
Utilize FIPS-validated cryptographic modules

Open georgedias opened this issue 2 years ago • 3 comments

All encryption must be accomplished utilizing FIPS 140-2 compliant modules:

| Rule Title | Vul ID | Severity |
| --- | --- | --- |
| [ ] The application must utilize FIPS-validated cryptographic modules when signing application components | V-222570 | CAT II (Medium) |
| [ ] The application must utilize FIPS-validated cryptographic modules when generating cryptographic hashes | V-222571 | CAT II (Medium) |
| [ ] The application must utilize FIPS-validated cryptographic modules when protecting unclassified information that requires cryptographic protection | V-222572 | CAT II (Medium) |
| [ ] The application must use the Federal Information Processing Standard (FIPS) 140-2-validated cryptographic modules and random number generator if the application implements encryption, key exchange, digital signature, and hash functionality | V-222583 | CAT II (Medium) |

    References: Application Security and Development Security Technical Implementation Guide :: Version 5, Release: 2 Benchmark Date: 27 Oct 2022

    • Heimdall Server uses bcryptjs for encryption/hashing, which at this time is NOT FIPS 140-2 compliant.

    • The bcryptjs npm module is used to generate an encryption key. It makes use of a cryptographic salt to ensure keys and passwords are uniquely encrypted. In the browser, bcrypt.js relies on the Web Crypto API's getRandomValues interface to obtain secure random numbers.

    • [ ] Build Heimdall on a host OS that has FIPS turned on (Ubuntu with FIPS enabled) - look at ubuntu advanced from AWS or Canonical - reference https://canonical.com/blog/how-to-develop-linux-applications-for-fips-on-ubuntu. Create a development machine with FIPS enabled. Example: https://github.com/valentincanonical/ubuntu-ua-fips-nginx-example

    • [ ] Replace or conditionally use the bcrypt library

    • [ ] Create a process to configure FIPS in Heimdall so it can be run with or without FIPS enabled

    georgedias, Mar 02 '23 01:03

    [aws (s3), splunk, tenable] = load data areas, [github, okta, oidc, 'passport', etc] = log in, [axios, sequelize] = calls between db+backend+frontend, [operating system, docker, nodejs, browser, db, nginx] = deployment environment, [bcrypt] = password/api key generation

    Amndeep7, Jul 12 '23 21:07

    what is the request? is it 'fips enabled heimdall' or is it 'fips enabled deployment of heimdall'?

    Amndeep7, Jul 12 '23 21:07

    going to need to figure out how to a) run postgres in fips compliant mode and b) use libraries that can interface with it while fips compliant. OR we're gonna need to swap out DBs entirely.

```
heimdall2-server-1    | DOMException [NotSupportedError]: Unrecognized name.
heimdall2-server-1    |     at new DOMException (node:internal/per_context/domexception:53:5)
heimdall2-server-1    |     at __node_internal_ (node:internal/util:505:10)
heimdall2-server-1    |     at normalizeAlgorithm (node:internal/crypto/util:212:15)
heimdall2-server-1    |     at SubtleCrypto.asyncDigest (node:internal/crypto/hash:171:15)
heimdall2-server-1    |     at SubtleCrypto.digest (node:internal/crypto/webcrypto:76:10)
heimdall2-server-1    |     at md5 (/app/apps/backend/node_modules/pg/lib/crypto/utils-webcrypto.js:41:37)
heimdall2-server-1    |     at Object.postgresMd5PasswordHash (/app/apps/backend/node_modules/pg/lib/crypto/utils-webcrypto.js:50:21)
heimdall2-server-1    |     at /app/apps/backend/node_modules/pg/lib/client.js:251:45
heimdall2-server-1    |     at Client._checkPgPass (/app/apps/backend/node_modules/pg/lib/client.js:226:7)
heimdall2-server-1    |     at Client._handleAuthMD5Password (/app/apps/backend/node_modules/pg/lib/client.js:249:10)
heimdall2-server-1    | Emitted 'error' event on Client instance at:
heimdall2-server-1    |     at /app/apps/backend/node_modules/pg/lib/client.js:254:14
heimdall2-server-1    |     at processTicksAndRejections (node:internal/process/task_queues:96:5)
```

    Amndeep7, Aug 21 '23 21:08