I have a security protocol whose implementation will be done by many third-party developers (let's call them 'manufacturers'), which in turn will be programmed into the embedded hardware designed by them.
There are some mandatory guidelines (e.g. a particular cryptographic operation must be carried out using a cryptoprocessor and not a software library) which must be followed by them.
Now, is there any way to check whether they have followed all the guidelines of the protocol and certify their implementation if you have access to the source and binary files of the implementation?
How can I ensure that the manufacturer has programmed only the certified implementation in all the hardware samples?
Edit 1:
As per my knowledge, a solution for the certification: the source code can be manually inspected to cross-check compliance with each recommendation. Then the source code as well as the binary obtained from it can be certified using the signature of the certifying authority on the checksums of both files.
Correct me if there is any loophole in this certification process which can be exploited by a manufacturer.
Now, if the binary of the implemented protocol is programmed separately, we can check the file system and locate this binary, calculate its checksum and verify it against the certified binary. But if the protocol is implemented inside another application, then we can't have this certification; instead the final application which includes the protocol implementation has to be certified. But this may complicate the certification process.
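
The checksum-and-signature check described in Edit 1, as an added example that is not part of the original post: the authority certifies digests of the source and binary, and an auditor looks for the certified binary among a device's files. HMAC stands in for the authority's signature so the code needs only the standard library (a real scheme would use an asymmetric signature), and every key, path and file content here is constructed.

```python
import hashlib
import hmac
import json

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _tag(manifest: dict, ca_key: bytes) -> str:
    # Assumption: HMAC stands in for the certifying authority's signature so
    # the example needs only the standard library.
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(ca_key, payload, hashlib.sha256).hexdigest()

def certify(source: bytes, binary: bytes, ca_key: bytes) -> dict:
    """Authority side: bind the inspected source to the binary built from it."""
    manifest = {"source_sha256": digest(source), "binary_sha256": digest(binary)}
    return {"manifest": manifest, "tag": _tag(manifest, ca_key)}

def audit_device(files: dict, cert: dict, ca_key: bytes) -> tuple:
    """Auditor side: validate the certificate, then look for the certified binary."""
    if not hmac.compare_digest(_tag(cert["manifest"], ca_key), cert["tag"]):
        return ("certificate-invalid", None)
    wanted = cert["manifest"]["binary_sha256"]
    for path, content in sorted(files.items()):
        if hmac.compare_digest(digest(content), wanted):
            return ("certified", path)
    # No file hashes to the certified value: either the binary was changed or
    # the protocol code was linked into a larger application image.
    return ("not-found", None)

# Constructed sample data (not from any real device).
CA_KEY = b"constructed-demo-key"
SOURCE = b"int proto_step(void) { return hw_crypto_sign(); }\n"
BINARY = b"\x7fELF constructed protocol binary"
CERT = certify(SOURCE, BINARY, CA_KEY)

def demo() -> tuple:
    standalone = {"/usr/bin/app": b"unrelated", "/usr/bin/proto": BINARY}
    embedded = {"/usr/bin/app": b"app-head" + BINARY + b"app-tail"}
    # Certificate whose binary digest was replaced without re-certification.
    swapped = dict(CERT, manifest=dict(CERT["manifest"],
                                       binary_sha256=digest(b"uncertified build")))
    return (audit_device(standalone, CERT, CA_KEY),
            audit_device(embedded, CERT, CA_KEY),
            audit_device({"/usr/bin/proto": b"uncertified build"}, swapped, CA_KEY))
```

The second result of `demo()` is the embedded case from the post: the certified bytes sit inside the application image, but no file hashes to the certified value, so the per-file check cannot confirm them.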