jruby-openssl icon indicating copy to clipboard operation
jruby-openssl copied to clipboard
verified publisher icon jruby

FIPS-140 support

Open yweiy10 opened this issue 2 years ago • 6 comments

Hello,

This is a follow-up question for https://github.com/jruby/jruby-openssl/issues/259.

I'd like to invest some time here to verify if I can switch the bouncycastle jars to be fips-validated ones. My application is mainly in JRuby and we recently got a request for FIPS compliance. So I don't think I have another choice but to fix the jRuby-openssl and have a FIPS version of it at least. Is that right?

And for the development, I'd like to understand how I can test thoroughly after switching the bc dependencies. Is unit test in the codebase decent?

I also found that OpenSSL, which I believe is the base of JRuby-openssl is FIPS validated. So do you think there is a way that I can borrow some experience or impl from there?

Thanks for your help!

yweiy10 avatar Jun 15 '23 19:06 yweiy10

I'm in the exact same situation and would like to explore a solution. I see that BouncyCastle has jars that could take the place of the older non-compliant jars.

morneaut avatar Jul 05 '23 22:07 morneaut

In theory this is possible but in practice this would need dedicated work (how much I do not know but I guess a minimum of a week or two) and thus someone would need to simply put in the hours.

kares avatar Jul 06 '23 12:07 kares

I did poke around and found that the api compatibility between bc and bc-fips are not as ideal as we expected. I did some quick diff comparison and it looks to me that more than 80% are different without considering the impl under the hood and it significantly destroys my confidence to make it even just compile with a short period of time.

yweiy10 avatar Jul 06 '23 14:07 yweiy10

And the way I'm pursuing right now is through an encryption shim in my JRuby application. I would use another java security provider library, Conscrypt, to provide the encryption functionalities and answer all the encryption calls(luckily not that much) in my application.

yweiy10 avatar Jul 06 '23 14:07 yweiy10

Yeah, I also thought it's not just .jar replacement and that JOSSL might need to build a level of indirection using some of the APIs.

Not sure about the scope of the whole thing, my initial time estimate this would take might be very optimistic and I do not see anyone understanding the code base committing to that much work here...

kares avatar Jul 06 '23 15:07 kares

Hi, are there any updates on this?

RTrampov avatar Sep 02 '24 15:09 RTrampov