BSI's job generally is ensuring IT security, not breaking it.
Even with the weirder jobs they're tasked with, such as certifying backdoor software for LEAs, it's not about ensuring its operation as a backdoor, but that it only does the designated job (and in particular doesn't bring additional capabilities that are outside their charter).
I sometimes wish BSI had more teeth (e.g. when it comes to stuff like reviewing official backdoor trojans, it's annoying that we need private initiatives and the constitutional court every single time, although that keeps the topic hot), on the other hand it also has a strong whiff of incompetence and bureaucracy that I don't want to see with actual power.
> BSI's job generally is ensuring IT security, not breaking it.
Unfortunately that's also not true. The role of the BSI is very mixed and they have a role as both being offensive and defensive. Which is one of the problems. They're not trustworthy.
The BND/BSI split as implemented in Germany is relatively unique precisely to separate offensive and defensive concerns. The biggest issue IMHO is that they both report to the same federal office.
I worked on SINA components in the past, so I know first hand what they're capable of and what some parts of the German tech media claimed they're used for. (tl;dr: there's very little overlap between some of the more popular claims and reality)
I suspect something similar happened here: BKA and some contractors build the trojan software. BVerfG requires that these tools are limited in their impact, and lawyers would also have a field day in court with any case where the software was used if it can be shown to create security issues; so the BKA requests a security audit from the BSI (that's part of their charter) and gets it. That might have meant some code (in the form of patches) flows back, but given that it's the BSI we're talking about, I doubt it.
Unfortunately the BSI is chartered to do security reviews for federal software, so they can't simply refuse. Meanwhile BSI officials are paranoid because they know (from the SINA/ISP surveillance FUD) what public reception of such a job looks like and try to do PR management (and fail, which probably surprises no-one).