ACVP Proxy

The ACVP Proxy allows the retrieving of test vectors from the ACVP servers. In addition, it allows the submission of test results to the ACVP servers and to retrieve the verdict of the test results.

The obtained test vectors stored in the files testvector-request.json are intended to be transferred to the test system hosting the cryptographic module to be tested. The JSON file must be inserted into the cryptographic module to produce the `testvector-response.json` file holding the responses according to the ACVP protocol specification. An example implementation that parses these JSON files, invokes the cryptographic implementation and generates the test response files, see the ACVP Parser.


The ACVP Proxy is implemented in clean C99 and requires the presence of the POSIX API. In addition, the ACVP Proxy requires libcurl to be present. This library is commonly available to almost all general purpose operating systems. Other runtime-dependencies are not required.

The ACVP Proxy was successfully compiled and executed on the following operating systems:

GitHub Link

A public git repository is found at smuellerDD/acvpproxy.

ACVP Protocol Specification

The ACVP Proxy implements the entire network side of the ACVP Protocol Specification. It implements all aspects of the protocol.

Source Code

The following source code contains the implementation of the ACVP Proxy.

Link Changes

1.0.0 (Signature of source code)

ACVP Proxy was used and subject for first successful ACVP certificate
  • replace --list-certificate-ids with --list-available-ids
  • version crypto implementation
  • OpenSSL: Add SSH KDF
  • add: AES-FF1 and AES-FF3-1 support
  • production ACVP: use testvector-production and secure-datastore-production databases
  • add GMAC testing support
  • fix OE / Dependency meta data handling

0.7.2 (Signature of source code)

ACVP Proxy was used for a successful accreditation
  • add support for DELETE of all meta data endpoints
  • add support for listing certificate IDs and pending request IDs
  • add listing of request IDs
  • add listing of certificate IDs
  • add listing of verdicts
  • add PBKDF support
  • fix storing of OE ID
  • add ECDSA signature generation component testing support
  • add --update-definition command line option - per default the ACVP proxy will now always register meta data with new entries in case the JSON configuration data with its ID does not match with the ACVP server. If the ACVP server shall be updated, --update-definition has to be used
  • add --cipher-list

2019-07-14 smueller at