Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIPS-140 support #277

Open
yweiy10 opened this issue Jun 15, 2023 · 5 comments
Open

FIPS-140 support #277

yweiy10 opened this issue Jun 15, 2023 · 5 comments

Comments

@yweiy10
Copy link

yweiy10 commented Jun 15, 2023

Hello,

This is a follow-up question for #259.

I'd like to invest some time here to verify if I can switch the bouncycastle jars to be fips-validated ones. My application is mainly in JRuby and we recently got a request for FIPS compliance. So I don't think I have another choice but to fix the jRuby-openssl and have a FIPS version of it at least. Is that right?

And for the development, I'd like to understand how I can test thoroughly after switching the bc dependencies. Is unit test in the codebase decent?

I also found that OpenSSL, which I believe is the base of JRuby-openssl is FIPS validated. So do you think there is a way that I can borrow some experience or impl from there?

Thanks for your help!
@morneaut
Copy link

morneaut commented Jul 5, 2023

I'm in the exact same situation and would like to explore a solution. I see that BouncyCastle has jars that could take the place of the older non-compliant jars.

@kares
Copy link
Member

kares commented Jul 6, 2023

In theory this is possible but in practice this would need dedicated work (how much I do not know but I guess a minimum of a week or two) and thus someone would need to simply put in the hours.

@yweiy10
Copy link
Author

yweiy10 commented Jul 6, 2023

I did poke around and found that the api compatibility between bc and bc-fips are not as ideal as we expected. I did some quick diff comparison and it looks to me that more than 80% are different without considering the impl under the hood and it significantly destroys my confidence to make it even just compile with a short period of time.

@yweiy10
Copy link
Author

yweiy10 commented Jul 6, 2023

And the way I'm pursuing right now is through an encryption shim in my JRuby application. I would use another java security provider library, Conscrypt, to provide the encryption functionalities and answer all the encryption calls(luckily not that much) in my application.

@kares
Copy link
Member

kares commented Jul 6, 2023

Yeah, I also thought it's not just .jar replacement and that JOSSL might need to build a level of indirection using some of the APIs.

Not sure about the scope of the whole thing, my initial time estimate this would take might be very optimistic and I do not see anyone understanding the code base committing to that much work here...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kares @morneaut @yweiy10