The crypto provider (https://pkg.go.dev/crypto) must offer this feature. Working with this provider to determine what compilation/import flags (if any) are required to explicitly leverage FIPS validated modules is therefore the first step.
@gponto could you clarify the requirement on Notary Project? Based on your description, it is not clear what Notary Project needs to do regarding FIPS support.
Is your feature request related to a problem?
FIPS (Federal Information Processing Standards) requires that any cryptographic functions (e.g. hashing) utilize cryptographic modules validated and listed by NIST under https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
What solution do you propose?
--fips-mode true
which engages the appropriate version of https://pkg.go.dev/crypto. However, if the providers of https://pkg.go.dev/crypto can attest that their library is fully FIPS 140 validated and can supply the https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all Certificate #, then no such flag is required.
What alternatives have you considered?
Utilize an OpenSSL go library that utilizes FIPS validated modules, or build OpenSSL for go using a version of OpenSSL that is FIPS validated (3.0.9 as of this writing) https://www.openssl.org/source/
Any additional context?
The following Cloud Service Providers reference the Notary Project as their recommended method for signing containers. Any US Federal customer of these providers must therefore meet the FIPS compliance requirement described above.