationSW/FW IntegrityIntegrity test for fips.so256-bit keyModule becomes operational and services are available for use
AES-ECBAES-ECBKATCASTSymmetric operationModule becomes operational and services are available for useDecrypt with 128- bit keyTest runs at power-on before the integrity test
AES-GCMAES-GCMKATCASTSymmetric operationModule becomes operational and services are available for useEncrypt and decrypt with 256- bit keyTest runs at power-on before the integrity test
SHA2-512SHA2-512KATCASTMessage digestModule becomes operational and services are available for use3-byte messageTest runs at power-on before the integrity test
SHA3-256SHA3-256KATCASTMessage digestModule becomes operational and services4-byte messageTest runs at power-on before the integrity test
Counter DRBGCounter DRBGKATCASTCompliant with SP 800-90Ar1 including health test per section 11.3Module becomes operational and services are available for use128 bit keys, DF, with PRTest runs at power-on before the integrity test
HMAC DRBGHMAC DRBGKATCASTCompliant with SP 800-90Ar1 including health test per section 11.3Module becomes operational and services are available for useHMAC-SHA-1, with PRTest runs at power-on before the integrity test
KAS-ECC- SSC Sp800- 56Ar3KAS-ECC- SSC Sp800- 56Ar3KATCASTShared secret computationModule becomes operational and services are available for useP-256 curveTest runs at power-on before the integrity test
KAS-FFC- SSC Sp800- 56Ar3KAS-FFC- SSC Sp800- 56Ar3KATCASTShared secret computationModule becomes operational and services are available for useffdhe2048Test runs at power-on before the integrity test
KDF SP800- 108KDF SP800- 108KATCASTKey based key derivationModule becomes operational and services are available for useHMAC-SHA2-256 with 128-bit key; KMAC-128 with 128-bit keyTest runs at power-on before the integrity test
KDA OneStep SP800-56Cr2KDA OneStep SP800-56Cr2KATCASTShared secret key derivationModule becomes operational and services are available for useSHA2-224Test runs at power-on before the integrity test
KDF ANS 9.42KDF ANS 9.42KATCASTIndustry-based ANS X9.42 key derivationModule becomes operationalSHA-1Test runs at power-on

Chainguard FIPS Provider for OpenSSL

10 Self-Tests

While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module does not return control to the calling application until the tests are completed. If any of these tests fail, the module transitions to the error state.

10.1 Pre-Operational Self-Tests

HMACSHA2-256 Table 21: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions to the operational state.

10.2 Conditional Self-Tests

© 2025 Chainguard, Inc., atsec information security.

Page 86

Chainguard FIPS Provider for OpenSSL KAS-ECCSSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 KDF SP800108 © 2025 Chainguard, Inc., atsec information security.

Page 87
Service
NameRole AccessApproved FunctionsTypePropertiesDetails
Module becomes operational and services are available for useTest runs at power-on before the integrity testKDF ANS 9.63CASTSHA2-256KATIndustry-based ANS X9.63 key derivation
Module becomes operational and services are available for useTest runs at power-on before the integrity testTLS v1.2 KDF RFC7627CASTSHA2-256KATIndustry-based TLS v1.2 KDF key derivation
Module becomes operational and services are available for useTest runs at power-on before the integrity testTLS v1.3 KDFCASTSHA2-256KATIndustry-based TLS v1.3 KDF key derivation
Module becomes operational and services are available for useTest runs at power-on before the integrity testPBKDFCASTHMAC-SHA2-256 with 200-bit derived key length, 24- character password, 4096 iterations, 288-bit salt,KATPassword-based key derivation
Module becomes operational and services are available for useTest runs at power-on before the integrity testKDA HKDF SP800-56Cr2CASTSHA2-256KATShared secret key derivation
Module becomes operational and services are available for useTest runs at power-on before the integrity testECDSA SigGen (FIPS186-5)CASTP-224 with SHA2- 256KATDigital signature generation

Chainguard FIPS Provider for OpenSSL 24character © 2025 Chainguard, Inc., atsec information security.

Page 88
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsTest PropertiesIndicatorConditions
ECDSA SigVer (FIPS186-5)ECDSA SigVer (FIPS186-5)KATCASTDigital signature verificationP-224 with SHA2- 256Module becomes operational and services are available for useTest runs at power-on before the integrity test
RSA SigGen (FIPS186-5)RSA SigGen (FIPS186-5)KATCASTDigital signature generationPKCS#1 v1.5 with 2048 bit key and SHA2-256Module becomes operational and services are available for useTest runs at power-on before the integrity test
EDDSA SigGen (FIPS186-5)EDDSA SigGen (FIPS186-5)KATCASTDigital signature generationEd25519; Ed4488Module becomes operational and services are available for useTest runs at power-on before the integrity test
RSA SigVer (FIPS186-5)RSA SigVer (FIPS186-5)KATCASTDigital signature verificationPKCS#1 v1.5 with 2048 bit key and SHA2-256Module becomes operational and services are available for useTest runs at power-on before the integrity test
EDDSA SigVer (FIPS186-5)EDDSA SigVer (FIPS186-5)KATCASTDigital signature verificationEd25519; Ed4488Module becomes operational and services are available for useTest runs at power-on before the integrity test
ECDSA KeyGen (FIPS186-5)ECDSA KeyGen (FIPS186-5)PCTPCTSignature generation & verificationSHA2-512Successful key pair generationKey pair generation
EDDSA KeyGen (FIPS186-5)EDDSA KeyGen (FIPS186-5)PCTPCTSignature generation & verificationN/ASuccessful key pair generationKey pair generation
RSA KeyGen (FIPS186-5)RSA KeyGen (FIPS186-5)PCTPCTEncryption & decryptionSection 6.4.1.1 of SP800-56Br2Successful key pair generationKey pair generation
Safe Primes Key GenerationSafe Primes Key GenerationPCTPCTSP 800- 56ARev3, 5.6.2.1.4Section 5.6.2.1.4 of SP800-56Arev3Successful key pair generationKey pair generation
Hash DRBGHash DRBGKATCASTCompliant with SP 800-90Ar1 including health test per section 11.3SHA2-256, with PRModule becomes operational and services are available for useTest runs at power-on before the integrity test
Entropy Source - RCT and APT start-up testEntropy Source - RCT and APT start-up testRCT and APTCASTEntropy source start- up test1024 samples. Repetition count test according to Section 4.4.1 and Adaptive proportion test according to Section 4.4.2 of SP 800-90BModule becomes operational and services are available for useEntropy source initialization
Entropy Source - RCT and APT continuous testEntropy Source - RCT and APT continuous testRCT and APTCASTEntropy source continuous testRepetition count test according to Section 4.4.1 and Adaptive proportion test according to Section 4.4.2 of SP 800-90BEntropy source is operationalContinuously when the entropy source is accessed
HMAC-SHA2-256HMAC-SHA2-256Message AuthenticationSW/FW IntegrityOn demandManually
AES-ECBAES-ECBKATCASTOn DemandManually
AES-GCMAES-GCMKATCASTOn DemandManually
SHA2-512SHA2-512KATCASTOn DemandManually
SHA3-256SHA3-256KATCASTOn DemandManually

Chainguard FIPS Provider for OpenSSL N/A & & & © 2025 Chainguard, Inc., atsec information security.

Page 89
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic MethodDetailsTest PropertiesIndicatorConditions
Safe Primes Key GenerationSafe Primes Key GenerationPCTPCTSP 800- 56ARev3, 5.6.2.1.4Section 5.6.2.1.4 of SP800-56Arev3Successful key pair generationKey pair generation
Hash DRBGHash DRBGKATCASTCompliant with SP 800-90Ar1 including health test per section 11.3SHA2-256, with PRModule becomes operational and services are available for useTest runs at power-on before the integrity test
Entropy Source - RCT and APT start-up testEntropy Source - RCT and APT start-up testRCT and APTCASTEntropy source start- up test1024 samples. Repetition count test according to Section 4.4.1 and Adaptive proportion test according to Section 4.4.2 of SP 800-90BModule becomes operational and services are available for useEntropy source initialization
Entropy Source - RCT and APT continuous testEntropy Source - RCT and APT continuous testRCT and APTCASTEntropy source continuous testRepetition count test according to Section 4.4.1 and Adaptive proportion test according to Section 4.4.2 of SP 800-90BEntropy source is operationalContinuously when the entropy source is accessed
HMAC-SHA2-256HMAC-SHA2-256Message AuthenticationSW/FW IntegrityOn demandManually
AES-ECBAES-ECBKATCASTOn DemandManually
AES-GCMAES-GCMKATCASTOn DemandManually
SHA2-512SHA2-512KATCASTOn DemandManually
SHA3-256SHA3-256KATCASTOn DemandManually
Counter DRBGCounter DRBGKATCASTOn DemandManually
HMAC DRBGHMAC DRBGKATCASTOn DemandManually
KAS-ECC-SSC Sp800-56Ar3KAS-ECC-SSC Sp800-56Ar3KATCASTOn DemandManually
KAS-FFC-SSC Sp800-56Ar3KAS-FFC-SSC Sp800-56Ar3KATCASTOn DemandManually
KDF SP800-108KDF SP800-108KATCASTOn DemandManually
KDA OneStep SP800-56Cr2KDA OneStep SP800-56Cr2KATCASTOn DemandManually
KDF ANS 9.42KDF ANS 9.42KATCASTOn DemandManually
KDF ANS 9.63KDF ANS 9.63KATCASTOn DemandManually
TLS v1.2 KDF RFC7627TLS v1.2 KDF RFC7627KATCASTOn DemandManually
TLS v1.3 KDFTLS v1.3 KDFKATCASTOn DemandManually
PBKDFPBKDFKATCASTOn DemandManually
KDA HKDF SP800- 56Cr2KDA HKDF SP800- 56Cr2KATCASTOn DemandManually
ECDSA SigGen (FIPS186-5)ECDSA SigGen (FIPS186-5)KATCASTOn DemandManually
ECDSA SigVer (FIPS186-5)ECDSA SigVer (FIPS186-5)KATCASTOn DemandManually
RSA SigGen (FIPS186-5)RSA SigGen (FIPS186-5)KATCASTOn DemandManually
EDDSA SigGen (FIPS186-5)EDDSA SigGen (FIPS186-5)KATCASTOn DemandManually
RSA SigVer (FIPS186-5)RSA SigVer (FIPS186-5)KATCASTOn DemandManually
EDDSA SigVer (FIPS186-5)EDDSA SigVer (FIPS186-5)KATCASTOn DemandManually
ECDSA KeyGen (FIPS186-5)ECDSA KeyGen (FIPS186-5)PCTPCTOn DemandManually
EDDSA KeyGen (FIPS186-5)EDDSA KeyGen (FIPS186-5)PCTPCTOn DemandManually
RSA KeyGen (FIPS186-5)RSA KeyGen (FIPS186-5)PCTPCTOn DemandManually

Chainguard FIPS Provider for OpenSSL 80056ARev3, 5.6.2.1.4 Table 22: Conditional Self-Tests

10.3 Periodic Self-Test Information

Table 23: Pre-Operational Periodic Information © 2025 Chainguard, Inc., atsec information security.

Page 90

Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.

Page 91
Self test
NameAlgorithm Or TestTest MethodTest TypePeriodPeriodic Method
Safe Primes Key GenerationSafe Primes Key GenerationPCTPCTOn DemandManually
Hash DRBGHash DRBGKATCASTOn DemandManually
Entropy Source - RCT and APT start- up testEntropy Source - RCT and APT start- up testRCT and APTCASTOn DemandManually
Entropy Source - RCT and APT continuous testEntropy Source - RCT and APT continuous testRCT and APTCASTOn DemandManually
Service
NameDescriptionRole AccessIndicator
Power-up errorAn error occurred during the integrity test or CAST failureSoftware integrity test failure CAST failureModule not loadedRe-initialization of the module
PCT errorAn error occurred during a PCTPCT failureCryptographic functionality is blockedRe-initialization of the module

Chainguard FIPS Provider for OpenSSL Table 24: Conditional Periodic Information

10.4 Error States

Table 25: Error States In any error state, the output interface is inhibited, and the module cannot perform cryptographic operations.

10.5 Operator Initiation of Self-Tests

The software integrity test and cryptographic algorithm self-tests can be invoked on demand by unloading and subsequently re-initializing the module. The PCTs can be invoked on demand by requesting the key pair generation service. © 2025 Chainguard, Inc., atsec information security.

Page 92

Chainguard FIPS Provider for OpenSSL

11 Life-Cycle Assurance

All configuration items are uniquely identified by a compound value consisting of the package apk full version and revision number plus architecture with the git commit SHA1 value.

11.1 Installation, Initialization, and Startup Procedures

No installation, initialization, or startup steps are required as the module is pre-built into the images that the vendor provides.

11.2 Administrator Guidance

To verify that the module is prebuilt into a Chainguard image, the Crypto Officer must review the image specification (e.g. Chainguard Console SBOM tab, SPDX image attestation, apk installed package database, syft output, AWS Inspector) to ensure it contains the package “openssl-fips-provider-3.4.0” version “3.4.0-r4”. The Crypto Officer must verify the name and version of the module. This is done by retrieving the parameters OSSL_PROV_PARAM_NAME and OSSL_PROV_PARAM_BUILDINFO from the module. Since there can be several providers for OpenSSL, and since only the “fips” provider is the module, the Crypto Officer must ensure that the “fips” provider of OpenSSL is queried when retrieving these parameters and when requesting any other services. OSSL_PROV_PARAM_NAME must have the value: “Chainguard FIPS Provider for OpenSSL” OSSL_PROV_PARAM_BUILDINFO must have the value: “3.4.0-r4” The Approved and non-Approved modes of operation are specified in section 2.4. The administrative functions are specified in the Approved Services table. All the logical interfaces are specified in section 3.1. The requirements and restrictions that shall be considered when operating the module in approved mode are specified in section 2.7 and section 6.

11.3 Non-Administrator Guidance

There is no non-administrator guidance.

11.4 End of Life

As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. © 2025 Chainguard, Inc., atsec information security.

Page 93

Chainguard FIPS Provider for OpenSSL

12 Mitigation of Other Attacks
12.1 Attack List

Certain cryptographic subroutines and algorithms are vulnerable to timing analysis. The module mitigates this vulnerability by using constant-time implementations. This includes, but is not limited to:

12.2 Mitigation Effectiveness

RSA, ECDSA, ECDH, and DH employ blinding techniques to further impede timing and power analysis.

12.3 Guidance and Constraints

No configuration is needed to enable the aforementioned countermeasures. © 2025 Chainguard, Inc., atsec information security.

Page 94

Chainguard FIPS Provider for OpenSSL A Glossary and Abbreviations AES Advanced Encryption Standard AESNI Advanced Encryption Standard New Instructions API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CBC-MAC Cipher Block Chaining Message Authentication Code CCM Counter with Cipher Block Chain-Message Authentication Code CCP Cryptographic Co-Processor CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter CTS Ciphertext Stealing DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptographic ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EVP Envelope FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HMAC Keyed-Hash Message Authentication Code IG International Guidance IKE Internet Key Exchange IV Initialization Vector © 2025 Chainguard, Inc., atsec information security.

Page 95

Chainguard FIPS Provider for OpenSSL KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-Based Derivation Function KMAC KECCAK Message Authentication Code KW Key Wrap KWP Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OEAP Optimal Asymmetric Encryption Padding OFB Output Feedback PAA Processor Algorithm Acceleration PBKDF2 Password-based Key Derivation Function v2 PCT Pair-wise Consistency Test PKI Public Key Infrastructure PSP Public Security Parameter PSS Probabilistic Signature Scheme RSA Rivest Shamir Adleman RSADP RSA Decryption Primitive RSAEP RSA Encryption Primitive SHA Secure Hash Algorithm SHAKE Secure Hash Algorithm with Keccak SSC Shared Secret Computation SSH Secure Shell SSP Sensitive Security Parameter TLS Transport Layer Security TOEPP Tested Operational Environment’s Physical Perimeter XOF Extendable Output Function XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Chainguard, Inc., atsec information security.

Page 96

Chainguard FIPS Provider for OpenSSL B References ANS X9.42-2001 Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 ANS X9.63-2001 Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS 180-4 Secure Hash Standard (SHS) August 2015 https://doi.org/10.6028/NIST.FIPS.180-4 FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://doi.org/10.6028/NIST.FIPS.180-4 FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://doi.org/10.6028/NIST.FIPS.186-5 FIPS 197 Advanced Encryption Standard (AES) November 2001; Updated May 2023 https://doi.org/10.6028/NIST.FIPS.197-upd1 FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC) July 2008 https://doi.org/10.6028/NIST.FIPS.198-1 FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://doi.org/10.6028/NIST.FIPS.202 PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt © 2025 Chainguard, Inc., atsec information security.

Page 97

Chainguard FIPS Provider for OpenSSL RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://doi.org/10.6028/NIST.SP.800-90Ar1 SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP 800-108r1 Recommendation for Key Derivation Using Pseudorandom Functions August 2022; Updated February 2024 https://doi.org/10.6028/NIST.SP.800-108r1-upd1 SP 800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP 800-140Br1 Cryptographic Module Validation Program (CMVP) Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B November 2023 https://doi.org/10.6028/NIST.SP.800-140Br1 © 2025 Chainguard, Inc., atsec information security.

Referenced URLs