Skip to content

FIPS-140 support #277

New issue
New issue
Open
Open
FIPS-140 support#277
@yweiy10

Description

@yweiy10
yweiy10
opened on Jun 15, 2023

Hello,

This is a follow-up question for #259.

I'd like to invest some time here to verify if I can switch the bouncycastle jars to be fips-validated ones. My application is mainly in JRuby and we recently got a request for FIPS compliance. So I don't think I have another choice but to fix the jRuby-openssl and have a FIPS version of it at least. Is that right?

And for the development, I'd like to understand how I can test thoroughly after switching the bc dependencies. Is unit test in the codebase decent?

I also found that OpenSSL, which I believe is the base of JRuby-openssl is FIPS validated. So do you think there is a way that I can borrow some experience or impl from there?

Thanks for your help!

Activity

morneaut

morneaut commented on Jul 5, 2023

@morneaut
morneaut
on Jul 5, 2023

I'm in the exact same situation and would like to explore a solution. I see that BouncyCastle has jars that could take the place of the older non-compliant jars.

kares

kares commented on Jul 6, 2023

@kares
kares
on Jul 6, 2023
Member

In theory this is possible but in practice this would need dedicated work (how much I do not know but I guess a minimum of a week or two) and thus someone would need to simply put in the hours.

yweiy10

yweiy10 commented on Jul 6, 2023

@yweiy10
yweiy10
on Jul 6, 2023
Author

I did poke around and found that the api compatibility between bc and bc-fips are not as ideal as we expected. I did some quick diff comparison and it looks to me that more than 80% are different without considering the impl under the hood and it significantly destroys my confidence to make it even just compile with a short period of time.

yweiy10

yweiy10 commented on Jul 6, 2023

@yweiy10
yweiy10
on Jul 6, 2023
Author

And the way I'm pursuing right now is through an encryption shim in my JRuby application. I would use another java security provider library, Conscrypt, to provide the encryption functionalities and answer all the encryption calls(luckily not that much) in my application.

kares

kares commented on Jul 6, 2023

@kares
kares
on Jul 6, 2023
Member

Yeah, I also thought it's not just .jar replacement and that JOSSL might need to build a level of indirection using some of the APIs.

Not sure about the scope of the whole thing, my initial time estimate this would take might be very optimistic and I do not see anyone understanding the code base committing to that much work here...

RTrampov

RTrampov commented on Sep 2, 2024

@RTrampov
RTrampov
on Sep 2, 2024

Hi, are there any updates on this?

mmguero
mentioned this on Jun 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      FIPS-140 support · Issue #277 · jruby/jruby-openssl