Updates for libica versions 4.1 and 4.2
Edition SC34-2602-15
The current libica versions 4.1 and 4.2 provide the following new features:
- The libica library is enabled for FIPS 140-3 compliance. Whether or not an instance of libica that uses OpenSSL, can be successfully certified for the FIPS 140-3 level, depends on the Linux™ distribution and the version or the distribution-specific variant of OpenSSL that this instance of libica links to. This documentation describes the changes in behavior of libica.
- The following new functions are provided:
- Function ica_aes_xts_ex() supports multi-part operations.
- Use function ica_ecdsa_sign_ex() to create a deterministic ECDSA signature for a given hash data using an ECC key object and a known value k. This allows to implement known-answer tests. Therefore, in FIPS mode this function is only allowed for internal self tests, because in FIPS mode, it is not allowed to create deterministic signatures using an external API.
- A new FIPS-compliant function ica_aes_gcm_initialize_fips() has the same purpose as the existing ica_aes_gcm_initialize() API, but additionally allows to create the initialization vector internally via an approved random source and pass it back to the application.
- A new FIPS-compliant function ica_aes_gcm_kma_init_fips() has the same purpose as the existing ica_aes_gcm_kma_init() API, but creates the initialization vector (IV) for encryption operations internally using an approved random source. This FIPS compliant IV can be obtained with API ica_aes_gcm_kma_get_iv() for subsequent decryption operations.
- Function ica_get_msa_level() returns the processor's highest message security assist level (MSA Extension).
- Function ica_get_fips_indicator() returns a FIPS service indicator. That is, for each hardware function or any other mechanism ID, an indication is provided whether this function or mechanism is FIPS-compliant or not.
- Function ica_get_build_version() returns a configurable string to indicate libica build information. This can for example be used by vendors to indicate a special vendor build.
- Function ica_get_hw_info() returns hardware information about the used processor. It is a FIPS requirement to allow applications to unambiguously determine the version of underlying hardware components. The processor information together with the MSA level uniquely identify the CPACF firmware level.
- The icainfo utility has new options:
- Use option -f to display algorithms or libica mechanisms that are considered to be not FIPS-compliant, but are not blocked. Applications may then decide whether to use an algorithm or mechanism or not.
- Use option -r to display the available RSA key sizes on the current system configuration.
- Using option -v now additionally displays available distribution- or vendor-specific libica build information.