Please let me know if this is not the right place to ask the following.
I am used to OpenSSL and GnuTLS, both of which have an explicit method for enabling FIPS and at the same time run the FIPS self-tests. This method is called very near the start of the code, for instance.
I would like to use NSS with FIPS support. I am browsing the code (3.17.4) and although there are a few methods for doing various checks, such as sftk_fipsPowerUpSelfTest() and various power-on self-tests, the file fipstest.c seems to happily delve into testing without doing any FIPS initialization at all. Now, NSS was appropriately set externally from any code in FIPS mode by doing:
modutil -force -fips true -dbdir <directory>
And then checking it out with:
modutil -chkfips false -dbdir <directory>
Is that all that's needed, assuming that any application using NSS will now work with a FIPS-enabled NSS?
Then what would be the way for an application to first verify that indeed NSS is in FIPS mode? What would be the preferred method for doing so? Are the methods inside fipstokn.c such as sftk_fipsCheck() available for applications? Finally, any simple example code out there that checks FIPS mode and perhaps does a simple operation?