Add app for fips installation

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9634)

1 files changed, 147 insertions, 0 deletions

diff --git a/doc/man1/fipsinstall.pod b/doc/man1/fipsinstall.pod
new file mode 100644
index 0000000000..7481cafb5d
--- /dev/null
+++ b/doc/man1/fipsinstall.pod
@@ -0,0 +1,147 @@
+=pod
+
+=head1 NAME
+
+openssl-fipsinstall - perform FIPS configuration installation
+
+=head1 SYNOPSIS
+
+B<openssl fipsinstall>
+[B<-help>]
+[B<-in configfilename>]
+[B<-out configfilename>]
+[B<-module modulefilename>]
+[B<-provider_name providername>]
+[B<-section_name sectionname>]
+[B<-verify>]
+[B<-mac_name macname>]
+[B<-macopt>]
+
+B<openssl> I<fipsinstall> [B<...>]
+
+=head1 DESCRIPTION
+
+This utility is used to generate a FIPS module configuration file.
+The generated configuration file consists of:
+
+=over 4
+
+=item - A mac of the FIPS module file.
+
+=item - A status indicator that indicates if the known answer Self Tests (KAT's)
+have successfully run.
+
+=back
+
+This configuration file can be used each time a FIPS module is loaded
+in order to pass data to the FIPS modules self tests. The FIPS module always
+verifies the modules MAC, but only needs to run the KATS once during install.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-help>
+
+Print a usage message.
+
+=item B<-module filename>
+
+Filename of a fips module to perform an integrity check on.
+
+=item B<-out configfilename>
+
+Filename to output the configuration data to, or standard output by default.
+
+=item B<-in configfilename>
+
+Input filename to load configuration data from. Used with the '-verify' option.
+Standard input is used if the filename is '-'.
+
+=item B<-verify>
+
+Verify that the input configuration file contains the correct information
+
+=item B<-provider_name providername>
+
+Name of the provider inside the configuration file.
+
+=item B<-section_name sectionname>
+
+Name of the section inside the configuration file.
+
+=item B<-mac_name name>
+
+Specifies the name of a supported MAC algorithm which will be used.
+To see the list of supported MAC's use the command I<list -mac-algorithms>.
+The default is "HMAC".
+
+=item B<-macopt nm:v>
+
+Passes options to the MAC algorithm.
+A comprehensive list of controls can be found in the EVP_MAC implementation
+documentation.
+Common control strings used for fipsinstall are:
+
+=over 4
+
+=item B<key:string>
+
+Specifies the MAC key as an alphanumeric string (use if the key contains
+printable characters only).
+The string length must conform to any restrictions of the MAC algorithm.
+A key must be specified for every MAC algorithm.
+
+=item B<hexkey:string>
+
+Specifies the MAC key in hexadecimal form (two hex digits per byte).
+The key length must conform to any restrictions of the MAC algorithm.
+A key must be specified for every MAC algorithm.
+
+=item B<digest:string>
+
+Used by HMAC as an alphanumeric string (use if the key contains printable
+characters only).
+The string length must conform to any restrictions of the MAC algorithm.
+To see the list of supported digests, use the command I<list -digest-commands>.
+
+=back
+
+=back
+
+=head1 EXAMPLES
+
+Calculate the mac of a FIPS module 'fips.so' and run a FIPS self test
+for the module, and save the fips.conf configuration file:
+
+ openssl fipsinstall -module ./fips.so -out fips.conf -provider_name fips \
+         -section_name fipsinstall -mac_name HMAC -macopt digest:SHA256 \
+         -macopt hexkey:000102030405060708090A0B0C0D0E0F10111213
+
+Verify that the configuration file 'fips.conf' contains the correct info:
+
+ openssl fipsinstall -module ./fips.so -in fips.conf  -provider_name fips \
+          -section_name fips_install -mac_name HMAC -macopt digest:SHA256 \
+          -macopt hexkey:000102030405060708090A0B0C0D0E0F10111213 -verify
+
+=head1 NOTES
+
+The MAC mechanisms that are available will depend on the options
+used when building OpenSSL.
+The B<list -mac-algorithms> command can be used to list them.
+
+=head1 SEE ALSO
+
+L<fips_config(5)>,
+L<EVP_MAC(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut