GEMSTASH-194 Support for FIPS Mode

Open ayohrling opened this issue 6 years ago • 6 comments

This updates the digest usage from MD5 to SHA256 to support hosts that are configured in FIPS mode.

Fixes #194

ayohrling avatar Oct 31 '18 13:10 ayohrling

If I understand this correctly, this change modifies the directory names for Storage's "Resources" (aka uploaded things).

That would be a breaking change, right?

olleolleolle avatar Dec 10 '18 16:12 olleolleolle

Yes, it changes the hashing mechanism used in the storage structure to a FIPS-compliant cipher. It will break any cached resources from older versions. Upgraded systems would need to re-cache. A conversion really wouldn't be possible, because we'd be guessing at rolling back from safe_name to name with regard to casing.

ayohrling avatar Dec 10 '18 16:12 ayohrling
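
The breakage described in the comment above, as an added Ruby example that is not part of the original thread and is not Gemstash's own code: it shows that a cache laid out by MD5 is never found once the digest is SHA256, and that recomputing the new location from a lowercased safe name guesses wrong when the original name had uppercase letters. The directory layout (one directory named after the hex digest of the resource name), the lowercasing `safe_name`, the `fips:` keyword and the sample gem names are all assumptions made for illustration.

```ruby
require "digest"

# Hypothetical storage layout (an assumption, not Gemstash's code): a resource
# is stored in a directory named after the hex digest of its name, in a file
# named after a lowercased, sanitized form of that name.
def digest_for(name, fips:)
  # The flag selects the algorithm; MD5 is not FIPS-approved, SHA-256 is.
  (fips ? Digest::SHA256 : Digest::MD5).hexdigest(name)
end

def safe_name(name)
  name.downcase.gsub(/[^a-z0-9_.-]/, "_")
end

def resource_path(name, fips:)
  File.join(digest_for(name, fips: fips), safe_name(name))
end

# Constructed sample names; the first two differ only in casing.
NAMES = ["rails-5.2.1.gem", "Rails-5.2.1.gem", "rack-2.0.6.gem"].freeze

# Simulate a cache written by an older (MD5) version and read after the switch
# to SHA256. Returns the names whose cached copy is no longer found.
def cache_misses_after_switch(names)
  cached = names.map { |n| resource_path(n, fips: false) }
  names.reject { |n| cached.include?(resource_path(n, fips: true)) }
end

# Attempt a migration using only what the old layout keeps on disk (the safe
# name): recompute the SHA256 path from it and compare with the path the
# original name gets. Returns the names for which that guess is wrong.
def wrong_migration_guesses(names)
  names.reject do |n|
    resource_path(safe_name(n), fips: true) == resource_path(n, fips: true)
  end
end

if __FILE__ == $PROGRAM_NAME
  NAMES.each do |n|
    puts "#{n}\n  md5:    #{resource_path(n, fips: false)}\n  sha256: #{resource_path(n, fips: true)}"
  end
  puts "misses after switch: #{cache_misses_after_switch(NAMES).inspect}"
  puts "wrong guesses from safe name: #{wrong_migration_guesses(NAMES).inspect}"
end
```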

Maybe add this as a flag at the moment and make it the default in a major version.

bronzdoc avatar Dec 10 '18 16:12 bronzdoc

To suggest a flag name, I read a bit about the "FIPS mode" concept.

I like the MS registry key name best: FipsAlgorithmPolicy.

It describes what we do to Gemstash when this new option is set. We choose crypto in FIPS-compliant ways.

As an option name --use-fips-algorithm-policy (default: false).

What are some better flag names?

olleolleolle avatar Dec 10 '18 16:12 olleolleolle

@olleolleolle what about --fips and have what it does in the description?

bronzdoc avatar Dec 10 '18 16:12 bronzdoc

I added a PR on top of the @ayohrling one.

olleolleolle avatar Mar 18 '19 21:03 olleolleolle