
Support FIPS 140 validated crypto module(s) #897

Open
gponto opened this issue Feb 26, 2024 · 2 comments
Labels
enhancement New feature or request
Comments

gponto commented Feb 26, 2024

Is your feature request related to a problem?

FIPS (Federal Information Processing Standards) requires that any cryptographic functions (e.g. hashing) utilize cryptographic modules validated and listed by NIST under https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all

What solution do you propose?

  1. The crypto provider (https://pkg.go.dev/crypto) must offer this feature. Working with this provider to determine what compilation/import flags (if any) are required to explicitly leverage FIPS validated modules is therefore the first step.
  2. Depending on whether a variant build/flag of https://pkg.go.dev/crypto is required, CLI/tool vendors may support a command line flag such as --fips-mode true which engages the appropriate version of https://pkg.go.dev/crypto. However if the providers of https://pkg.go.dev/crypto can attest that their library is fully FIPS 140 validated and can supply the https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all Certificate #, then no such flag is required.

What alternatives have you considered?

Utilize an OpenSSL go library that utilizes FIPS validated modules, or build OpenSSL for go using a version of OpenSSL that is FIPS validated (3.0.9 as of this writing) https://www.openssl.org/source/

Any additional context?

The following Cloud Service Providers reference the Notary Project as their recommended method for signing containers. Any US Federal customer of these providers must therefore meet the FIPS compliance requirement described above. 

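One concrete shape for the `--fips-mode` flag sketched in step 2, as an added example that is not Notary Project code: a small Go gate that refuses non-SHA-2 digests when the flag is set, and refuses the flag itself unless the Go runtime reports FIPS mode. The table names, `SelectDigest` and `Run` are hypothetical, and the `GODEBUG=fips140=on` switch is assumed from Go 1.24+, which this issue does not mention.

```go
package main

import (
	"crypto"
	_ "crypto/sha256" // registers SHA-256 with crypto.Hash
	_ "crypto/sha512" // registers SHA-384 and SHA-512
	"flag"
	"fmt"
	"strings"
)

// Hypothetical tables, not Notary Project code: the FIPS 140 approved SHA-2 allowlist,
// and legacy digests reachable only outside FIPS mode and only if linked in (neither is here).
var fipsApproved = map[string]crypto.Hash{"sha256": crypto.SHA256, "sha384": crypto.SHA384, "sha512": crypto.SHA512}
var legacy = map[string]crypto.Hash{"sha1": crypto.SHA1, "md5": crypto.MD5}

// SelectDigest picks the signing hash; in FIPS mode a non-approved name is refused before any crypto runs.
func SelectDigest(name string, fipsMode bool) (crypto.Hash, error) {
	name = strings.ToLower(name)
	if h, ok := fipsApproved[name]; ok {
		return h, nil
	}
	if fipsMode {
		return 0, fmt.Errorf("digest %q is not FIPS 140 approved", name)
	}
	if h, ok := legacy[name]; ok && h.Available() {
		return h, nil
	}
	return 0, fmt.Errorf("digest %q is unknown or not linked into this binary", name)
}

// Run parses the CLI flags and applies the gate; a real main would call Run(os.Args[1:], os.Getenv("GODEBUG")).
func Run(args []string, godebug string) (crypto.Hash, error) {
	fs := flag.NewFlagSet("sign", flag.ContinueOnError)
	fips := fs.Bool("fips-mode", false, "use only FIPS 140 validated crypto")
	algo := fs.String("hash", "sha256", "digest algorithm for signing")
	if err := fs.Parse(args); err != nil {
		return 0, err
	}
	// Assumption: Go 1.24+ enables FIPS 140 mode via GODEBUG=fips140=on (or =only);
	// older toolchains have no such switch, so the flag is refused rather than silently ignored.
	runtimeFIPS := false
	for _, kv := range strings.Split(godebug, ",") {
		runtimeFIPS = runtimeFIPS || kv == "fips140=on" || kv == "fips140=only"
	}
	if *fips && !runtimeFIPS {
		return 0, fmt.Errorf("--fips-mode set but the Go runtime is not in FIPS mode")
	}
	return SelectDigest(*algo, *fips)
}
```

Go's flag package takes the flag as `--fips-mode` or `--fips-mode=true`; the space-separated `--fips-mode true` form from step 2 would still set the flag but leave `true` behind as a positional argument.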
@gponto gponto added enhancement New feature or request triage Need to triage labels Feb 26, 2024
@yizha1 yizha1 added this to the Discuss milestone Mar 6, 2024
@yizha1 yizha1 removed the triage Need to triage label Mar 6, 2024
@yizha1 yizha1 modified the milestones: Discuss, 1.3.0 Mar 12, 2024
Contributor

yizha1 commented Mar 12, 2024

Per the discussion in the meeting 3/12/2024, set the milestone to 1.3.0

Contributor

yizha1 commented Dec 3, 2024

@gponto could you clarify the requirement on Notary Project? Based on your description, it is not clear what Notary Project needs to do regarding FIPS support.

@yizha1 yizha1 modified the milestones: 1.3.0, Discuss Dec 3, 2024
Projects
Status: Todo
Development

No branches or pull requests

2 participants