-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add API support for SHA3-384 and friends #57
Comments
Mind if I ask how you're using this library to create a FIPS-compliant Go application? With the way this library is currently implemented, it doesn't seem like it would necessarily be straightforward to use the new API in practice. go-crypto-openssl is designed to be used by forks of Go, where the fork internally loads OpenSSL--it would be difficult in this situation for a non-built-in crypto package to get access to the same loaded OpenSSL. If you're writing an application from scratch and using This repo is not designed as a drop-in replacement for |
Yes, that's the intention. github.com/snapcore/snapd uses crypto, and _ golang.org/x/crypto/sha3 and would like to use Canonical Ubuntu OpenSSL FIPS which has certified RSA, SHA-2 and SHA-3.
However, that's what built-in crypto package requires one to do to use import "crypto"
import _ "golang.org/x/crypto/sha3"
....
crypto.SHA3_384() becomes usable So sha3 is half-way in the crypto package, it works as long as side-effect init of crypto/sha3 has been imported. Poking this module, it seems like the easiest way to bring over sha3, albeit with duplicate import of this whole module.
In snapd source, and also elsewhere on the github there are many users of both direct users of golang.org/x/crypto/sha3 package and those that rely on the side-effect hash registration.
To be more specific I understand that this module is not replacement for "crypto", but I hope it can offer replacement for |
This adds OpenSSL SHA-3 family of hashes in the openssl package. Separately sha3 package is added as a drop-in replacement for golang.org/x/crypto/sha3 package. Together with FIPS-compliant Go toolchain one can thus attempt building FIPS-compliant applications that use "crypto" package and also need FIPS-compliant SHA-3. Marshaling is not cross-platform compatible (32/64 & be/le issues). Fixes: microsoft#57
Thanks for the detailing your use-case and for sending out a working PR @xnox. This repo is going to be archived once the Microsoft Go fork migrates to https://github.com/golang-fips/openssl (see golang-fips/openssl#83). Therefore, I suggest you to fill an issue in that repo. Following @dagood comments, the Having said this, I'm ok adding drop-in replacements for the |
Ack. I found this repository by following what Microsoft Go fork current versions used. I can absolutely make a similar issue and PR there.
I mean, everything would be much easier if sha3 graduated to be part of the standard library, as then everything would be in the compiler provided packages. I will ask upstream about graduating sha3 into standard library. |
Thanks for the info about the standard library For the sake of discussion... the way we're designing the fork, I believe we would want SHA3_384 to be usable through OpenSSL even without removing a That's not to say that a drop-in module can't be made, I just don't think that it's the ideal approach when a Go fork is in the mix that can be used to do this in a more source-compatible way. (For the sake of ensuring "new" code written with our fork is still compatible with official Go, we should likely still make sure |
yes yes yes. Ideally somehow internal openssl/sha3 should be registered with crypto api, and exposed instead of x/crypto/sha3 whenever that is imported for direct usage or via crypto api. I will open that as a separate request on the compiler fork, once sha3 is available in the openssl module. |
Closing this issue in favor of that golang-fips/openssl#87. |
openssl provides sha3-384 implementation.
when available please expose sha3-384 implementation.
This is to gain access to a FIPS certified SHA3 implementation instead of golang.org/x/crypto/sha3
ideally as a drop in replacement for golang.org/x/crypto/sha3
The text was updated successfully, but these errors were encountered: