About the Cryptographic Framework in FIPS 140-2 Mode
The Cryptographic Framework implements many cryptographic algorithms with varying key lengths. Each variant of an algorithm is called a mechanism. Not all mechanisms are validated for FIPS 140-2.
When running in FIPS 140-2 mode, the userland Cryptographic Framework does not by itself enforce the use of FIPS 140-2 validated algorithms: applications can still request mechanisms that are not validated unless you disable them. This design choice enables you to apply your own security policy.
Tip:
To accommodate a legacy system, non-compliant applications, or problem resolution, you can leave all Cryptographic Framework algorithms enabled. For strict enforcement of FIPS 140-2 mode, disable the non-FIPS 140-2 algorithms in the Cryptographic Framework. For an example, see the final steps in Example of Running in FIPS 140-2 Mode on an Oracle Solaris 11.4 System.

After enabling the providers in FIPS 140-2 mode, you must configure applications and programs to use FIPS 140-2 algorithms.
The cryptoadm and pktool commands list the algorithms that the Cryptographic Framework supports.

- To display a complete list of cryptographic mechanisms, use the cryptoadm list -vm command. See the cryptoadm(8) man page.
- To display the list of curves for ECC algorithms, use the pktool gencert listcurves command. See the pktool(1) man page.

For information about the ECC curves in Oracle Solaris that are FIPS 140-2 validated, see FIPS 140-2 Algorithms in the Cryptographic Framework.
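The tip above tells you to disable the non-FIPS 140-2 mechanisms but leaves the selection to you. The following POSIX shell script is an example added to this page; it is not Oracle's code and not part of the Oracle Solaris documentation. It parses a listing in the style of the user-level section of cryptoadm list -m output and emits one cryptoadm disable provider=... mechanism=... command per provider for every mechanism that is not on an allowlist. The embedded listing is constructed and only approximates the real output, and the allowlist FIPS_ALLOWLIST is an illustrative assumption, not Oracle's validated list: replace it with the mechanisms named in FIPS 140-2 Algorithms in the Cryptographic Framework before using it.

```shell
#!/bin/sh
# Added example (not Oracle's code): derive "cryptoadm disable" commands for
# every user-level mechanism that is NOT on an allowlist of FIPS 140-2
# validated mechanisms.

# CONSTRUCTED sample approximating the user-level section of
# "cryptoadm list -m" output. Real output may differ in detail.
SAMPLE_LISTING='User-level providers:
=====================

Provider: /usr/lib/security/$ISA/pkcs11_softtoken.so
Mechanisms:
CKM_DES_CBC
CKM_DES_ECB
CKM_AES_CBC
CKM_AES_GCM
CKM_MD5
CKM_SHA256
CKM_RSA_PKCS
CKM_RC4
'

# ASSUMED allowlist for illustration only. Replace with the validated
# mechanisms from "FIPS 140-2 Algorithms in the Cryptographic Framework".
FIPS_ALLOWLIST="CKM_AES_CBC CKM_AES_GCM CKM_SHA256 CKM_RSA_PKCS"

# is_allowed NAME: succeeds (exit 0) if NAME is on the allowlist.
is_allowed() {
    for m in $FIPS_ALLOWLIST; do
        [ "$m" = "$1" ] && return 0
    done
    return 1
}

# non_fips_mechs LISTING: prints "<provider> <mechanism>", one per line,
# for each CKM_* mechanism in LISTING that is not on the allowlist.
# The provider path is remembered from the preceding "Provider:" line.
non_fips_mechs() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "Provider: "*) provider=${line#Provider: } ;;
            CKM_*) is_allowed "$line" || printf '%s %s\n' "$provider" "$line" ;;
        esac
    done
}

# disable_commands LISTING: groups the non-allowlisted mechanisms by provider
# and prints one "cryptoadm disable" command per provider, using the
# comma-separated mechanism= list that cryptoadm accepts.
disable_commands() {
    non_fips_mechs "$1" | awk '
        { mechs[$1] = mechs[$1] ? mechs[$1] "," $2 : $2 }
        END {
            for (p in mechs)
                printf "cryptoadm disable provider=%s mechanism=%s\n", p, mechs[p]
        }'
}

# Usage on a real system (review the output before running it as a
# sufficiently privileged user):
#   disable_commands "$(cryptoadm list -m)"
disable_commands "$SAMPLE_LISTING"
```

The script only understands the user-level provider section, where mechanisms are listed one per line under a Provider: header; kernel providers are listed in a different layout and are addressed by provider name rather than by library path, so handle them separately. Keep the generated commands under review rather than piping them straight into a shell, and re-run the listing afterwards to confirm that only allowlisted mechanisms remain enabled.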