| Standard | FIPS 140-3 |
|---|---|
| Overall level | 1 |
| Module type | Software |
| Embodiment | Multi-Chip Stand Alone |
| Status | Active |
| Sunset date | 1/13/2031 |
| Caveat | When operated in approved mode. No assurance of minimum security of SSPs (e.g., keys, bit strings) that are externally loaded, or of SSPs established with externally loaded SSPs. |
| Vendor | Chainguard, Inc. |
| Algorithm | ACVP Cert |
|---|---|
| AES-CBC | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-CBC-CS1 | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-CBC-CS2 | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-CBC-CS3 | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-CCM | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-CFB1 | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-CFB128 | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-CFB8 | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-CMAC | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-CTR | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-ECB | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-GCM | A6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699 |
| AES-GMAC | A6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699 |
| AES-KW | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-KWP | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-OFB | A6678, A6679, A6680, A6690, A6691, A6700 |
| AES-XTS Testing Revision 2.0 | A6678, A6679, A6680, A6690, A6691, A6700 |
| Counter DRBG | A6675 |
| ECDSA KeyGen (FIPS186-5) | A6666, A6668, A6683, A6684, A6685, A6686 |
| ECDSA KeyVer (FIPS186-4) | A6666, A6668, A6683, A6684, A6685, A6686 |
| ECDSA KeyVer (FIPS186-5) | A6666, A6668, A6683, A6684, A6685, A6686 |
| ECDSA SigGen (FIPS186-5) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 |
| ECDSA SigVer (FIPS186-4) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 |
| ECDSA SigVer (FIPS186-5) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 |
| EDDSA KeyGen | A6676 |
| EDDSA KeyVer | A6676 |
| EDDSA SigGen | A6676 |
| EDDSA SigVer | A6676 |
| Hash DRBG | A6675 |
| HMAC DRBG | A6675 |
| HMAC-SHA-1 | A6666, A6668, A6683, A6684, A6685, A6686 |
| HMAC-SHA2-224 | A6666, A6668, A6683, A6684, A6685, A6686 |
| HMAC-SHA2-256 | A6666, A6667, A6668, A6683, A6684, A6685, A6686 |
| HMAC-SHA2-384 | A6666, A6668, A6683, A6684, A6685, A6686 |
| HMAC-SHA2-512 | A6666, A6668, A6683, A6684, A6685, A6686 |
| HMAC-SHA2- 512/224 | A6666, A6668, A6683, A6684, A6685, A6686 |
| HMAC-SHA2- 512/256 | A6666, A6668, A6683, A6684, A6685, A6686 |
| HMAC-SHA3-224 | A6670, A6671, A6687, A6688, A6689 |
| HMAC-SHA3-256 | A6670, A6671, A6687, A6688, A6689 |
| HMAC-SHA3-384 | A6670, A6671, A6687, A6688, A6689 |
| HMAC-SHA3-512 | A6670, A6671, A6687, A6688, A6689 |
| KAS-ECC-SSC Sp800-56Ar3 | A6666, A6668, A6683, A6684, A6685, A6686 |
| KAS-FFC-SSC Sp800-56Ar3 | A6674 |
| KAS-IFC-SSC | A6668 |
| KDA HKDF SP800- 56Cr2 | A6673 |
| KDA OneStep SP800-56Cr2 | A6672 |
| KDA TwoStep SP800-56Cr2 | A6672 |
| KDF ANS 9.42 (CVL) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 |
| KDF ANS 9.63 (CVL) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 |
| KDF KMAC Sp800- 108r1 | A6677 |
| KDF SP800-108 | A6677 |
| KDF SSH (CVL) | A6666, A6668, A6669, A6683, A6684, A6685, A6686 |
| KTS-IFC | A6666, A6668, A6683, A6684, A6685, A6686 |
| PBKDF | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 |
| RSA KeyGen (FIPS186-5) | A6666, A6668, A6683, A6684, A6685, A6686 |
| RSA SigGen (FIPS186-5) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 |
| RSA SigVer (FIPS186-4) | A6666, A6668, A6683, A6684, A6685, A6686 |
| RSA SigVer (FIPS186-5) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 |
| SHA-1 | A6666, A6668, A6683, A6684, A6685, A6686 |
| SHA2-224 | A6666, A6668, A6683, A6684, A6685, A6686 |
| SHA2-256 | A6666, A6667, A6668, A6683, A6684, A6685, A6686 |
| SHA2-384 | A6666, A6668, A6683, A6684, A6685, A6686 |
| SHA2-512 | A6666, A6668, A6683, A6684, A6685, A6686 |
| SHA2-512/224 | A6666, A6668, A6683, A6684, A6685, A6686 |
| SHA2-512/256 | A6666, A6668, A6683, A6684, A6685, A6686 |
| SHA3-224 | A6670, A6671, A6687, A6688, A6689 |
| SHA3-256 | A6670, A6671, A6687, A6688, A6689 |
| SHA3-384 | A6670, A6671, A6687, A6688, A6689 |
| SHA3-512 | A6670, A6671, A6687, A6688, A6689 |
| SHAKE-128 | A6670, A6671, A6687, A6688, A6689 |
| SHAKE-256 | A6670, A6671, A6687, A6688, A6689 |
| TLS v1.2 KDF RFC7627 (CVL) | A6666, A6668, A6683, A6684, A6685, A6686 |
| TLS v1.3 KDF (CVL) | A6673 |
| Requirement area | Level |
|---|---|
| Cryptographic Module Specification | 2 |
| Cryptographic Module Interfaces | 3 |
| Roles, Services, and Authentication | 4 |
| Software/Firmware Security | 5 |
| Operational Environment | 6 |
| Self-Tests | 1 |
| Mitigation of Other Attacks | 1 |
flowchart LR
%% Deterministic review-risk graph for Chainguard FIPS Provider for OpenSSL
%% Review prompts and evidence gaps, NOT vulnerability findings.
subgraph CMVP["CMVP-disclosed clues"]
C2["[low] Firmware update / recovery<br/>/ rollback (referenced in<br/>text)<br/><i>Update<br/>Recovery</i>"]
C3["[high] Unauthenticated /<br/>self-test / status service<br/>surface<br/><i>Encryption with AES<br/>Decryption with AES<br/>Show Status</i>"]
C5["[low] Protocol / secure-channel<br/>references (may be KDF<br/>names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i>"]
C6["[low] Operating system / runtime<br/>referenced (boundary<br/>membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i>"]
end
subgraph Inference["Derived inference"]
I2["Possible only, trusted<br/>code is reachable through<br/>update and recovery paths."]
I3["Some services may process<br/>input before, or without,<br/>operator authentication."]
I5["Possible only, a protocol<br/>is referenced, but whether<br/>it is a live channel or<br/>only a KDF/algorithm name<br/>is unconfirmed."]
I6["Possible only, a<br/>runtime/OS is referenced,<br/>but its membership in the<br/>cryptographic boundary is<br/>not established."]
end
subgraph Risk["Reviewer question"]
R2["Are update images<br/>authenticated before<br/>parsing, and are<br/>downgrade/rollback paths<br/>constrained?"]
R3["Can unauthenticated<br/>services leak state,<br/>consume resources, or<br/>transition security state?"]
R5["If a live TLS/SSH/IKE<br/>channel exists, could<br/>library CVEs apply, or is<br/>this only a<br/>KDF/documentation name?"]
R6["If the OS/runtime is<br/>in-boundary, could its<br/>CVEs be hidden by<br/>firmware-only versioning?"]
end
subgraph Evidence["Evidence needed to close"]
E2["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>update image format ·<br/>signature-before-parse<br/>proof · anti-rollback /<br/>downgrade policy"]
E3["pre-auth reachability<br/>matrix · rate limits and<br/>output redaction ·<br/>abuse-case tests"]
E5["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>library identity and<br/>version ·<br/>certificate-validation<br/>behaviour · protocol-CVE<br/>disposition"]
E6["confirm the disclosure<br/>itself (keyword hit,<br/>context unverified) ·<br/>runtime identity and<br/>config · kernel/runtime<br/>hardening profile ·<br/>patch/backport manifest"]
end
C2 --> I2 --> R2 --> E2
C3 --> I3 --> R3 --> E3
C5 --> I5 --> R5 --> E5
C6 --> I6 --> R6 --> E6
classDef clue fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef infer fill:#fff7e6,stroke:#b98500,color:#6b4e00;
classDef risk fill:#fbe9e9,stroke:#b02a2a,color:#7a1f1f;
classDef evidence fill:#e6f4ea,stroke:#1e7d34,color:#14532d;
class C2,C3,C5,C6 clue;
class I2,I3,I5,I6 infer;
class R2,R3,R5,R6 risk;
class E2,E3,E5,E6 evidence;flowchart LR
%% Deterministic clue tier for Chainguard FIPS Provider for OpenSSL
%% confidence: high = structured record field; medium = structured but soft; low (dashed) = bare keyword hit, context unverified
subgraph CMVP["CMVP-disclosed clues (deterministic)"]
C2["[low] Firmware update / recovery / rollback (referenced in text)<br/><i>Update<br/>Recovery</i><br/>src: text:keyword"]
C3["[high] Unauthenticated / self-test / status service surface<br/><i>Encryption with AES<br/>Decryption with AES<br/>Show Status</i><br/>src: securityPolicy.services"]
C5["[low] Protocol / secure-channel references (may be KDF names, not a live channel)<br/><i>TLS<br/>SSH<br/>HTTPS</i><br/>src: text:keyword"]
C6["[low] Operating system / runtime referenced (boundary membership not asserted)<br/><i>operating system<br/>linux<br/>kernel</i><br/>src: text:keyword"]
end
classDef clueHigh fill:#eef3f9,stroke:#2f6fb0,stroke-width:2px,color:#1f3a5f;
classDef clueMedium fill:#eef3f9,stroke:#6f7f91,color:#1f3a5f;
classDef clueLow fill:#f7f7f7,stroke:#999,stroke-dasharray:4 4,color:#444;
class C2,C5,C6 clueLow;
class C3 clueHigh;Chainguard, Inc. Chainguard FIPS Provider for OpenSSL Document Version: 1.1 Last Update: 2025-12-27 Prepared by: atsec information security corporation
Austin, TX 78759 www.atsec.com © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL Table of Contents 1.1 © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL List of Tables © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL List of Figures © 2025 Chainguard, Inc., atsec information security.
| Name | ISO Section | Requirement | Level |
|---|---|---|---|
| 1 | 1 | General | 1 |
| 2 | 2 | Cryptographic module specification | 1 |
| 3 | 3 | Cryptographic module interfaces | 1 |
| 4 | 4 | Roles, services, and authentication | 1 |
| 5 | 5 | Software/Firmware security | 1 |
| 6 | 6 | Operational environment | 1 |
| 7 | 7 | Physical security | N/A |
| 8 | 8 | Non-invasive security | N/A |
| 9 | 9 | Sensitive security parameter management | 1 |
| 10 | 10 | Self-tests | 1 |
| 11 | 11 | Life-cycle assurance | 1 |
| 12 | 12 | Mitigation of other attacks | 1 |
| Overall Level | Overall Level | 1 |
Chainguard FIPS Provider for OpenSSL 1.1 Overview The present document is the non-proprietary FIPS 140-3 Security Policy for the Chainguard FIPS Provider for OpenSSL which will also be referred to as “the module” and “the cryptographic module” throughout this document. This Security Policy specifies the security rules under which the module must operate to meet the FIPS 140-3 Level 1 requirements.
In preparing the Security Policy document, the laboratory formatted the vendor-supplied documentation for consolidation without altering the technical statements therein contained. The further refining of the Security Policy document was conducted iteratively throughout the conformance testing, wherein the Security Policy was submitted to the vendor, who would then edit, modify, and add technical contents. The vendor would also supply additional documentation, which the laboratory formatted into the existing Security Policy, and resubmitted to the vendor for their final editing. © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL
Purpose and Use: The Chainguard FIPS Provider for OpenSSL (hereafter referred to as “the module”) is defined as a software module in a multi-chip standalone embodiment. It is a software library that provides a C language application program interface (API) for use by other applications that require cryptographic functionality. Module Type: Software Module Embodiment: MultiChipStand Module Characteristics: Cryptographic Boundary: The module consists of one software component, the “FIPS provider” i.e., fips.so (depicted in orange color in Figure 1), that forms the module’s cryptographic boundary which implements the FIPS requirements, and the cryptographic functionality. Components depicted in white color in Figure 1 are only included in the diagram for informational purposes. They are not included in the cryptographic boundary (and therefore not part of the module’s validation). For example, the kernel is responsible for managing system calls issued by the module itself, as well as other applications using the module for cryptographic services. Tested Operational Environment’s Physical Perimeter (TOEPP): Figure 1 shows the physical perimeter of the operational environment (a general-purpose computer on which the module is installed) is indicated by a purple dashed line. Figure 1: Block Diagram
Tested Module Identification
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488C | 3.4.0-r4 | N/A | fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488C | HMAC-SHA2-256 | ||||||
| fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton3 | 3.4.0-r4 | N/A | fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton3 | HMAC-SHA2-256 | ||||||
| Chainguard Image 20230214 on Amazon Linux 2023 | Chainguard Image 20230214 on Amazon Linux 2023 | EC2 m7i.metal- 24xl | 3.4.0-r4 | Intel Sapphire Rapids Xeon Platinum 8488C | No | N/A | ||||
| Chainguard Image 20230214 on Amazon Linux 2023 | Chainguard Image 20230214 on Amazon Linux 2023 | EC2 m7g.metal | 3.4.0-r4 | Amazon Graviton3 AWS Graviton3 | No | N/A | ||||
| Chainguard Image 20230214 on Amazon Linux 2023 | Chainguard Image 20230214 on Amazon Linux 2023 | EC2 m7i.metal- 24xl | 3.4.0-r4 | Intel Sapphire Rapids Xeon Platinum 8488C | Yes | N/A | ||||
| Chainguard Image 20230214 on Amazon Linux 2023 | Chainguard Image 20230214 on Amazon Linux 2023 | EC2 m7g.metal | 3.4.0-r4 | Amazon Graviton3 AWS Graviton3 | Yes | N/A | ||||
| glibc 2.34+ (Host) | glibc 2.34+ (Host) | Generic Hardware Platform ELF x86-64-v2+ | ||||||||
| glibc 2.34+ (Host) | glibc 2.34+ (Host) | Generic Hardware Platform ELF ARMv8a+ | ||||||||
| AlmaLinux 9 | AlmaLinux 9 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| AlmaLinux 9 | AlmaLinux 9 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| AlmaLinux 10 | AlmaLinux 10 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488C | 3.4.0-r4 | N/A | fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488C | HMAC-SHA2-256 | ||||||
| fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton3 | 3.4.0-r4 | N/A | fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton3 | HMAC-SHA2-256 | ||||||
| Chainguard Image 20230214 on Amazon Linux 2023 | Chainguard Image 20230214 on Amazon Linux 2023 | EC2 m7i.metal- 24xl | 3.4.0-r4 | Intel Sapphire Rapids Xeon Platinum 8488C | No | N/A | ||||
| Chainguard Image 20230214 on Amazon Linux 2023 | Chainguard Image 20230214 on Amazon Linux 2023 | EC2 m7g.metal | 3.4.0-r4 | Amazon Graviton3 AWS Graviton3 | No | N/A | ||||
| Chainguard Image 20230214 on Amazon Linux 2023 | Chainguard Image 20230214 on Amazon Linux 2023 | EC2 m7i.metal- 24xl | 3.4.0-r4 | Intel Sapphire Rapids Xeon Platinum 8488C | Yes | N/A | ||||
| Chainguard Image 20230214 on Amazon Linux 2023 | Chainguard Image 20230214 on Amazon Linux 2023 | EC2 m7g.metal | 3.4.0-r4 | Amazon Graviton3 AWS Graviton3 | Yes | N/A | ||||
| glibc 2.34+ (Host) | glibc 2.34+ (Host) | Generic Hardware Platform ELF x86-64-v2+ | ||||||||
| glibc 2.34+ (Host) | glibc 2.34+ (Host) | Generic Hardware Platform ELF ARMv8a+ | ||||||||
| AlmaLinux 9 | AlmaLinux 9 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| AlmaLinux 9 | AlmaLinux 9 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| AlmaLinux 10 | AlmaLinux 10 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI |
| Name | Operating System | Hardware Platform | Firmware Version | Software Version | Processor | Paa Pai | Hypervisor | Features | Package | Integrity Test |
|---|---|---|---|---|---|---|---|---|---|---|
| fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488C | 3.4.0-r4 | N/A | fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488C | HMAC-SHA2-256 | ||||||
| fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton3 | 3.4.0-r4 | N/A | fips.so on Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton3 | HMAC-SHA2-256 | ||||||
| Chainguard Image 20230214 on Amazon Linux 2023 | Chainguard Image 20230214 on Amazon Linux 2023 | EC2 m7i.metal- 24xl | 3.4.0-r4 | Intel Sapphire Rapids Xeon Platinum 8488C | No | N/A | ||||
| Chainguard Image 20230214 on Amazon Linux 2023 | Chainguard Image 20230214 on Amazon Linux 2023 | EC2 m7g.metal | 3.4.0-r4 | Amazon Graviton3 AWS Graviton3 | No | N/A | ||||
| Chainguard Image 20230214 on Amazon Linux 2023 | Chainguard Image 20230214 on Amazon Linux 2023 | EC2 m7i.metal- 24xl | 3.4.0-r4 | Intel Sapphire Rapids Xeon Platinum 8488C | Yes | N/A | ||||
| Chainguard Image 20230214 on Amazon Linux 2023 | Chainguard Image 20230214 on Amazon Linux 2023 | EC2 m7g.metal | 3.4.0-r4 | Amazon Graviton3 AWS Graviton3 | Yes | N/A | ||||
| glibc 2.34+ (Host) | glibc 2.34+ (Host) | Generic Hardware Platform ELF x86-64-v2+ | ||||||||
| glibc 2.34+ (Host) | glibc 2.34+ (Host) | Generic Hardware Platform ELF ARMv8a+ | ||||||||
| AlmaLinux 9 | AlmaLinux 9 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| AlmaLinux 9 | AlmaLinux 9 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| AlmaLinux 10 | AlmaLinux 10 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| AlmaLinux 10 | AlmaLinux 10 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Amazon Linux 2 | Amazon Linux 2 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| Amazon Linux 2 | Amazon Linux 2 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Amazon Linux 2023 | Amazon Linux 2023 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| Amazon Linux 2023 | Amazon Linux 2023 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Azure Linux 2 | Azure Linux 2 | Azure Esv5-series with Intel Xeon Platinum 8473C, PAA/PAI, under Azure Host Hypervisor | ||||||||
| Azure Linux 2 | Azure Linux 2 | Azure Dpsv6-series with Azure Cobalt 100, PAA/PAI, under Azure Host Hypervisor | ||||||||
| Azure Linux 3 | Azure Linux 3 | Azure Esv5-series with Intel Xeon Platinum 8473C, PAA/PAI, under Azure Host Hypervisor | ||||||||
| Azure Linux 3 | Azure Linux 3 | Azure Dpsv6-series with Azure Cobalt 100, PAA/PAI, under Azure Host Hypervisor | ||||||||
| Bottlerocket | Bottlerocket | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488CC, PAA/PAI | ||||||||
| Bottlerocket | Bottlerocket | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Centos Stream 9 | Centos Stream 9 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| Centos Stream 9 | Centos Stream 9 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Centos Stream 10 | Centos Stream 10 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| Centos Stream 10 | Centos Stream 10 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Chainguard | Chainguard | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| Chainguard | Chainguard | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Chainguard (Host) | Chainguard (Host) | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| Chainguard (Host) | Chainguard (Host) | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Chainguard (Host) | Chainguard (Host) | Azure Esv5-series with Intel Xeon Platinum 8473C, PAA/PAI, under Azure Host Hypervisor | ||||||||
| Chainguard (Host) | Chainguard (Host) | Azure Dpsv6-series with Azure Cobalt 100, PAA/PAI, under Azure Host Hypervisor | ||||||||
| Chainguard (Host) | Chainguard (Host) | GCP c3-highcpu-192-metal with Intel Xeon Platinum 8481C, PAA/PAI, under Titanium | ||||||||
| Chainguard (Host) | Chainguard (Host) | GCP c4a with Google Axion, PAA/PAI | ||||||||
| Chainguard (Host) | Chainguard (Host) | Raspberry Pi 5 B Rev 1.0 8GB with Broadcom BCM2712, PAA/PAI | ||||||||
| Debian 12 Bookworm | Debian 12 Bookworm | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| Debian 12 Bookworm | Debian 12 Bookworm | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Debian 13 Trixie | Debian 13 Trixie | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| Debian 13 Trixie | Debian 13 Trixie | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Google COS | Google COS | GCP c3-highcpu-192-metal with Intel Xeon Platinum 8481C | ||||||||
| Google COS | Google COS | GCP c4a with Google Axion, PAA/PAI, under Titanium | ||||||||
| RHEL 9 | RHEL 9 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| RHEL 9 | RHEL 9 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| RHEL 10 | RHEL 10 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| RHEL 10 | RHEL 10 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| RockyLinux 9 | RockyLinux 9 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| RockyLinux 9 | RockyLinux 9 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| RockyLinux 10 | RockyLinux 10 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| RockyLinux 10 | RockyLinux 10 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| SUSE Linux Enterprise Server 15 SP6 | SUSE Linux Enterprise Server 15 SP6 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| SUSE Linux Enterprise Server 15 SP6 | SUSE Linux Enterprise Server 15 SP6 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| SUSE Linux Enterprise Server 16 Public RC | SUSE Linux Enterprise Server 16 Public RC | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| SUSE Linux Enterprise Server 16 Public RC | SUSE Linux Enterprise Server 16 Public RC | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Ubuntu 20.04 | Ubuntu 20.04 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| Ubuntu 20.04 | Ubuntu 20.04 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Ubuntu 22.04 | Ubuntu 22.04 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| Ubuntu 22.04 | Ubuntu 22.04 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI | ||||||||
| Ubuntu 24.04 | Ubuntu 24.04 | AWS EC2 m7i.metal-24x with Intel Xeon Platinum 8488C, PAA/PAI | ||||||||
| Ubuntu 24.04 | Ubuntu 24.04 | AWS EC2 m7g.metal with AWS Graviton3, PAA/PAI |
Chainguard FIPS Provider for OpenSSL N/A N/A Table 2: Tested Module Identification
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL Table 4: Vendor-Affirmed Operational Environments - Software, Firmware, Hybrid Note: The CMVP makes no statement as to the correct operation of the module or the security strengths of the generated SSPs when the module is ported if the specific operational environments are not listed on the validation certificate.
There are no components excluded from the requirements of the FIPS 140-3 standard. © 2025 Chainguard, Inc., atsec information security.
| Name | Description | Indicator | Type |
|---|---|---|---|
| Non-approved mode | Automatically entered whenever a non- approved service is requested | Equivalent to the indicator of the requested service. | Non- Approved |
| Name | CAVP Cert | Reference |
|---|---|---|
| AES-CBC | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38A |
| AES-CBC-CS1 | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38A |
| AES-CBC-CS2 | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38A |
| AES-CBC-CS3 | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38A |
| AES-CCM | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38C |
| AES-CFB1 | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38A |
| AES-CFB128 | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38A |
| AES-CFB8 | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38A |
| AES-CMAC | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38B |
| AES-CTR | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38A |
| AES-ECB | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38A |
| AES-GCM | A6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699 | SP 800-38D |
| AES-GMAC | A6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699 | SP 800-38D |
| AES-KW | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38F |
| AES-KWP | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38F |
| AES-OFB | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38A |
| AES-XTS Testing Revision 2.0 | A6678, A6679, A6680, A6690, A6691, A6700 | SP 800-38E |
| Counter DRBG | A6675 | SP 800-90A Rev. 1 |
| ECDSA KeyGen (FIPS186-5) | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 186-5 |
| ECDSA KeyVer (FIPS186-4) | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 186-4 |
| ECDSA KeyVer (FIPS186-5) | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 186-5 |
| ECDSA SigGen (FIPS186-5) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 | FIPS 186-5 |
| ECDSA SigVer (FIPS186-4) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 | FIPS 186-4 |
| ECDSA SigVer (FIPS186-5) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 | FIPS 186-5 |
| EDDSA KeyGen | A6676 | FIPS 186-5 |
| EDDSA KeyVer | A6676 | FIPS 186-5 |
| EDDSA SigGen | A6676 | FIPS 186-5 |
| EDDSA SigVer | A6676 | FIPS 186-5 |
| Hash DRBG | A6675 | SP 800-90A Rev. 1 |
| HMAC DRBG | A6675 | SP 800-90A Rev. 1 |
| HMAC-SHA-1 | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 198-1 |
| HMAC-SHA2-224 | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 198-1 |
| HMAC-SHA2-256 | A6666, A6667, A6668, A6683, A6684, A6685, A6686 | FIPS 198-1 |
| HMAC-SHA2-384 | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 198-1 |
| HMAC-SHA2-512 | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 198-1 |
| HMAC-SHA2- 512/224 | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 198-1 |
| HMAC-SHA2- 512/256 | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 198-1 |
| HMAC-SHA3-224 | A6670, A6671, A6687, A6688, A6689 | FIPS 198-1 |
| HMAC-SHA3-256 | A6670, A6671, A6687, A6688, A6689 | FIPS 198-1 |
| HMAC-SHA3-384 | A6670, A6671, A6687, A6688, A6689 | FIPS 198-1 |
| HMAC-SHA3-512 | A6670, A6671, A6687, A6688, A6689 | FIPS 198-1 |
| KAS-ECC-SSC Sp800-56Ar3 | A6666, A6668, A6683, A6684, A6685, A6686 | SP 800-56A Rev. 3 |
| KAS-FFC-SSC Sp800-56Ar3 | A6674 | SP 800-56A Rev. 3 |
| KAS-IFC-SSC | A6668 | SP 800-56A Rev. 3 |
| KDA HKDF SP800- 56Cr2 | A6673 | SP 800-56C Rev. 2 |
| KDA OneStep SP800-56Cr2 | A6672 | SP 800-56C Rev. 2 |
| KDA TwoStep SP800-56Cr2 | A6672 | SP 800-56C Rev. 2 |
| KDF ANS 9.42 (CVL) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 | SP 800-135 Rev. 1 |
| KDF ANS 9.63 (CVL) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 | SP 800-135 Rev. 1 |
| KDF KMAC Sp800- 108r1 | A6677 | SP 800-108 Rev. 1 |
| KDF SP800-108 | A6677 | SP 800-108 Rev. 1 |
| KDF SSH (CVL) | A6666, A6668, A6669, A6683, A6684, A6685, A6686 | SP 800-135 Rev. 1 |
| KMAC-128 | A6670, A6671, A6687, A6688, A6689 | SP 800-185 |
| KMAC-256 | A6670, A6671, A6687, A6688, A6689 | SP 800-185 |
| KTS-IFC | A6666, A6668, A6683, A6684, A6685, A6686 | SP 800-56B Rev. 2 |
| PBKDF | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 | SP 800-132 |
| RSA KeyGen (FIPS186-5) | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 186-5 |
| RSA SigGen (FIPS186-5) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 | FIPS 186-5 |
| RSA SigVer (FIPS186-4) | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 186-4 |
| RSA SigVer (FIPS186-5) | A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689 | FIPS 186-5 |
| Safe Primes Key Generation | A6674 | SP 800-56A Rev. 3 |
| Safe Primes Key Verification | A6674 | SP 800-56A Rev. 3 |
| SHA-1 | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 180-4 |
| SHA2-224 | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 180-4 |
| SHA2-256 | A6666, A6667, A6668, A6683, A6684, A6685, A6686 | FIPS 180-4 |
| SHA2-384 | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 180-4 |
| SHA2-512 | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 180-4 |
| SHA2-512/224 | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 180-4 |
| SHA2-512/256 | A6666, A6668, A6683, A6684, A6685, A6686 | FIPS 180-4 |
| SHA3-224 | A6670, A6671, A6687, A6688, A6689 | FIPS 202 |
| SHA3-256 | A6670, A6671, A6687, A6688, A6689 | FIPS 202 |
| SHA3-384 | A6670, A6671, A6687, A6688, A6689 | FIPS 202 |
| SHA3-512 | A6670, A6671, A6687, A6688, A6689 | FIPS 202 |
| SHAKE-128 | A6670, A6671, A6687, A6688, A6689 | FIPS 202 |
| SHAKE-256 | A6670, A6671, A6687, A6688, A6689 | FIPS 202 |
| TLS v1.2 KDF RFC7627 (CVL) | A6666, A6668, A6683, A6684, A6685, A6686 | SP 800-135 Rev. 1 |
| TLS v1.3 KDF (CVL) | A6673 | SP 800-135 Rev. 1 |
Chainguard FIPS Provider for OpenSSL
Modes List and Description: NonApproved Table 5: Modes List and Description After passing all pre-operational self-test and cryptographic algorithm self-tests executed on start-up, the module Mode Change Instructions and Status: The module automatically switches between the approved and non-approved modes depending on the services
Approved Algorithms: The table below lists all implemented modes or methods of operation for the approved cryptographic algorithms of the module that are employed for approved services (Approved Services table). © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL Table 6: Approved Algorithms Vendor-Affirmed Algorithms: © 2025 Chainguard, Inc., atsec information security.
| Name | Approved Functions | Properties | ||
|---|---|---|---|---|
| Asymmetric CKG | Key Type:Asymmetric Key pairs:RSA; ECDSA; EdDSA; DH | N/A | SP 800-133r2, section 4, direct DRBG output without XOR | |
| AES-GCM encryption with external IV | Encryption | |||
| HMAC with key length < 112 bits | Message Authentication Code | |||
| KMAC with key length < 112 bits or tag length < 32 bits | Message Authentication Code | |||
| TLS 1.2 KDF without extended master secret or with SHA-1 or SHA2-224 or SHA2-512/224 or SHA2-512/256 or SHA-3 functions or with input secret length < 112 bits | Key Derivation Function | |||
| KBKDF with input key length < 112 bits | Key Derivation Function | |||
| Hash_DRBG or HMAC_DRBG with SHA2-224 or SHA2-384 or SHA2- 512/224 or SHA2-512/256 or SHA-3 functions or KMAC | Deterministic Random Bit Generation | |||
| ECDH with P-192 | Shared Secret Computation | |||
| RSA SigVer with modulus length < 2048 bits or PSS salt length > digest length or without hashing (primitive) | Digital Signature Verification | |||
| RSA SigGen with SHA-1 or X9.31 padding or modulus length < 2048 bits or PSS salt length > digest length or without hashing (primitive) | Digital Signature Generation | |||
| ECDSA SigVer component | Digital Signature Verification | |||
| ECDSA SigGen with P-192 or SHA-1; ECDSA SigGen component with P- 192 | Digital Signature Generation | |||
| ECDSA KeyGen with P-192 | Key Pair Generation | |||
| SSH KDF with SHA2-512/224 or SHA2-512/256 or SHA-3 functions or input secret length < 112 bits | Key Derivation Function | |||
| TLS 1.3 KDF with SHA-1 or SHA2-224 or SHA2-512/224 or SHA2-512 or SHA2-512/256 or SHA-3 functions or input secret length < 112 bits | Key Derivation Function | |||
| One step KDF, two step KDF, HKDF, ANS X9.42 KDF with input secret length < 112 bits | Key Derivation Function |
| Name | Description | Approved Functions | Type | Properties | ||
|---|---|---|---|---|---|---|
| Asymmetric CKG | Key Type:Asymmetric Key pairs:RSA; ECDSA; EdDSA; DH | N/A | SP 800-133r2, section 4, direct DRBG output without XOR | |||
| AES-GCM encryption with external IV | Encryption | |||||
| HMAC with key length < 112 bits | Message Authentication Code | |||||
| KMAC with key length < 112 bits or tag length < 32 bits | Message Authentication Code | |||||
| TLS 1.2 KDF without extended master secret or with SHA-1 or SHA2-224 or SHA2-512/224 or SHA2-512/256 or SHA-3 functions or with input secret length < 112 bits | Key Derivation Function | |||||
| KBKDF with input key length < 112 bits | Key Derivation Function | |||||
| Hash_DRBG or HMAC_DRBG with SHA2-224 or SHA2-384 or SHA2- 512/224 or SHA2-512/256 or SHA-3 functions or KMAC | Deterministic Random Bit Generation | |||||
| ECDH with P-192 | Shared Secret Computation | |||||
| RSA SigVer with modulus length < 2048 bits or PSS salt length > digest length or without hashing (primitive) | Digital Signature Verification | |||||
| RSA SigGen with SHA-1 or X9.31 padding or modulus length < 2048 bits or PSS salt length > digest length or without hashing (primitive) | Digital Signature Generation | |||||
| ECDSA SigVer component | Digital Signature Verification | |||||
| ECDSA SigGen with P-192 or SHA-1; ECDSA SigGen component with P- 192 | Digital Signature Generation | |||||
| ECDSA KeyGen with P-192 | Key Pair Generation | |||||
| SSH KDF with SHA2-512/224 or SHA2-512/256 or SHA-3 functions or input secret length < 112 bits | Key Derivation Function | |||||
| TLS 1.3 KDF with SHA-1 or SHA2-224 or SHA2-512/224 or SHA2-512 or SHA2-512/256 or SHA-3 functions or input secret length < 112 bits | Key Derivation Function | |||||
| One step KDF, two step KDF, HKDF, ANS X9.42 KDF with input secret length < 112 bits | Key Derivation Function | |||||
| X448 | Provides 224 bits of security, Key Agreement | |||||
| X25519 | Provides 128 bits of security, Key Agreement | |||||
| ANS X9.63 KDF with SHA-1 or input secret length < 112 bits | Key Derivation Function | |||||
| RSA OAEP encryption/decryption with 1536-bit modulus | Asymmetric encryption/decryption | |||||
| Encryption with AES | SP 800-38A and SP 800-38E; Encryption | AES-CBC: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS1: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS2: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS3: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB1: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB128: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB8: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CTR: (A6678, A6679, A6680, A6690, A6691, | BC-UnAuth |
Chainguard FIPS Provider for OpenSSL N/A Table 7: Vendor-Affirmed Algorithms Non-Approved, Allowed Algorithms: N/A for this module. Non-Approved, Allowed Algorithms with No Security Claimed: N/A for this module. Non-Approved, Not Allowed Algorithms: © 2025 Chainguard, Inc., atsec information security.
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| X448 | Provides 224 bits of security, Key Agreement | ||
| X25519 | Provides 128 bits of security, Key Agreement | ||
| ANS X9.63 KDF with SHA-1 or input secret length < 112 bits | Key Derivation Function | ||
| RSA OAEP encryption/decryption with 1536-bit modulus | Asymmetric encryption/decryption | ||
| Encryption with AES | SP 800-38A and SP 800-38E; Encryption | AES-CBC: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS1: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS2: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS3: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB1: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB128: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB8: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CTR: (A6678, A6679, A6680, A6690, A6691, | BC-UnAuth |
| Decryption with AES | SP 800-38A and SP 800-38E; Decryption | AES-CBC: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS1: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS2: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CBC-CS3: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB1: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB128: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CFB8: (A6678, A6679, A6680, A6690, A6691, A6700) AES-CTR: (A6678, A6679, A6680, A6690, A6691, | BC-UnAuth |
| Authenticated Encryption with AES | SP 800-38C and SP 800-38D; Authenticated encryption | AES-GCM: (A6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699) AES-CCM: (A6678, A6679, A6680, A6690, A6691, A6700) AES-KW: (A6678, A6679, A6680, A6690, A6691, A6700) AES-KWP: (A6678, A6679, A6680, A6690, A6691, A6700) | BC-Auth |
| Authenticated Decryption with AES | SP 800-38C and SP 800-38D; Authenticated decryption | AES-GCM: (A6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699) AES-CCM: (A6678, A6679, A6680, A6690, A6691, | BC-Auth |
| Message Authentication Code (MAC) Generation with AES | SP 800-38B and SP 800-38D; MAC Generation | AES-GMAC: (A6662, A6663, A6664, A6665, A6681, A6682, A6692, A6693, A6694, A6695, A6696, A6697, A6698, A6699) AES-CMAC: (A6678, A6679, A6680, A6690, A6691, A6700) | MAC |
| Message Authentication Code (MAC) Generation with HMAC | FIPS 198-1; MAC Generation | HMAC-SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/224: (A6666, A6668, A6683, | MAC |
Chainguard FIPS Provider for OpenSSL Table 8: Non-Approved, Not Allowed Algorithms © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL 2.0: © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL 2.0: © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| Message Authentication Code (MAC) Generation with KMAC | SP 800-185; MAC Generation | KMAC-128: (A6670, A6671, A6687, A6688, A6689) KMAC-256: (A6670, A6671, A6687, A6688, A6689) | MAC |
| Random Number Generation with a DRBG | SP 800-90Arev1; Random Number Generation | Counter DRBG: (A6675) Hash DRBG: (A6675) HMAC DRBG: (A6675) AES-ECB: (A6678, A6679, A6680, A6690, A6691, A6700) SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, | DRBG |
| Signature Generation with RSA | FIPS 186-5; Signature Generation | RSA SigGen (FIPS186-5): (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/256: (A6666, A6668, | DigSig-SigGen |
| Signature Verification with RSA | FIPS 186-5; FIPS 186-4; Signature Verification | RSA SigVer (FIPS186-4): (A6666, A6668, A6683, A6684, A6685, A6686) RSA SigVer (FIPS186-5): (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, | DigSig-SigVer |
| Signature Generation with ECDSA | FIPS 186-5; Signature Generation | ECDSA SigGen (FIPS186-5): (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, A6684, A6685, | DigSig-SigGen |
| Signature Verification with ECDSA | FIPS 186-5; FIPS 186-4; Signature Verification | ECDSA SigVer (FIPS186-4): (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) ECDSA SigVer (FIPS186-5): (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) | DigSig-SigVer |
| Signature Generation with EdDSA | FIPS 186-5; Signature Generation | EDDSA SigGen: (A6676) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) SHAKE-256: (A6670, A6671, A6687, A6688, A6689) | DigSig-SigGen |
| Signature Verification with EdDSA | FIPS 186-5; Signature Verification | EDDSA SigVer: (A6676) SHA2-512: (A6666, | DigSig-SigVer |
| Key Pair Generation with ECDSA | FIPS 186-5; Key Pair Generation | ECDSA KeyGen (FIPS186-5): (A6666, A6668, A6683, A6684, A6685, A6686) | AsymKeyPair- KeyGen |
| Key Pair Generation with RSA | FIPS 186-5; Key Pair Generation | RSA KeyGen (FIPS186-5): (A6666, A6668, A6683, A6684, A6685, A6686) | AsymKeyPair- KeyGen |
| Key Pair Generation with EdDSA | FIPS 186-5; Key Pair Generation | EDDSA KeyGen: (A6676) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) SHAKE-256: (A6670, A6671, A6687, A6688, A6689) | AsymKeyPair- KeyGen |
| Key Pair Generation with Safe Primes | SP 800-56Arev3; Key Pair Generation | Safe Primes Key Generation: (A6674) | AsymKeyPair- KeyGen |
| Key Pair Verification with Safe Primes | SP 800-56Arev3; Key Pair Verification | Safe Primes Key Verification: (A6674) | AsymKeyPair- KeyVer |
| Public Key Verification with ECDSA | FIPS 186-5; Key Pair Verification | ECDSA KeyVer (FIPS186-4): (A6666, A6668, A6683, A6684, A6685, A6686) ECDSA KeyVer (FIPS186-5): (A6666, A6668, A6683, A6684, A6685, A6686) | AsymKeyPair- KeyVer |
| Public Key Verification with EdDSA | FIPS 186-5; Key Pair Verification | EDDSA KeyVer: (A6676) | AsymKeyPair- KeyVer |
| Key Derivation with KBKDF | SP 800-108rev1; Key Derivation | KDF SP800-108: (A6677) HMAC-SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/256: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA3-224: (A6670, A6671, A6687, A6688, A6689) HMAC-SHA3-256: (A6670, A6671, A6687, A6688, A6689) HMAC-SHA3-384: | KBKDF |
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairKeyGen AsymKeyPairKeyVer AsymKeyPairKeyVer © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL AsymKeyPairKeyVer © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
| Name | Description | Csps Accessed | Type |
|---|---|---|---|
| Key Derivation with KDA OneStep | SP 800-56Crev2; Key Derivation | KDA OneStep SP800-56Cr2: (A6672) HMAC-SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/256: (A6666, A6668, A6683, A6684, A6685, A6686) | KAS-56CKDF |
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| Key Derivation with KDA TwoStep | SP 800-56Crev2; Key Derivation | KDA TwoStep SP800-56Cr2: (A6672) HMAC-SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/224: (A6666, A6668, A6683, | KAS-56CKDF |
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| Key Derivation with KDA HKDF | SP 800-56Crev2; Key Derivation | KDA HKDF SP800- 56Cr2: (A6673) HMAC-SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2- 512/224: (A6666, A6668, A6683, A6684, A6685, A6686) | KAS-56CKDF |
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| Key Derivation with ANS X9.42 KDF | SP 800-135rev1; Key Derivation | KDF ANS 9.42: (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/224: (A6666, A6668, A6683, A6684, | KAS-135KDF |
| Key Derivation with ANS X9.63 KDF | SP 800-135rev1; Key Derivation | KDF ANS 9.63: (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/256: | KAS-135KDF |
| Key Derivation with SSH KDF | SP 800-135rev1; Key Derivation | KDF SSH: (A6666, A6668, A6669, A6683, A6684, A6685, A6686) SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) | KAS-135KDF |
| Key Derivation with TLS 1.2 KDF | SP 800-135rev1; Key Derivation | TLS v1.2 KDF RFC7627: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, | KAS-135KDF |
| Key Derivation with TLS 1.3 KDF | RFC 8446; Key Derivation | TLS v1.3 KDF: (A6673) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) | KAS-135KDF |
| Key Derivation with PBKDF2 | SP 800-132; Key Derivation | PBKDF: (A6666, A6668, A6670, A6671, A6683, A6684, A6685, A6686, A6687, A6688, A6689) HMAC-SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) HMAC-SHA2-512: | PBKDF |
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
| Name | Description | Approved Functions | Type |
|---|---|---|---|
| Shared Secret Computation | SP 800-56Ar3 KAS- ECC-SSC with P- 224, P-256, P-384, and P-521 (these respectively support strengths of 112, 128, 192, and 256 bits); SP 800- 56Ar3 KAS-FFC- SSC with MODP- 2048, MODP-3072, MODP-4096, MODP-6144, MODP-8192, ffdhe-2048, ffdhe- 3072, ffdhe-4096, ffdhe-6144, ffdhe- 8192 (these respectively support strengths of 112, 128, 152, 176, 200, 112, 128, 152, 176, and 200 bits); | KAS-FFC-SSC Sp800-56Ar3: (A6674) KAS-ECC-SSC Sp800-56Ar3: (A6666, A6668, A6683, A6684, A6685, A6686) KAS-IFC-SSC: (A6668) | KAS-SSC |
| Message Digest with SHA | FIPS 180-4 and FIPS 202; Message Digest | SHA-1: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-256: (A6666, A6667, A6668, A6683, A6684, A6685, A6686) SHA2-384: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/224: (A6666, A6668, A6683, A6684, A6685, A6686) SHA2-512/256: (A6666, A6668, A6683, A6684, A6685, A6686) SHA3-224: (A6670, A6671, A6687, A6688, A6689) SHA3-256: (A6670, A6671, A6687, A6688, A6689) SHA3-384: (A6670, A6671, A6687, A6688, A6689) SHA3-512: (A6670, A6671, A6687, A6688, A6689) | SHA |
| Message Digest with SHAKE | FIPS 202; Message Digest | SHAKE-128: (A6670, A6671, A6687, A6688, | XOF |
| Key encapsulation | SP 800-56Br2; RSA key encapsulation | KTS-IFC: (A6666, A6668, A6683, A6684, A6685, A6686) | KTS-Encap |
| Key un- encapsulation | SP 800-56Br2; RSA key un- encapsulation | KTS-IFC: (A6666, A6668, A6683, A6684, A6685, A6686) | KTS-Encap |
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL unencapsulation Table 9: Security Function Implementations
In accordance with FIPS 140-3 IG C.I, the module implements a check that ensures, before performing any cryptographic operation, that the two AES keys used in AES XTS mode are not identical. As the module does not generate symmetric keys, the check is performed when keys are input into the service APIs. Key_1 and Key_2 shall be generated and/or established independently according to the rules for component symmetric keys from NIST SP 800-133rev2, Section 6.3. In addition, Section 4 of SP 800-38E states that the length of a single data unit encrypted or decrypted with AES XTS shall not exceed 2²⁰ AES blocks, that is 16MB, of data per XTS instance. The XTS mode shall only be used for the cryptographic protection of data on storage devices. It shall not be used for other purposes, such as the encryption of data in transit.
The module provides password-based key derivation (PBKDF2), compliant with SP 800-132. The module supports option 1a from Section 5.4 of SP 800-132, in which the Master Key (MK) or a segment of it is used directly as the Data Protection Key (DPK). In accordance with SP 800-132 and FIPS 140-3 IG D.N, the following requirements shall be met:
Chainguard FIPS Provider for OpenSSL
The module offers DH and ECDH shared secret computation services compliant to the SP 800-56ARev3 and meeting IG D.F scenario 2 path (1). To meet the required assurances listed in section 5.6 of SP 800-56Arev3, the module shall be used together with an application that implements the “TLS protocol” and the following steps shall be performed. 1. The entity using the module must use the module's "Key pair generation" service for generating DH/ECDH ephemeral keys. This meets the assurances required by key pair owner defined in the section
The module implements the SHA-3 functions as both standalone functions and as part of higher-level algorithms (in compliance with FIPS 140-3 IG C.C). As detailed in Section 2.6 Security Function Implementations with corresponding certificates, the cryptographic algorithms that use SHA-3 functions include RSA signature generation and verification, ECDSA signature generation and verification, EdDSA signature generation and verification, EdDSA key pair generation, KBKDF, KDA HKDF, X9.63 KDF, X9.42 KDF, PBKDF, OneStep KDA, TwoStep KDA, and HMAC. In addition, the implementation of the extendable output functions SHAKE128 and SHAKE256 were verified to have a standalone usage.
The module utilizes the following legacy algorithms as defined in SP 800-131Arev2:
The module’s RSA signature generation and verification implementations were CAVP tested with moduli sizes 2048, 3072, and 4096 bits. These moduli sizes are allowed by FIPS 140-3 IG C.F. The module supports moduli sizes larger than 4096 bits.
The module’s RSA key generation implementation was CAVP tested with moduli sizes 2048, 3072, 4096, 6144, and 8192 bits. These moduli sizes are allowed by FIPS 140-3 IG C.F. The module supports moduli sizes larger than 8192 bits. The number of Miller-Rabin tests is compliant with Table B.1 of FIPS 186-5. © 2025 Chainguard, Inc., atsec information security.
| Cert | Vendor Name | |
|---|---|---|
| Number | ||
| E191 | Chainguard, Inc |
Chainguard FIPS Provider for OpenSSL
The module does not establish SSPs using an approved key transport scheme (KTS). However, it does offer approved authenticated algorithms that can be used by an external operator/application as part of an approved KTS. The module does not establish SSPs using an approved key agreement scheme (KAS). However, it does offer some or all of the underlying KAS cryptographic functionality to be used by an external operator/application as part of an approved KAS.
For TLS 1.2 and 1.3, the module offers the AES GCM implementation per Scenario 1 and 5 of the FIPS 140-3 IG C.H respectively. For TLS 1.2 the module is compliant with SP 800-52r2 Section 3.3.1 and the mechanism for IV generation is compliant with RFC 5288 and 8446. For TLS 1.3 defined in RFC8446, the module supports AES GCM cipher suites from Section 3.3.1 of SP800-52r2. The module does not implement the TLS 1.2 or 1.3 protocol. The module’s implementation of AES GCM is used together with an application that runs outside the module’s cryptographic boundary. The design of the TLS protocol implicitly ensures that the counter (the nonce_explicit part of the IV) does not exhaust the maximum number of possible values for a given session key. In the event the module’s power is lost and restored, the consuming application must ensure that a new key for use with the AES GCM key encryption or decryption under this scenario shall be established. Alternatively, the module also implements GCM with internal IV generation per Scenario 2 of IG C.H. The internally generated IVs are always 96 bits and are generated using the approved DRBG internal to the module’s boundary. The module also provides a non-approved AES GCM encryption service which accepts arbitrary external IVs from the operator. The service can be requested by invoking the EVP_EncryptInit_ex2 API function with a nonNULL IV value. When this is the case, the API will set a non-approved service indicator as described in Section 4.3.
To comply with the assurances found in Section 6.4 of SP 800-56Br2, the operator must use the module in the context of the TLS or SSH protocols. Additionally, the module’s approved key pair generation service (see Section 4.3) must be used to generate RSA key pairs, or the key pairs must be obtained from another FIPS-validated module. As part of this service, the module will internally perform the key pair validation of the generated public key. The operator must use the EVP_PKEY_public_check() API to perform partial public key validation of the peer public key, complying with Section 6.4.2.2 of SP 800-56Br2. The operator must also confirm the peer’s possession of private key by using any method specified in Section 6.4.2.3 of SP 800-56Br2.
Table 10: Entropy Certificates © 2025 Chainguard, Inc., atsec information security.
| Name | Type | Strength | Operational Environment | Conditioning Component | |
|---|---|---|---|---|---|
| Chainguard CPU Time Jitter RNG Entropy Source | Non- Physical | 256 | Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7g.metal on Amazon Graviton3 AWS Graviton3; Chainguard Image 20230214 on Amazon Linux 2023 on EC2 m7i.metal-24xl on Intel Sapphire Rapids Xeon Platinum 8488C | full entropy | SHA3-256 (A5446) |
Chainguard FIPS Provider for OpenSSL NonPhysical Table 11: Entropy Sources The entropy source is statically compiled into the module and hence it is located within the cryptographic boundary of the module. As per the Public document of entropy certificate E191, the entropy source provides In addition to the DRBG algorithms provided to the operator, the module internally uses two dedicated DRBG instances based on SP 800-90A Rev. 1 to generate seeds for asymmetric key pairs and random numbers for security functions. The following parameters are used:
The module implements Cryptographic Key Generation (CKG, vendor affirmed), compliant with SP 800-133r2. When random values are required, they are obtained from the SP 800-90Ar1 approved DRBG of type CTR_DRBG, compliant with Section 4 of SP 800-133r2. This method does not use the value V as described in Additional Comment 2 of FIPS 140-3 IG D.H. The following methods are implemented:
Chainguard FIPS Provider for OpenSSL
The module implements key establishment methods as listed in the Security Function Implementations table in Section 2.6.
The module implements the SSH KDF (CVL) for use in the SSH protocol (RFC 4253 and RFC 6668). GCM with internal IV generation in the approved mode is compliant with versions 1.2 and 1.3 of the TLS protocol (RFC
5288 and 8446) and shall only be used in conjunction with the TLS protocol. Additionally, the module implements
the TLS 1.2 and TLS 1.3 key derivation functions for use in the TLS protocol. For Diffie-Hellman, the module supports the use of the safe primes defined in RFC 3526 (IKE) and RFC 7919 (TLS). Note that the module only implements key pair generation, key pair verification, and shared secret computation. No other part of the IKE or TLS protocols is implemented (except for the TLS 1.2 KDF (CVL) and
| Name | Physical Port | Logical Interface | Data That Passes |
|---|---|---|---|
| N/A | N/A | Data Input | API Input Parameters |
| N/A | N/A | Data Output | API Output Parameters |
| N/A | N/A | Control Input | API Function Calls |
| N/A | N/A | Status Output | API Return Codes, Error Queue |
Chainguard FIPS Provider for OpenSSL
N/A N/A N/A N/A Table 12: Ports and Interfaces As a software-only module, the module does not have physical ports. The module does not implement a control © 2025 Chainguard, Inc., atsec information security.
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | |
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | None | ||||||
| Message Digest | Compu te a messag e digest | Crypto Officer | Message Digest with SHA Message Digest with SHAKE | EVP_DigestFinal returns 1 | Messag e | Message digest | |||
| Symmetr ic Encrypti on | Encryp t a plainte xt | Crypto Officer - AES Key: W,E | Encrypti on with AES | EVP_EncryptFinal_ex returns 1 | AES Key, plainte xt, IV | Ciphert ext | |||
| Symmetr ic Decrypti on | Decryp t a ciphert ext | Crypto Officer - AES Key: W,E | Decrypti on with AES | EVP_DecryptFinal_ex returns 1 | AES Key, ciphert ext, IV | Plaintex t | |||
| Authenti cated Symmetr ic Encrypti on | Encryp t and authent icate a plainte xt | Crypto Officer - AES Key: W,E | Authenti cated Encrypti on with AES | GCM: OSSL_CIPHER_PARAM_AEAD_IV_GEN ERATED is 1; CCM: EVP_EncryptFinal_ex returns 1 | AES Key, plainte xt, IV | Ciphert ext, MAC tag |
| Name | Description | Role Access | Csps Accessed | Approved Functions | Indicator | Type | Input | Output | |
|---|---|---|---|---|---|---|---|---|---|
| Crypto Officer | CO | Role | None | ||||||
| Message Digest | Compu te a messag e digest | Crypto Officer | Message Digest with SHA Message Digest with SHAKE | EVP_DigestFinal returns 1 | Messag e | Message digest | |||
| Symmetr ic Encrypti on | Encryp t a plainte xt | Crypto Officer - AES Key: W,E | Encrypti on with AES | EVP_EncryptFinal_ex returns 1 | AES Key, plainte xt, IV | Ciphert ext | |||
| Symmetr ic Decrypti on | Decryp t a ciphert ext | Crypto Officer - AES Key: W,E | Decrypti on with AES | EVP_DecryptFinal_ex returns 1 | AES Key, ciphert ext, IV | Plaintex t | |||
| Authenti cated Symmetr ic Encrypti on | Encryp t and authent icate a plainte xt | Crypto Officer - AES Key: W,E | Authenti cated Encrypti on with AES | GCM: OSSL_CIPHER_PARAM_AEAD_IV_GEN ERATED is 1; CCM: EVP_EncryptFinal_ex returns 1 | AES Key, plainte xt, IV | Ciphert ext, MAC tag |
Chainguard FIPS Provider for OpenSSL
The module does not implement any authentication methods.
Table 13: Roles The module supports the Crypto Officer role only. This sole role is implicitly and always assumed by the operator of the module when performing a service. The module does not support multiple concurrent operators.
s a e t a W,E t a t W,E W,E © 2025 Chainguard, Inc., atsec information security.
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Authenti cated Symmetr ic Decrypti on | Decryp t and authent icate a ciphert ext | Crypto Officer - AES Key: W,E | Authenti cated Decrypti on with AES | EVP_DecryptFinal_ex returns non- negative value | AES Key, ciphert ext, MAC tag, IV | Plaintex t or Failure |
| AES Message Authenti cation Generati on | Compu te a MAC tag using AES | Crypto Officer - AES Key: W,E | Message Authenti cation Code (MAC) Generati on with AES | EVP_MAC_final returns 1 | AES Key, messag e | MAC tag |
| HMAC Message Authenti cation Generati on | Compu te a MAC tag using HMAC | Crypto Officer - HMAC Key: W,E | Message Authenti cation Code (MAC) Generati on with HMAC | OSSL_MAC_PARAM_FIPS_APPROVED _INDICATOR is 1 | HMAC Key, messag e | MAC tag |
| KMAC Message Authenti cation Generati on | Compu te a MAC tag using KMAC | Crypto Officer - KMAC Key: W,E | Message Authenti cation Code (MAC) Generati on with KMAC | OSSL_MAC_PARAM_FIPS_APPROVED _INDICATOR is 1 | KMAC Key, messag e | MAC tag |
| TLS KDF Key Derivatio n | TLS key derivati on | Crypto Officer - Shared Secret: W,E - TLS Derived Key: G,R | Key Derivatio n with TLS 1.2 KDF Key Derivatio n with TLS 1.3 KDF | OSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1 | Shared Secret | TLS Derived Key |
| KBKDF Key Derivatio n | Derive a key from a key- derivati on key | Crypto Officer - Key- Derivati on Key: W,E - KBKDF Derived Key: G,R | Key Derivatio n with KBKDF | OSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1 | Key- Deriva tion Key | KBKDF Derived Key |
| ANS X9.42 Key Derivatio n | Derive a key from a shared secret | Crypto Officer - ANS X9.42 Derived Key: G,R - Shared Secret: W,E | Key Derivatio n with ANS X9.42 KDF | OSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1 | Shared Secret | ANS X9.42 Derived Key |
| ANS X9.63 Key Derivatio n | Derive a key from a shared secret | Crypto Officer - Shared Secret: W,E - ANS X9.63 Derived Key: G,R | Key Derivatio n with ANS X9.63 KDF | OSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1 | Shared Secret | ANS X9.63 Derived Key |
| HKDF Key Derivatio n | Derive a key from a shared secret | Crypto Officer - Shared Secret: W,E - HKDF Derived Key: G,R | Key Derivatio n with KDA HKDF | OSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1 | Shared Secret | HKDF Derived key |
| OneStep KDA Key Derivatio n | Derive a key from a shared secret | Crypto Officer - Shared Secret: W,E - KDA OneSte p Derived Key: G,R | Key Derivatio n with KDA OneStep | OSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1 | Shared Secret | KDA OneSte p Derived Key |
| TwoStep KDA Key Derivatio n | Derive a key from a shared secret | Crypto Officer - Shared Secret: W,E - KDA TwoSte p Derived Key: G,R | Key Derivatio n with KDA TwoStep | OSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1 | Shared Secret | KDA TwoSte p Derived Key |
| SSH KDF key derivatio n | Derive a key from a shared secret | Crypto Officer - Shared Secret: W,E - SSH KDF Derived Key: G,R | Key Derivatio n with SSH KDF | OSSL_KDF_PARAM_FIPS_APPROVED_ INDICATOR is 1 | Shared Secret | SSH KDF Derived Key |
| PBKDF Key Derivatio n | Derive a key from a passwo rd | Crypto Officer - Passwor d: W,E - PBKDF Derived Key: G,R | Key Derivatio n with PBKDF2 | EVP_KDF_derive returns 1 | Passwo rd | PBKDF Derived Key |
| Random Number Generati on | Genera te random number | Crypto Officer - Entropy Input: W,E - DRBG Seed: G,E - DRBG Internal State (V, Key): G,W,E - DRBG Internal State (V, C): G,W,E | Random Number Generati on with a DRBG | OSSL_RAND_PARAM_FIPS_APPROVE D_INDICATOR is 1 | Numbe r of bits | Rando m number |
| Shared Secret Computa tion | Compu te a shared secret | Crypto Officer - Shared Secret: G,R - DH Private Key: W,E - DH Public Key: W,E - EC Private Key: W,E - EC Public Key: W,E - RSA Private | Shared Secret Computa tion | KAS-FFC-SSC: EVP_PKEY_derive returns 1; KAS-ECC-SSC: OSSL_EXCHANGE_PARAM_FIPS_APPR OVED_INDICATOR is 1 | DH Private Key (owner ), DH Public Key (peer); EC Private Key (owner ), EC Public Key (peer); RSA Private Key (owner ), RSA Public | Shared Secret |
| Key (peer) | Key: W,E - RSA Public Key: W,E | Key (peer) | ||||
| RSA Digital Signature Generati on | Genera te a digital signatu re with RSA | Crypto Officer - RSA Private Key: W,E | Signature Generati on with RSA | OSSL_SIGNATURE_PARAM_FIPS_APP ROVED_INDICATOR is 1 and OSSL_SIGNATURE_PARAM_FIPS_VERI FY_MESSAGE is 1 | RSA Private Key, messag e, hash algorit hm | Signatu re |
| ECDSA Digital Signature Generati on | Genera te a digital signatu re with ECDSA | Crypto Officer - EC Private Key: W,E | Signature Generati on with ECDSA | OSSL_SIGNATURE_PARAM_FIPS_APP ROVED_INDICATOR is 1 and OSSL_SIGNATURE_PARAM_FIPS_VERI FY_MESSAGE is 1 | EC Private Key, messag e, hash algorit hm | Signatu re |
| EdDSA Digital Signature Generati on | Genera te a digital signatu re with EdDSA | Crypto Officer - EdDSA Private Key: W,E | Signature Generati on with EdDSA | EVP_PKEY_sign returns 1 | EdDSA Private Key, messag e, hash algorit hm | Signatu re |
| RSA Digital Signature Verificati on | Verify a digital signatu re using RSA | Crypto Officer - RSA Public Key: W,E | Signature Verificati on with RSA | OSSL_SIGNATURE_PARAM_FIPS_APP ROVED_INDICATOR is 1 and OSSL_SIGNATURE_PARAM_FIPS_VERI FY_MESSAGE is 1 | RSA Public Key, messag e, signatu re, hash algorit hm | Pass or Fail |
| ECDSA Digital Signature | Verify a digital signatu | Crypto Officer - EC Public | Signature Verificati on with ECDSA | OSSL_SIGNATURE_PARAM_FIPS_APP ROVED_INDICATOR is 1 and OSSL_SIGNATURE_PARAM_FIPS_VERI FY_MESSAGE is 1 | EC Public Key, messag | Pass or Fail |
| Verificati on | re using ECDSA | Key: W,E | e, signatu re, hash algorit hm | |||
| EdDSA Digital Signature Verificati on | Verify a digital signatu re using EdDSA | Crypto Officer - EdDSA Public Key: W,E | Signature Verificati on with EdDSA | EVP_PKEY_verify returns 1 | EdDSA Public Key, messag e, signatu re, hash algorit hm | Pass or Fail |
| RSA Key Pair Generati on | Genera te an RSA key pair | Crypto Officer - Module Generat ed RSA Private Key: G,R - Module Generat ed RSA Public Key: G,R - Interme diate Key Generat ion Value: G,E,Z | Key Pair Generati on with RSA | EVP_PKEY_keygen returns 1 | Modul us Length | Module Generat ed RSA Private Key, Module Generat ed RSA Public Key |
| ECDSA Key Pair | Genera te an | Crypto Officer | Key Pair Generati | OSSL_PKEY_PARAM_FIPS_APPROVED _INDICATOR is 1 | Curve | Module Generat |
| Generati on | EC key pair | - Module Generat ed EC Private Key: G,R - Module Generat ed EC Public Key: G,R - Interme diate Key Generat ion Value: G,E,Z | on with ECDSA | ed EC Private Key, Module Generat ed EC Public Key | ||
| EdDSA Key Pair Generati on | Genera te an EdDSA key pair | Crypto Officer - Module Generat ed EdDSA Private Key: G,R - Module Generat ed EdDSA Public Key: G,R - Interme diate | Key Pair Generati on with EdDSA | EVP_PKEY_keygen returns 1 | Curve | Module Generat ed EdDSA Private Key, Module Generat ed EdDSA Public Key |
| Key Pair Generati on with Safe Primes | Genera te an DH key pair | Crypto Officer - Module Generat ed DH Private Key: G,R - Module Generat ed DH Public Key: G,R - Interme diate Key Generat ion Value: G,E,Z | Key Pair Generati on with Safe Primes | EVP_PKEY_keygen returns 1 | Group | Module Generat ed DH Private Key, Module Generat ed DH Public Key |
| Public Key Verificati on with ECDSA | Verify an EC key pair | Crypto Officer - EC Private Key: W,E - EC Public Key: W,E | Public Key Verificati on with ECDSA | EVP_PKEY_public_check returns 1 | EC Private Key, EC Public Key | Pass or Fail |
| Key Pair Verificati on with | Verify a DH | Crypto Officer - DH | Key Pair Verificati on with | EVP_PKEY_check or EVP_PKEY_public_check or EVP_PKEY_private_check returns 1 | DH Private Key, | Pass or Fail |
| Safe Primes | key pair | Private Key: W,E - DH Public Key: W,E | Safe Primes | DH Public Key | ||
| Public Key Verificati on with EdDSA | Verify an EdDSA key pair | Crypto Officer - EdDSA Private Key: W,E - EdDSA Public Key: W,E | Public Key Verificati on with EdDSA | EVP_PKEY_public_check returns 1 | EdDSA Public Key, EdDSA Private Key | Pass or Fail |
| Show Version | Return the name and version inform ation | Crypto Officer | None | None | None | Module name and version |
| Show Status | Return the module status | Crypto Officer | None | None | None | Module status |
| Self-Test | Perfor m the CASTs and integrit y test | Crypto Officer | Decrypti on with AES Authenti cated Encrypti on with AES Authenti cated Decrypti on with | None | None | Pass or Fail of self- tests |
Chainguard FIPS Provider for OpenSSL a s t W,E e W,E a e W,E a e W,E n n n W,E G,R © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL s n keyderivati KeyDeriva n - KeyDerivati W,E G,R n n G,R W,E n n W,E G,R n n W,E G,R © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL s n p n W,E p G,R n p n W,E p G,R n n W,E G,R n n d: W,E G,R © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL s m W,E G,E (V, G,W,E (V, C): G,W,E a 1; G,R W,E W,E W,E W,E © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL s W,E W,E a W,E a W,E a W,E e, W,E © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL s e, W,E G,R G,R G,E,Z e, W,E © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL s G,R G,R G,R G,R G,E,Z © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL s G,E,Z G,R G,R G,E,Z W,E W,E © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL s W,E W,E selftests W,E W,E © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL s n n n © 2025 Chainguard, Inc., atsec information security.
| Name | Description | Role Access | Csps Accessed | Indicator | Input | Output |
|---|---|---|---|---|---|---|
| Zeroizati on | Zeroize any SSP | None | Crypto Officer - AES Key: Z - HMAC Key: Z - KMAC | None | An SSP | None |
Chainguard FIPS Provider for OpenSSL s n n n n n © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL s - KeyDerivati Z Z d: Z p p © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL s (V, © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL s Z © 2025 Chainguard, Inc., atsec information security.
| Name | Description | Csps Accessed | Approved Functions | Indicator | Input | Output | Security Function s |
|---|---|---|---|---|---|---|---|
| Key encapsul ation | Encaps ulate a key | Crypto Officer - RSA Public Key: W,E | Key encapsul ation | OSSL_ASYM_CIPHER_PARAM_FIPS_A PPROVED_INDICATOR is 1 | RSA Public Key, Key to encaps ulate | Encapsu lated key | |
| Key un- encapsul ation | Un- encaps ulate a key | Crypto Officer - RSA Private Key: W,E | Key un- encapsul ation | OSSL_ASYM_CIPHER_PARAM_FIPS_A PPROVED_INDICATOR is 1 | RSA Private Key, Key to un- encaps ulate | Un- encapsu lated key | |
| AES-GCM with Externally Generated IV | Encrypt a plaintext | AES-GCM encryption with external IV | Crypto Officer | ||||
| Message Authentication Code Generation with Non- Approved Key Length or Tag Length | Compute a MAC tag | HMAC with key length < 112 bits KMAC with key length < 112 bits or tag length < 32 bits | Crypto Officer | ||||
| Key Derivation with Non- Approved Parameters | Derive a key | TLS 1.2 KDF without extended master secret or with SHA-1 or SHA2-224 or SHA2-512/224 or SHA2-512/256 or SHA-3 functions or with input secret length < 112 bits KBKDF with input key length < 112 bits SSH KDF with SHA2-512/224 or SHA2-512/256 or SHA-3 functions or input secret length < 112 bits TLS 1.3 KDF with SHA-1 or SHA2- 224 or SHA2-512/224 or SHA2-512 or SHA2-512/256 or SHA-3 functions or input secret length < 112 bits One step KDF, two step KDF, HKDF, ANS X9.42 KDF with input secret length < 112 bits ANS X9.63 KDF with SHA-1 or input secret length < 112 bits | Crypto Officer | ||||
| Random Number Generation | Generate a random number | Hash_DRBG or HMAC_DRBG with SHA2-224 or SHA2-384 or SHA2-512/224 or SHA2-512/256 or SHA-3 functions or KMAC | Crypto Officer | ||||
| Shared Secret Computation with Non-Approved Parameters | Compute a shared secret | ECDH with P-192 | Crypto Officer | ||||
| Non-approved Digital Signature Generation | Generate a digital signature on a pre-hashed message | RSA SigGen with SHA-1 or X9.31 padding or modulus length < 2048 bits or PSS salt length > digest | Crypto Officer | ||||
| Non-approved Digital Signature Verification | Verify a digital signature of a pre-hashed message | RSA SigVer with modulus length < 2048 bits or PSS salt length > digest length or without hashing (primitive) ECDSA SigVer component | Crypto Officer | ||||
| ECDSA Key Pair Generation with Non-Approved Parameters | Generate an EC key pair | ECDSA KeyGen with P-192 | Crypto Officer | ||||
| Key Exchange | Perform key agreement primitives on behalf of the calling process (does not establish keys into the module) | X448 X25519 | Crypto Officer | ||||
| Asymmetric Encryption/Decryption | Perform RSA OAEP encryption/decryption | RSA OAEP encryption/decryption with 1536-bit modulus | Crypto Officer |
Chainguard FIPS Provider for OpenSSL s (V, C): Z W,E Key unencapsul Unencaps unencaps Unencapsu Key unencapsul W,E Table 14: Approved Services The module provides services to operators that assume the available role. All services are described in detail in the API documentation (manual pages). The Approved Services table defines the services that utilize approved security functions in this module. For the respective tables, the convention below applies when specifying the access permissions (types) that the service has for each SSP.
Chainguard FIPS Provider for OpenSSL To interact with the module, a calling application must use the EVP API layer provided by OpenSSL. This layer will delegate the request to the FIPS provider, which will in turn perform the requested service. Additionally, this EVP API layer can be used to retrieve the approved service indicator for the module. © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL Table 15: Non-Approved Services
The module does not have the capability of loading software or firmware from an external source. © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL
The integrity of the module is verified by comparing a HMAC-SHA2-256 value calculated at runtime with the HMAC-SHA2-256 value embedded in the fips.so file that was computed at build time.
Integrity tests are performed as part of the pre-operational self-tests, which are executed when the module is initialized. The integrity tests can be invoked on demand by unloading and subsequently re-initializing the module (i.e., rebooting the system), which will perform (among others) the software integrity tests. © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL
Type of Operational Environment: Modifiable How Requirements are Satisfied: Any SSPs contained within the module are protected by the process isolation and memory separation mechanisms, and only the module has control over these SSPs. If the operating system is properly installed, it provides process isolation and memory protection mechanisms that ensure appropriate separation for memory access among the processes on the system. Each process has control over its own data and uncontrolled access to the data of other processes is prevented.
Instrumentation tools like the ptrace system call, gdb and strace, userspace live patching, as well as other tracing mechanisms offered by the Linux environment such as ftrace or systemtap, shall not be used in the operational environment. The use of any of these tools implies that the cryptographic module is running in a non-validated operational environment. © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL
The module is comprised of software only, and therefore this section is not applicable. © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL
The module does not implement any non-invasive security mechanisms. © 2025 Chainguard, Inc., atsec information security.
| Name | Type | Description |
|---|---|---|
| RAM | Dynamic | Temporary storage for SSPs used by the module as part of service execution. The module does not perform persistent storage of SSPs. |
| Name | Type | From | To | ||
|---|---|---|---|---|---|
| API Input Parameters | Plaintext | Operator calling application (TOEPP) | Cryptographic Module | Manual | Electronic |
| API Output Parameters | Plaintext | Cryptographic Module | Operator Calling Application (TOEPP) | Manual | Electronic |
| Zeroization | Description | Rationale | Operator Initiation | |
|---|---|---|---|---|
| Method | ||||
| Free Cipher Handle | Zeroizes the SSPs contained within the cipher handle | Memory occupied by SSPs is overwritten with zeroes and then it is released, which renders the SSP values irretrievable. The successful completion of the zeroization routine indicates that the | By calling the cipher related zeroization API: EVP_CIPHER_CTX_free() clears and frees symmetric cipher context, EVP_MAC_CTX_free() clears and frees MAC context, EVP_KDF_CTX_free() clears and frees KDF context, EVP_RAND_CTX_free() clears and frees DRBG context, EVP_PKEY_free() clears and frees asymmetric key pair structures |
Chainguard FIPS Provider for OpenSSL
Table 16: Storage Areas SSPs are provided to the module by the calling process and are destroyed when released by the appropriate zeroization function calls. Table 17: SSP Input-Output Methods operational environment. This corresponds to manual distribution, electronic entry/output (“CM Software to/from App via TOEPP Path”) per FIPS 140-3 IG 9.5.A Table 1. © 2025 Chainguard, Inc., atsec information security.
| Name | Type | Description | Strength | Use |
|---|---|---|---|---|
| AES Key | Symmetric key - CSP | Used for encryption, decryption, and message authentication | 128, 192, 256 bits - 128, 192, 256 bits | Encryption with AES Decryption with AES Authenticated Encryption with AES Authenticated Decryption with AES Message Authentication Code (MAC) Generation with AES |
| Zeroization | Description | Rationale | Operator Initiation | |
|---|---|---|---|---|
| Method | ||||
| zeroization procedure succeeded. | ||||
| Automatic | Automatically zeroized by the module when no longer needed | Memory occupied by SSPs is overwritten with zeroes, which renders the SSP values irretrievable. The successful completion of the running service indicates that zeroization was completed. | N/A | |
| Module Reset | De-allocates the volatile memory used to store SSPs | Volatile memory used by the module is overwritten within nanoseconds when power is removed. The successful completion of the module reset indicates that the zeroization procedure succeeded. | By unloading and reloading the module |
Chainguard FIPS Provider for OpenSSL N/A Table 18: SSP Zeroization Methods All data output is inhibited during zeroization. © 2025 Chainguard, Inc., atsec information security.
| Name | Type | Description | Strength | Generation | Use | |
|---|---|---|---|---|---|---|
| HMAC Key | Symmetric key - CSP | Used for hash- based message authentication | 112-524288 bits - 112- 256 bits | Message Authentication Code (MAC) Generation with HMAC | ||
| KMAC Key | Symmetric key - CSP | Used for message authentication | 128-1024 bits - 112- 256 bits | Message Authentication Code (MAC) Generation with KMAC | ||
| Key- Derivation Key | Symmetric key - CSP | Used for key derivation | 112-4096 bits - 112- 256 bits | Key Derivation with KBKDF | ||
| Shared Secret | Shared secret - CSP | Generated by shared secret computation and used for key derivation | 224-8192 bits - 112- 256 bits | Key Derivation with KDA OneStep Key Derivation with KDA TwoStep Key Derivation with KDA HKDF Key Derivation with ANS X9.42 KDF Key Derivation with ANS X9.63 KDF Key Derivation with SSH KDF Key Derivation with TLS 1.2 KDF Key Derivation with TLS 1.3 KDF | Shared Secret Computation | |
| Password | Password - CSP | Used for password- based key derivation | At least 8 characters - N/A | Key Derivation with PBKDF2 | ||
| PBKDF Derived Key | Symmetric key - CSP | Generated by password- based key derivation | 112-4096 bits - 112- 256 bits | Key Derivation with PBKDF2 | ||
| KBKDF Derived Key | Symmetric key - CSP | Generated by key-based key derivation | 112-4096 bits - 112- 256 bits | Key Derivation with KBKDF | ||
| ANS X9.42 Derived Key | Symmetric key - CSP | Generated by ANS X9.42 key derivation | 128-4096 bits - 112- 256 bits | Key Derivation with ANS X9.42 KDF | ||
| ANS X9.63 Derived Key | Symmetric key - CSP | Generated by ANS X9.63 key derivation | 128-4096 bits - 112- 256 bits | Key Derivation with ANS X9.63 KDF | ||
| HKDF Derived Key | Symmetric key - CSP | Generated by HKDF key derivation | 224-8192 bits - 112- 256 bits | Key Derivation with KDA HKDF | ||
| KDA OneStep Derived Key | Symmetric key - CSP | Generated by OneStep KDA key derivation | 2048 bits - 112-256 bits | Key Derivation with KDA OneStep | ||
| KDA TwoStep Derived Key | Symmetric key - CSP | Generated by TwoStep KDA key derivation | 2048 bits - 112-256 bits | Key Derivation with KDA TwoStep | ||
| TLS Derived Key | Symmetric key - CSP | Generated by TLS KDF key derivation | 112-1024 bits - 112- 256 bits | Key Derivation with TLS 1.2 KDF Key Derivation with TLS 1.3 KDF | ||
| SSH KDF Derived Key | Symmetric key - CSP | Generated by SSH KDF key derivation | 112-256 bits - 112-256 bits | Key Derivation with SSH KDF | ||
| Entropy Input | Entropy input - CSP | Used for random number generation and seeding a DRBG (compliant with IG D.L) | 128-384 bits - 128-384 bits of entropy | Random Number Generation with a DRBG | ||
| DRBG Internal State (V, Key) | Internal state - CSP | Used for random number generation (compliant with IG D.L) | Counter DRBG V length: 128 bits; Counter DRBG Key length: 128, 192, 256 bits; HMAC DRBG V length: 160, 256, 512 bits; HMAC DRBG Key length: 160, 256, 512 bits - Counter DRBG: 128, 192, 256 bits; HMAC DRBG: 128, 256 bits | Random Number Generation with a DRBG | Random Number Generation with a DRBG | |
| DRBG Internal State (V, C) | Internal state - CSP | Used for random number generation (compliant with IG D.L) | 440, 888 bits - 128, 256 bits | Random Number Generation with a DRBG | Random Number Generation with a DRBG | |
| DRBG Seed | Seed - CSP | Used for random number generation (compliant with IG D.L) | 192-888 bits - 128-256 bits | Random Number Generation with a DRBG | Random Number Generation with a DRBG |
Chainguard FIPS Provider for OpenSSL bits - 112256 bits bits - 112256 bits KeyDerivation bits - 112256 bits bits - 112256 bits passwordbased © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL passwordbased bits - 112256 bits bits - 112256 bits bits - 112256 bits bits - 112256 bits bits - 112256 bits bits - 112256 bits 1.2 © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL a (V, V V a a a © 2025 Chainguard, Inc., atsec information security.
| Name | Type | Description | Strength | Use |
|---|---|---|---|---|
| DH Private Key | Private key - CSP | Used for shared secret computation and key pair verification | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- 2048, MODP- 3072, MODP- 4096, MODP- 6144, MODP- 8192 - 112- 200 bits | Key Pair Verification with Safe Primes Shared Secret Computation |
| DH Public Key | Public key - PSP | Used for shared secret computation and key pair verification | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- 2048, MODP- 3072, MODP- 4096, MODP- 6144, MODP- 8192 - 112- 200 bits | Key Pair Verification with Safe Primes Shared Secret Computation |
| EC Private Key | Private key - CSP | Used for shared secret computation, digital signature generation, and key pair verification | P-224, P- 256, P-384, P-521 - 112-256 bits | Signature Generation with ECDSA Public Key Verification with ECDSA Shared Secret Computation |
| EC Public Key | Public key - PSP | Used for shared secret computation, | P-192, P- 224, P-256, P-384, P- | Signature Verification with ECDSA |
Chainguard FIPS Provider for OpenSSL MODP2048, MODP3072, MODP4096, MODP6144, MODP8192 - 112200 bits MODP2048, MODP3072, MODP4096, MODP6144, MODP8192 - 112200 bits © 2025 Chainguard, Inc., atsec information security.
| Name | Type | Description | Strength | Storage | Zeroization | Use | Input | Storage Duration | Related SSPs | |
|---|---|---|---|---|---|---|---|---|---|---|
| EdDSA Private Key | Private key - CSP | Used for digital signature generation, and key pair verification | Ed25519, Ed448 - 128, 224 bits | Signature Generation with EdDSA Public Key Verification with EdDSA | ||||||
| EdDSA Public Key | Public key - PSP | Used for signature verification, and key pair verification | Ed25519, Ed448 - 128, 224 bits | Signature Verification with EdDSA Public Key Verification with EdDSA | ||||||
| RSA Private Key | Private key - CSP | Used for signature generation, shared secret computation, and key un- encapsulation | 2048-16384 bits - 112- 256 bits | Signature Generation with RSA Shared Secret Computation Key un- encapsulation | ||||||
| RSA Public Key | Public key - PSP | Used for signature verification, shared secret computation, and key encapsulation | 2048-16384 bits - 112- 256 bits | Signature Verification with RSA Shared Secret Computation Key encapsulation | ||||||
| Module Generated DH Private Key | Private key - CSP | DH private key generated by the module | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- 2048, MODP- 3072, MODP- 4096, | Key Pair Generation with Safe Primes | ||||||
| Module Generated DH Public Key | Public key - PSP | DH public key generated by the module | ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192, MODP- 2048, MODP- 3072, MODP- 4096, MODP- 6144, MODP- 8192 - 112- 200 bits | Key Pair Generation with Safe Primes | ||||||
| Module Generated EC Private Key | Private key - CSP | EC private key generated by the module | P-224, P- 256, P-384, P-521 - 112-256 bits | Key Pair Generation with ECDSA | ||||||
| Module Generated EC Public Key | Public key - PSP | EC public key generated by the module | P-224, P- 256, P-384, P-521 - 112-256 bits | Key Pair Generation with ECDSA | ||||||
| Module Generated RSA Private Key | Private key - CSP | RSA private key generated by the module | 2048-16384 bits - 112- 256 bits | Key Pair Generation with RSA | ||||||
| Module Generated RSA Public Key | Public key - PSP | RSA public key generated by the module | 2048-16384 bits - 112- 256 bits | Key Pair Generation with RSA | ||||||
| Intermediate Key Generation Value | Intermediate value - CSP | Used for key pair generation | 224-16384 bits - 112- 256 bits | Key Pair Generation with ECDSA Key Pair Generation | Key Pair Generation with ECDSA Key Pair | |||||
| Generation with RSA Key Pair Generation with EdDSA Key Pair Generation with Safe Primes | with RSA Key Pair Generation with EdDSA Key Pair Generation with Safe Primes | Generation with RSA Key Pair Generation with EdDSA Key Pair Generation with Safe Primes | ||||||||
| Module Generated EdDSA Private Key | Private key - CSP | EdDSA private key generated by the module | Ed25519, Ed448 - 128, 224 bits | Key Pair Generation with EdDSA | ||||||
| Module Generated EdDSA Public Key | Public key - CSP | EdDSA public key generated by the module | Ed25519, Ed448 - 128, 224 bits | Key Pair Generation with EdDSA | ||||||
| AES Key | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset | ||||||
| HMAC Key | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset | ||||||
| KMAC Key | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset | ||||||
| Key-Derivation Key | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset | KBKDF Derived Key:Derives | |||||
| Shared Secret | RAM:Plaintext | Free Cipher Handle | API Input Parameters | Until cipher handle is freed or module is reset | DH Private Key:Generated From DH Public |
Chainguard FIPS Provider for OpenSSL bits - 112256 bits unencapsulation bits - 112256 bits MODP2048, MODP3072, MODP4096, © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL MODP6144, MODP8192 - 112200 bits MODP2048, MODP3072, MODP4096, MODP6144, MODP8192 - 112200 bits bits - 112256 bits bits - 112256 bits bits - 112256 bits © 2025 Chainguard, Inc., atsec information security.
| Name | Type | Description | Strength | Storage | Zeroization | Use | Input | Storage Duration | Related SSPs | |
|---|---|---|---|---|---|---|---|---|---|---|
| Generation with RSA Key Pair Generation with EdDSA Key Pair Generation with Safe Primes | with RSA Key Pair Generation with EdDSA Key Pair Generation with Safe Primes | Generation with RSA Key Pair Generation with EdDSA Key Pair Generation with Safe Primes | ||||||||
| Module Generated EdDSA Private Key | Private key - CSP | EdDSA private key generated by the module | Ed25519, Ed448 - 128, 224 bits | Key Pair Generation with EdDSA | ||||||
| Module Generated EdDSA Public Key | Public key - CSP | EdDSA public key generated by the module | Ed25519, Ed448 - 128, 224 bits | Key Pair Generation with EdDSA | ||||||
| AES Key | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset | ||||||
| HMAC Key | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset | ||||||
| KMAC Key | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset | ||||||
| Key-Derivation Key | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset | KBKDF Derived Key:Derives | |||||
| Shared Secret | RAM:Plaintext | Free Cipher Handle | API Input Parameters | Until cipher handle is freed or module is reset | DH Private Key:Generated From DH Public |
Chainguard FIPS Provider for OpenSSL Table 19: SSP Table 1 © 2025 Chainguard, Inc., atsec information security.
| Name | Generation | Storage | Zeroization | Output | Storage Duration |
|---|---|---|---|---|---|
| Password | PBKDF Derived Key:Derives | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset |
| PBKDF Derived Key | Password:Derived From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| KBKDF Derived Key | Key-Derivation Key:Derived From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| ANS X9.42 Derived Key | Shared Secret:Derived From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| ANS X9.63 Derived Key | Shared Secret:Derived From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| HKDF Derived Key | Shared Secret:Derived From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| KDA OneStep Derived Key | Shared Secret:Derived From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| KDA TwoStep Derived Key | Shared Secret:Derived From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| TLS Derived Key | Shared Secret:Derived From | RAM:Plaintext | Free Cipher Handle | API Output Parameters | Until cipher handle is freed or module is reset |
| SSH KDF Derived Key | Shared Secret:Derived From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| Entropy Input | DRBG Seed:Generates | RAM:Plaintext | Automatic Module Reset | Until the DRBG has completed instantiation or module is reset | |
| DRBG Internal State (V, Key) | DRBG Seed:Generated From | RAM:Plaintext | Free Cipher Handle Module Reset | Until cipher handle is freed or module is reset | |
| DRBG Internal State (V, C) | DRBG Seed:Generated From | RAM:Plaintext | Free Cipher Handle Module Reset | Until cipher handle is freed or module is reset | |
| DRBG Seed | DRBG Internal State (V, Key):Generates DRBG Internal State (V, C):Generates Entropy Input:Generated From | RAM:Plaintext | Automatic Module Reset | Until the DRBG has completed instantiation or module is reset | |
| DH Private Key | DH Public Key:Paired With Shared Secret:Derives | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset |
| DH Public Key | DH Private Key:Paired With Shared Secret:Derives | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset |
| EC Private Key | EC Public Key:Paired With Shared Secret:Derives | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset |
| EC Public Key | EC Private Key:Paired With Shared Secret:Derives | RAM:Plaintext | Free Cipher Handle | API Input Parameters | Until cipher handle is freed or module is reset |
| EdDSA Private Key | EdDSA Public Key:Paired With | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset |
| EdDSA Public Key | EdDSA Private Key:Paired With | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset |
| RSA Private Key | RSA Public Key:Paired With Shared Secret:Derives | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset |
| RSA Public Key | RSA Private Key:Paired With Shared Secret:Derives | RAM:Plaintext | Free Cipher Handle Module Reset | API Input Parameters | Until cipher handle is freed or module is reset |
| Module Generated DH Private Key | Module Generated DH Public Key:Paired With Intermediate Key Generation Value:Generated From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| Module Generated DH Public Key | Module Generated DH Private Key:Paired With Intermediate Key Generation Value:Generated From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| Module Generated EC Private Key | Module Generated EC Public Key:Paired With Intermediate Key Generation Value:Generated From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| Module Generated EC Public Key | Module Generated EC Private Key:Paired With Intermediate Key Generation Value:Generated From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| Module Generated RSA Private Key | Module Generated RSA Public Key:Paired With Intermediate Key Generation Value:Generated From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| Module Generated RSA Public Key | Module Generated RSA Private Key:Paired With Intermediate Key Generation Value:Generated From | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| Intermediate Key Generation Value | Module Generated DH Private Key:Generates Module Generated DH Public Key:Generates Module Generated EC Private Key:Generates Module Generated EC Public Key:Generates Module Generated RSA Private Key:Generates Module Generated RSA Public Key:Generates Module Generated EdDSA Private Key:Generates Module Generated | RAM:Plaintext | Automatic | From service invocation to service completion, or until module is reset | |
| Module Generated EdDSA Private Key | Module Generated EdDSA Public Key:Paired With Intermediate Key Generation Value:Generated from | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
| Module Generated EdDSA Public Key | Module Generated EdDSA Private Key:Paired With Intermediate Key Generation Value:Generated from | RAM:Plaintext | Free Cipher Handle Module Reset | API Output Parameters | Until cipher handle is freed or module is reset |
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL (V, © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL Table 20: SSP Table 2
The SHA-1 algorithm as implemented by the module will be non-approved for all purposes, starting January 1, 2031. © 2025 Chainguard, Inc., atsec information security.
| Name | Algorithm Or Test | Test Method | Test Type | Details | Indicator | Test Properties | Conditions | |
|---|---|---|---|---|---|---|---|---|
| HMAC- SHA2-256 | HMAC- SHA2-256 | Message Authentication | SW/FW Integrity | Integrity test for fips.so | 256-bit key | Module becomes operational and services are available for use | ||
| AES-ECB | AES-ECB | KAT | CAST | Symmetric operation | Module becomes operational and services are available for use | Decrypt with 128- bit key | Test runs at power-on before the integrity test | |
| AES-GCM | AES-GCM | KAT | CAST | Symmetric operation | Module becomes operational and services are available for use | Encrypt and decrypt with 256- bit key | Test runs at power-on before the integrity test | |
| SHA2-512 | SHA2-512 | KAT | CAST | Message digest | Module becomes operational and services are available for use | 3-byte message | Test runs at power-on before the integrity test | |
| SHA3-256 | SHA3-256 | KAT | CAST | Message digest | Module becomes operational and services | 4-byte message | Test runs at power-on before the integrity test |
| Name | Algorithm Or Test | Test Method | Test Type | Details | Indicator | Test Properties | Conditions | |
|---|---|---|---|---|---|---|---|---|
| HMAC- SHA2-256 | HMAC- SHA2-256 | Message Authentication | SW/FW Integrity | Integrity test for fips.so | 256-bit key | Module becomes operational and services are available for use | ||
| AES-ECB | AES-ECB | KAT | CAST | Symmetric operation | Module becomes operational and services are available for use | Decrypt with 128- bit key | Test runs at power-on before the integrity test | |
| AES-GCM | AES-GCM | KAT | CAST | Symmetric operation | Module becomes operational and services are available for use | Encrypt and decrypt with 256- bit key | Test runs at power-on before the integrity test | |
| SHA2-512 | SHA2-512 | KAT | CAST | Message digest | Module becomes operational and services are available for use | 3-byte message | Test runs at power-on before the integrity test | |
| SHA3-256 | SHA3-256 | KAT | CAST | Message digest | Module becomes operational and services | 4-byte message | Test runs at power-on before the integrity test | |
| Counter DRBG | Counter DRBG | KAT | CAST | Compliant with SP 800-90Ar1 including health test per section 11.3 | Module becomes operational and services are available for use | 128 bit keys, DF, with PR | Test runs at power-on before the integrity test | |
| HMAC DRBG | HMAC DRBG | KAT | CAST | Compliant with SP 800-90Ar1 including health test per section 11.3 | Module becomes operational and services are available for use | HMAC-SHA-1, with PR | Test runs at power-on before the integrity test | |
| KAS-ECC- SSC Sp800- 56Ar3 | KAS-ECC- SSC Sp800- 56Ar3 | KAT | CAST | Shared secret computation | Module becomes operational and services are available for use | P-256 curve | Test runs at power-on before the integrity test | |
| KAS-FFC- SSC Sp800- 56Ar3 | KAS-FFC- SSC Sp800- 56Ar3 | KAT | CAST | Shared secret computation | Module becomes operational and services are available for use | ffdhe2048 | Test runs at power-on before the integrity test | |
| KDF SP800- 108 | KDF SP800- 108 | KAT | CAST | Key based key derivation | Module becomes operational and services are available for use | HMAC-SHA2-256 with 128-bit key; KMAC-128 with 128-bit key | Test runs at power-on before the integrity test | |
| KDA OneStep SP800-56Cr2 | KDA OneStep SP800-56Cr2 | KAT | CAST | Shared secret key derivation | Module becomes operational and services are available for use | SHA2-224 | Test runs at power-on before the integrity test | |
| KDF ANS 9.42 | KDF ANS 9.42 | KAT | CAST | Industry-based ANS X9.42 key derivation | Module becomes operational | SHA-1 | Test runs at power-on |
Chainguard FIPS Provider for OpenSSL
While the module is executing the self-tests, services are not available, and data output (via the data output interface) is inhibited until the tests are successfully completed. The module does not return control to the calling application until the tests are completed. If any of these tests fail, the module transitions to the error state.
HMACSHA2-256 Table 21: Pre-Operational Self-Tests The pre-operational software integrity tests are performed automatically when the module is powered on, before the module transitions to the operational state.
© 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL KAS-ECCSSC Sp80056Ar3 KAS-FFCSSC Sp80056Ar3 KDF SP800108 © 2025 Chainguard, Inc., atsec information security.
| Name | Role Access | Approved Functions | Type | Properties | Details | |
|---|---|---|---|---|---|---|
| Module becomes operational and services are available for use | Test runs at power-on before the integrity test | KDF ANS 9.63 | CAST | SHA2-256 | KAT | Industry-based ANS X9.63 key derivation |
| Module becomes operational and services are available for use | Test runs at power-on before the integrity test | TLS v1.2 KDF RFC7627 | CAST | SHA2-256 | KAT | Industry-based TLS v1.2 KDF key derivation |
| Module becomes operational and services are available for use | Test runs at power-on before the integrity test | TLS v1.3 KDF | CAST | SHA2-256 | KAT | Industry-based TLS v1.3 KDF key derivation |
| Module becomes operational and services are available for use | Test runs at power-on before the integrity test | PBKDF | CAST | HMAC-SHA2-256 with 200-bit derived key length, 24- character password, 4096 iterations, 288-bit salt, | KAT | Password-based key derivation |
| Module becomes operational and services are available for use | Test runs at power-on before the integrity test | KDA HKDF SP800-56Cr2 | CAST | SHA2-256 | KAT | Shared secret key derivation |
| Module becomes operational and services are available for use | Test runs at power-on before the integrity test | ECDSA SigGen (FIPS186-5) | CAST | P-224 with SHA2- 256 | KAT | Digital signature generation |
Chainguard FIPS Provider for OpenSSL 24character © 2025 Chainguard, Inc., atsec information security.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Test Properties | Indicator | Conditions |
|---|---|---|---|---|---|---|---|---|---|
| ECDSA SigVer (FIPS186-5) | ECDSA SigVer (FIPS186-5) | KAT | CAST | Digital signature verification | P-224 with SHA2- 256 | Module becomes operational and services are available for use | Test runs at power-on before the integrity test | ||
| RSA SigGen (FIPS186-5) | RSA SigGen (FIPS186-5) | KAT | CAST | Digital signature generation | PKCS#1 v1.5 with 2048 bit key and SHA2-256 | Module becomes operational and services are available for use | Test runs at power-on before the integrity test | ||
| EDDSA SigGen (FIPS186-5) | EDDSA SigGen (FIPS186-5) | KAT | CAST | Digital signature generation | Ed25519; Ed4488 | Module becomes operational and services are available for use | Test runs at power-on before the integrity test | ||
| RSA SigVer (FIPS186-5) | RSA SigVer (FIPS186-5) | KAT | CAST | Digital signature verification | PKCS#1 v1.5 with 2048 bit key and SHA2-256 | Module becomes operational and services are available for use | Test runs at power-on before the integrity test | ||
| EDDSA SigVer (FIPS186-5) | EDDSA SigVer (FIPS186-5) | KAT | CAST | Digital signature verification | Ed25519; Ed4488 | Module becomes operational and services are available for use | Test runs at power-on before the integrity test | ||
| ECDSA KeyGen (FIPS186-5) | ECDSA KeyGen (FIPS186-5) | PCT | PCT | Signature generation & verification | SHA2-512 | Successful key pair generation | Key pair generation | ||
| EDDSA KeyGen (FIPS186-5) | EDDSA KeyGen (FIPS186-5) | PCT | PCT | Signature generation & verification | N/A | Successful key pair generation | Key pair generation | ||
| RSA KeyGen (FIPS186-5) | RSA KeyGen (FIPS186-5) | PCT | PCT | Encryption & decryption | Section 6.4.1.1 of SP800-56Br2 | Successful key pair generation | Key pair generation | ||
| Safe Primes Key Generation | Safe Primes Key Generation | PCT | PCT | SP 800- 56ARev3, 5.6.2.1.4 | Section 5.6.2.1.4 of SP800-56Arev3 | Successful key pair generation | Key pair generation | ||
| Hash DRBG | Hash DRBG | KAT | CAST | Compliant with SP 800-90Ar1 including health test per section 11.3 | SHA2-256, with PR | Module becomes operational and services are available for use | Test runs at power-on before the integrity test | ||
| Entropy Source - RCT and APT start-up test | Entropy Source - RCT and APT start-up test | RCT and APT | CAST | Entropy source start- up test | 1024 samples. Repetition count test according to Section 4.4.1 and Adaptive proportion test according to Section 4.4.2 of SP 800-90B | Module becomes operational and services are available for use | Entropy source initialization | ||
| Entropy Source - RCT and APT continuous test | Entropy Source - RCT and APT continuous test | RCT and APT | CAST | Entropy source continuous test | Repetition count test according to Section 4.4.1 and Adaptive proportion test according to Section 4.4.2 of SP 800-90B | Entropy source is operational | Continuously when the entropy source is accessed | ||
| HMAC-SHA2-256 | HMAC-SHA2-256 | Message Authentication | SW/FW Integrity | On demand | Manually | ||||
| AES-ECB | AES-ECB | KAT | CAST | On Demand | Manually | ||||
| AES-GCM | AES-GCM | KAT | CAST | On Demand | Manually | ||||
| SHA2-512 | SHA2-512 | KAT | CAST | On Demand | Manually | ||||
| SHA3-256 | SHA3-256 | KAT | CAST | On Demand | Manually |
Chainguard FIPS Provider for OpenSSL N/A & & & © 2025 Chainguard, Inc., atsec information security.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method | Details | Test Properties | Indicator | Conditions |
|---|---|---|---|---|---|---|---|---|---|
| Safe Primes Key Generation | Safe Primes Key Generation | PCT | PCT | SP 800- 56ARev3, 5.6.2.1.4 | Section 5.6.2.1.4 of SP800-56Arev3 | Successful key pair generation | Key pair generation | ||
| Hash DRBG | Hash DRBG | KAT | CAST | Compliant with SP 800-90Ar1 including health test per section 11.3 | SHA2-256, with PR | Module becomes operational and services are available for use | Test runs at power-on before the integrity test | ||
| Entropy Source - RCT and APT start-up test | Entropy Source - RCT and APT start-up test | RCT and APT | CAST | Entropy source start- up test | 1024 samples. Repetition count test according to Section 4.4.1 and Adaptive proportion test according to Section 4.4.2 of SP 800-90B | Module becomes operational and services are available for use | Entropy source initialization | ||
| Entropy Source - RCT and APT continuous test | Entropy Source - RCT and APT continuous test | RCT and APT | CAST | Entropy source continuous test | Repetition count test according to Section 4.4.1 and Adaptive proportion test according to Section 4.4.2 of SP 800-90B | Entropy source is operational | Continuously when the entropy source is accessed | ||
| HMAC-SHA2-256 | HMAC-SHA2-256 | Message Authentication | SW/FW Integrity | On demand | Manually | ||||
| AES-ECB | AES-ECB | KAT | CAST | On Demand | Manually | ||||
| AES-GCM | AES-GCM | KAT | CAST | On Demand | Manually | ||||
| SHA2-512 | SHA2-512 | KAT | CAST | On Demand | Manually | ||||
| SHA3-256 | SHA3-256 | KAT | CAST | On Demand | Manually | ||||
| Counter DRBG | Counter DRBG | KAT | CAST | On Demand | Manually | ||||
| HMAC DRBG | HMAC DRBG | KAT | CAST | On Demand | Manually | ||||
| KAS-ECC-SSC Sp800-56Ar3 | KAS-ECC-SSC Sp800-56Ar3 | KAT | CAST | On Demand | Manually | ||||
| KAS-FFC-SSC Sp800-56Ar3 | KAS-FFC-SSC Sp800-56Ar3 | KAT | CAST | On Demand | Manually | ||||
| KDF SP800-108 | KDF SP800-108 | KAT | CAST | On Demand | Manually | ||||
| KDA OneStep SP800-56Cr2 | KDA OneStep SP800-56Cr2 | KAT | CAST | On Demand | Manually | ||||
| KDF ANS 9.42 | KDF ANS 9.42 | KAT | CAST | On Demand | Manually | ||||
| KDF ANS 9.63 | KDF ANS 9.63 | KAT | CAST | On Demand | Manually | ||||
| TLS v1.2 KDF RFC7627 | TLS v1.2 KDF RFC7627 | KAT | CAST | On Demand | Manually | ||||
| TLS v1.3 KDF | TLS v1.3 KDF | KAT | CAST | On Demand | Manually | ||||
| PBKDF | PBKDF | KAT | CAST | On Demand | Manually | ||||
| KDA HKDF SP800- 56Cr2 | KDA HKDF SP800- 56Cr2 | KAT | CAST | On Demand | Manually | ||||
| ECDSA SigGen (FIPS186-5) | ECDSA SigGen (FIPS186-5) | KAT | CAST | On Demand | Manually | ||||
| ECDSA SigVer (FIPS186-5) | ECDSA SigVer (FIPS186-5) | KAT | CAST | On Demand | Manually | ||||
| RSA SigGen (FIPS186-5) | RSA SigGen (FIPS186-5) | KAT | CAST | On Demand | Manually | ||||
| EDDSA SigGen (FIPS186-5) | EDDSA SigGen (FIPS186-5) | KAT | CAST | On Demand | Manually | ||||
| RSA SigVer (FIPS186-5) | RSA SigVer (FIPS186-5) | KAT | CAST | On Demand | Manually | ||||
| EDDSA SigVer (FIPS186-5) | EDDSA SigVer (FIPS186-5) | KAT | CAST | On Demand | Manually | ||||
| ECDSA KeyGen (FIPS186-5) | ECDSA KeyGen (FIPS186-5) | PCT | PCT | On Demand | Manually | ||||
| EDDSA KeyGen (FIPS186-5) | EDDSA KeyGen (FIPS186-5) | PCT | PCT | On Demand | Manually | ||||
| RSA KeyGen (FIPS186-5) | RSA KeyGen (FIPS186-5) | PCT | PCT | On Demand | Manually |
Chainguard FIPS Provider for OpenSSL 80056ARev3, 5.6.2.1.4 Table 22: Conditional Self-Tests
Table 23: Pre-Operational Periodic Information © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL © 2025 Chainguard, Inc., atsec information security.
| Name | Algorithm Or Test | Test Method | Test Type | Period | Periodic Method |
|---|---|---|---|---|---|
| Safe Primes Key Generation | Safe Primes Key Generation | PCT | PCT | On Demand | Manually |
| Hash DRBG | Hash DRBG | KAT | CAST | On Demand | Manually |
| Entropy Source - RCT and APT start- up test | Entropy Source - RCT and APT start- up test | RCT and APT | CAST | On Demand | Manually |
| Entropy Source - RCT and APT continuous test | Entropy Source - RCT and APT continuous test | RCT and APT | CAST | On Demand | Manually |
| Name | Description | Role Access | Indicator | |
|---|---|---|---|---|
| Power-up error | An error occurred during the integrity test or CAST failure | Software integrity test failure CAST failure | Module not loaded | Re-initialization of the module |
| PCT error | An error occurred during a PCT | PCT failure | Cryptographic functionality is blocked | Re-initialization of the module |
Chainguard FIPS Provider for OpenSSL Table 24: Conditional Periodic Information
Table 25: Error States In any error state, the output interface is inhibited, and the module cannot perform cryptographic operations.
The software integrity test and cryptographic algorithm self-tests can be invoked on demand by unloading and subsequently re-initializing the module. The PCTs can be invoked on demand by requesting the key pair generation service. © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL
All configuration items are uniquely identified by a compound value consisting of the package apk full version and revision number plus architecture with the git commit SHA1 value.
No installation, initialization, or startup steps are required as the module is pre-built into the images that the vendor provides.
To verify that the module is prebuilt into a Chainguard image, the Crypto Officer must review the image specification (e.g. Chainguard Console SBOM tab, SPDX image attestation, apk installed package database, syft output, AWS Inspector) to ensure it contains the package “openssl-fips-provider-3.4.0” version “3.4.0-r4”. The Crypto Officer must verify the name and version of the module. This is done by retrieving the parameters OSSL_PROV_PARAM_NAME and OSSL_PROV_PARAM_BUILDINFO from the module. Since there can be several providers for OpenSSL, and since only the “fips” provider is the module, the Crypto Officer must ensure that the “fips” provider of OpenSSL is queried when retrieving these parameters and when requesting any other services. OSSL_PROV_PARAM_NAME must have the value: “Chainguard FIPS Provider for OpenSSL” OSSL_PROV_PARAM_BUILDINFO must have the value: “3.4.0-r4” The Approved and non-Approved modes of operation are specified in section 2.4. The administrative functions are specified in the Approved Services table. All the logical interfaces are specified in section 3.1. The requirements and restrictions that shall be considered when operating the module in approved mode are specified in section 2.7 and section 6.
There is no non-administrator guidance.
As the module does not persistently store SSPs, secure sanitization of the module consists of unloading the module. This will zeroize all SSPs in volatile memory. © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL
Certain cryptographic subroutines and algorithms are vulnerable to timing analysis. The module mitigates this vulnerability by using constant-time implementations. This includes, but is not limited to:
RSA, ECDSA, ECDH, and DH employ blinding techniques to further impede timing and power analysis.
No configuration is needed to enable the aforementioned countermeasures. © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL A Glossary and Abbreviations AES Advanced Encryption Standard AESNI Advanced Encryption Standard New Instructions API Application Programming Interface CAST Cryptographic Algorithm Self-Test CAVP Cryptographic Algorithm Validation Program CBC Cipher Block Chaining CBC-MAC Cipher Block Chaining Message Authentication Code CCM Counter with Cipher Block Chain-Message Authentication Code CCP Cryptographic Co-Processor CFB Cipher Feedback CKG Cryptographic Key Generation CMAC Cipher-based Message Authentication Code CMVP Cryptographic Module Validation Program CSP Critical Security Parameter CTR Counter CTS Ciphertext Stealing DH Diffie-Hellman DRBG Deterministic Random Bit Generator ECB Electronic Code Book ECC Elliptic Curve Cryptographic ECDH Elliptic Curve Diffie-Hellman ECDSA Elliptic Curve Digital Signature Algorithm EVP Envelope FFC Finite Field Cryptography FIPS Federal Information Processing Standards GCM Galois Counter Mode GMAC Galois Counter Mode Message Authentication Code HMAC Keyed-Hash Message Authentication Code IG International Guidance IKE Internet Key Exchange IV Initialization Vector © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL KAS Key Agreement Scheme KAT Known Answer Test KBKDF Key-Based Derivation Function KMAC KECCAK Message Authentication Code KW Key Wrap KWP Key Wrap with Padding MAC Message Authentication Code NIST National Institute of Science and Technology OEAP Optimal Asymmetric Encryption Padding OFB Output Feedback PAA Processor Algorithm Acceleration PBKDF2 Password-based Key Derivation Function v2 PCT Pair-wise Consistency Test PKI Public Key Infrastructure PSP Public Security Parameter PSS Probabilistic Signature Scheme RSA Rivest Shamir Adleman RSADP RSA Decryption Primitive RSAEP RSA Encryption Primitive SHA Secure Hash Algorithm SHAKE Secure Hash Algorithm with Keccak SSC Shared Secret Computation SSH Secure Shell SSP Sensitive Security Parameter TLS Transport Layer Security TOEPP Tested Operational Environment’s Physical Perimeter XOF Extendable Output Function XTS XEX-based Tweaked-codebook mode with cipher text Stealing © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL B References ANS X9.42-2001 Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9422001 ANS X9.63-2001 Public Key Cryptography for the Financial Services Industry, Key Agreement and Key Transport Using Elliptic Curve Cryptography 2001 https://webstore.ansi.org/standards/ascx9/ansix9632001 FIPS 140-3 IG Implementation Guidance for FIPS PUB 140-3 and the Cryptographic Module Validation Program https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validationprogram/documents/fips%20140-3/FIPS%20140-3%20IG.pdf FIPS 180-4 Secure Hash Standard (SHS) August 2015 https://doi.org/10.6028/NIST.FIPS.180-4 FIPS 186-4 Digital Signature Standard (DSS) July 2013 https://doi.org/10.6028/NIST.FIPS.180-4 FIPS 186-5 Digital Signature Standard (DSS) February 2023 https://doi.org/10.6028/NIST.FIPS.186-5 FIPS 197 Advanced Encryption Standard (AES) November 2001; Updated May 2023 https://doi.org/10.6028/NIST.FIPS.197-upd1 FIPS 198-1 The Keyed-Hash Message Authentication Code (HMAC) July 2008 https://doi.org/10.6028/NIST.FIPS.198-1 FIPS 202 SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions August 2015 https://doi.org/10.6028/NIST.FIPS.202 PKCS#1 Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 February 2003 http://www.ietf.org/rfc/rfc3447.txt RFC 3526 More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE) May 2003 https://www.ietf.org/rfc/rfc3526.txt © 2025 Chainguard, Inc., atsec information security.
Chainguard FIPS Provider for OpenSSL RFC 5288 AES Galois Counter Mode (GCM) Cipher Suites for TLS August 2008 https://www.ietf.org/rfc/rfc5288.txt RFC 7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) August 2016 https://www.ietf.org/rfc/rfc7919.txt RFC 8446 The Transport Layer Security (TLS) Protocol Version 1.3 August 2018 https://www.ietf.org/rfc/rfc8446.txt SP 800-90Ar1 Recommendation for Random Number Generation Using Deterministic Random Bit Generators June 2015 https://doi.org/10.6028/NIST.SP.800-90Ar1 SP 800-90B Recommendation for the Entropy Sources Used for Random Bit Generation January 2018 https://doi.org/10.6028/NIST.SP.800-90B SP 800-108r1 Recommendation for Key Derivation Using Pseudorandom Functions August 2022; Updated February 2024 https://doi.org/10.6028/NIST.SP.800-108r1-upd1 SP 800-131Ar2 Transitioning the Use of Cryptographic Algorithms and Key Lengths March 2019 https://doi.org/10.6028/NIST.SP.800-131Ar2 SP 800-133r2 Recommendation for Cryptographic Key Generation June 2020 https://doi.org/10.6028/NIST.SP.800-133r2 SP 800-140Br1 Cryptographic Module Validation Program (CMVP) Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B November 2023 https://doi.org/10.6028/NIST.SP.800-140Br1 © 2025 Chainguard, Inc., atsec information security.