icainfo - Show available libica functions
Use the icainfo command to find out which libica functions are available on your Linux™ system.
The icainfo output also indicates, whether the libica library has built-in FIPS support, whether it is
running in FIPS mode, and whether it is in an error state. Algorithms that are not FIPS approved are
marked as blocked in both table columns and cannot be processed
when running in FIPS mode. All algorithms are marked as blocked when libica is in an error state.
Format
Where:
- -v or --version
- Displays the version number of icainfo, and additionally displays optional vendor-specific libica build information.
- -c or --list-curves
- Displays the supported curves for elliptic curve cryptography. See also Elliptic curve cryptography (ECC) functions.
- -r or --list-rsa
- Displays the supported minimum and maximum RSA key lengths (for an example, see Using RSA in FIPS mode). When not running in FIPS mode, libica allows RSA keys of 57 bits up to 4096 bits. The lower limit depends on the distribution and the used OpenSSL version. The upper limit is imposed by the cryptographic coprocessors.
- -f or --list-fips-exceptions
- Display available algorithms that are non-approved.
- -h or --help
- Displays help information for the command.
# icainfo
View a sample output produced by this command. Available hardware support is presented in two
columns: hardware - dynamic means support by cryptographic coprocessors, hardware - static means support by
CPACF, with the current MSA level indicated. A 'no' in column
software indicates, that for this function no software fallback provided by OpenSSL is implemented in libica. A dash '-' in column
software indicates, that libica is built
without software fallbacks.
Cryptographic algorithm support
------------------------------------------------------
| hardware |
function | dynamic | static | software
| | (msa=09) |
---------------+------------+------------+------------
SHA-1 | no | yes | -
SHA-224 | no | yes | -
...
SHA-512 | no | yes | -
SHA-512/224 | no | yes | -
SHA-512/256 | no | yes | -
...
SHA3-512 | no | yes | -
...
SHAKE-256 | no | yes | -
GHASH | no | yes | -
P_RNG | blocked | blocked | blocked
DRBG-SHA-512 | no | yes | -
ECDH | no | yes | - /* ECDH+ECDSA only w. CPACF in FIPS mode
ECDSA Sign | no | yes | -
ECDSA Verify | no | yes | -
EC Keygen | no | no | yes /* EC keygen: FIPS mode only in SW fallback
Ed25519 Keygen | blocked | blocked | blocked /* all ED/X curves blocked in FIPS mode
Ed25519 Sign | blocked | blocked | blocked
Ed25519 Verify | blocked | blocked | blocked
...
X25519 Keygen | blocked | blocked | blocked
X25519 Derive | blocked | blocked | blocked
X448 Keygen | blocked | blocked | blocked
X448 Derive | blocked | blocked | blocked
RSA Keygen ME | no | no | yes
RSA Keygen CRT | no | no | yes
RSA ME | yes | no | -
RSA CRT | yes | no | -
DES ECB | blocked | blocked | blocked
DES CBC | blocked | blocked | blocked
...
3DES ECB | blocked | blocked | blocked /* 3DES blocked in FIPS mode
3DES CBC | blocked | blocked | blocked
...
AES ECB | no | yes | -
...
AES GCM | no | yes | -
------------------------------------------------------
Built-in FIPS support: FIPS 140-3 mode active.
Software fallbacks are disabled.
The variant of the libica.so module, called libica-cex.so, introduced in Using the libica-cex variant provides a corresponding icainfo-cex command to display the available functions of the libica-cex module.
The icainfo-cex command has the same syntax as icainfo (see Figure 1).
See an excerpt from an icainfo-cex output produced when running with the
libica-cex module. The minus-sign - indicates the disabled
features:
Cryptographic algorithm support
------------------------------------------------------
| hardware |
function | dynamic | static | software
---------------+------------+------------+------------
SHA-1 | no | - | -
SHA-224 | no | - | -
SHA-256 | no | - | -
...
ECDH | yes | - | -
ECDSA Sign | yes | - | -
ECDSA Verify | yes | - | -
EC Keygen | yes | - | -
Ed25519 Keygen | no | - | -
Ed25519 Sign | no | - | -
...
RSA ME | yes | - | -
RSA CRT | yes | - | -
DES ECB | no | - | -
DES CBC | no | - | -
...
------------------------------------------------------
No built-in FIPS support.
Software fallbacks are disabled in libica-cex.
CPACF support (including fallbacks) is disabled in libica-cex.
icainfo -c
Use the icainfo -c command to list the elliptic curves that are supported by libica on your current system configuration. The availability of curves is, for example, dependent from the installed MSA level, whether cryptographic coprocessors in CCA mode are available, whether OpenSSL is in FIPS mode, or whether the whole system is in FIPS mode.
The table columns show whether a curve is supported by the hardware, either on a cryptographic coprocessor in CCA mode (dynamic), on CPACF (static), or with a software fallback by OpenSSL.
# icainfo -c
-------------------------------------------------------
| hardware |
EC curve | dynamic | static | software
| | (msa=09) |
-----------------+------------+------------+-----------
prime192v1 | yes | no | yes
secp224r1 | yes | no | yes
prime256v1 | yes | yes | yes
secp384r1 | yes | yes | yes
secp521r1 | yes | yes | yes
brainpoolP160r1 | yes | no | yes
brainpoolP192r1 | yes | no | yes
brainpoolP224r1 | yes | no | yes
brainpoolP256r1 | yes | no | yes
brainpoolP320r1 | yes | no | yes
brainpoolP384r1 | yes | no | yes
brainpoolP512r1 | yes | no | yes
ED25519 | no | yes | no
ED448 | no | yes | no
X25519 | no | yes | no
X448 | no | yes | no
-------------------------------------------------------
No built-in FIPS support.
Curves may or may not be supported because of the following reasons:
- The curve requires MSA9 (IBM z15® or later).
- A CCA coprocessor is available.
- The curve is not supported by OpenSSL in FIPS mode.
icainfo -f
Use the icainfo -f command to list non-approved, but still available functions in FIPS mode.
# icainfo -f
FIPS service indicator
------------------------------------------------------
| Available but non-approved
function | dynamic | static | software
---------------+--------------------------------------
DRBG-SHA-512 | - | yes | -
RSA ME | yes | - | -
RSA CRT | yes | - | -
------------------------------------------------------
The output displays algorithms or libica mechanisms that are considered to be not FIPS-compliant, but are not blocked. Applications may then decide whether to use an algorithm or mechanism or not. All algorithms or mechanisms that are not displayed, are either FIPS-compliant or shown as blocked in the default icainfo output (without a parameter). Applications can obtain a FIPS service indicator list using the ica_get_fips_indicator function. This list indicates for each function whether it is approved (FIPS-compliant), non-approved, or non-approved but still available through an exception.
Note that this list is a static list. When using API function ica_allow_external_gcm_iv_in_fips_mode() to dynamically allow or disallow external GCM initialization vectors, this is not reflected in this static icainfo output. Instead, the GCM API functions themselves indicate via errno if their usage is in approved or non-approved mode. Refer to ica_aes_gcm_initialize and ica_aes_gcm_kma_init.