
Add feature based on aws-lc-rs cryptographic library instead of ring

Open KirilNN opened this issue 1 year ago • 11 comments

The goal here is to enable a feature based on the aws-lc-rs library, so it can be used on demand instead of ring, which is not FIPS certified.

KirilNN, Mar 12 '24 15:03

@Keats thanks for taking a look, I changed the feature name and added it to the CI, do you mind taking a look again?

KirilNN, Mar 15 '24 08:03

Have you seen this PR: https://github.com/Keats/jsonwebtoken/pull/318 ? It's something I was considering.

Keats, Mar 15 '24 18:03

Well, this is also reasonable IMO. For me the question is whether these libs are FIPS compliant, because this is the biggest issue we are tackling with this PR, as AWS did get it certified. Can we do features as well, like remove ring, get a feature for FIPS using the AWS lib, and all the rest with the lib combo? Does it sound good? I believe removing ring is OK for everyone.

KirilNN, Mar 18 '24 09:03

It looks like building this lib on Windows is problematic? https://github.com/aws/aws-lc/issues/1477

Keats, Mar 18 '24 21:03

@Keats that is very unfortunate. I think that there is a compliant Microsoft library for the same that should be compilable on Windows. Let me do some research and get back.

KirilNN, Mar 21 '24 08:03

It looks like SymCrypt from Microsoft does not have wide platform support, although it has the needed features, so I guess we can either merge the PR you suggest, which does not guarantee FIPS compliance, or we wait for the AWS folks to fix the Windows build? Or maybe just use ring for Windows?

KirilNN, Apr 05 '24 09:04
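As an added illustration of the feature layout KirilNN proposes above (one backend feature for ring, one for aws-lc-rs, plus a FIPS convenience feature), here is a Cargo.toml fragment; it is an example written for this page, not the project's actual manifest, and the feature names and version requirements are assumptions.

```toml
# Example manifest fragment (not jsonwebtoken's real Cargo.toml).
# Feature names and version requirements below are assumptions.

[features]
# Exactly one backend is expected. Cargo features are additive, so a
# build with both enabled must be rejected in code, not here.
default = ["rust_crypto"]

# Current backend: ring. Not FIPS validated.
rust_crypto = ["dep:ring"]

# Alternative backend: aws-lc-rs, which wraps AWS-LC and has
# FIPS-validated builds available.
aws_lc_rs = ["dep:aws-lc-rs"]

# Convenience feature: select aws-lc-rs and turn on its own `fips`
# feature so the FIPS build of AWS-LC is used.
fips = ["aws_lc_rs", "aws-lc-rs/fips"]

[dependencies]
# Both backends are optional; the features above pull in exactly one.
ring = { version = "0.17", optional = true }
aws-lc-rs = { version = "1", optional = true }
```

Because features are additive, the crate source should carry a `compile_error!` behind `#[cfg(all(feature = "rust_crypto", feature = "aws_lc_rs"))]` so an ambiguous backend selection fails the build rather than silently picking one. The Windows build problem of AWS-LC raised earlier in the thread applies to anything that enables `aws_lc_rs` or `fips`.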