Hi all,
I want to add support of FIPS 140-2 to Jenkins Core and some plugins.

BouncyCastle Security provider used in Jenkins has FIPS version.
https://downloads.bouncycastle.org/fips-java/BC-FJA-UserGuide-1.0.2.pdf
https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.9.pdf
https://downloads.bouncycastle.org/fips-java/BC-FJA-SecurityPolicy-1.0.2.pdf

I've tried to run Jenkins with BouncyCastleFipsProvider and found some 
blockers:

   - Use hardcode of JKS keystore (BouncyCastleFipsProvider use BCFKS)

https://github.com/search?l=Java&q=org%3Ajenkinsci+JKS&type=Code
Suggested solution:
Change
KeyStore.getInstance("JKS");
to
KeyStore.getInstance(KeyStore.getDefaultType());


   - Don't add BouncyCastleProvider in case 
   BouncyCastleFipsProvider already used, because BouncyCastleProvider 
   contains algorithms, that can't be used in FIPS mode.

https://github.com/search?p=2&q=org%3Ajenkinsci+BouncyCastleProvider&type=Code
It can be 2 solutions:
1. Check already used providers and don't add new if BouncyCastle(BC) or 
BouncyCastleFIPS(BCFIPS) already used.
Example:
if (Security.getProvider("BC") == null && Security.getProvider("BCFIPS")) {
    Security.addProvider(new 
org.bouncycastle.jce.provider.BouncyCastleProvider());
}
2. Add the flag for FIPS mode, which should be used in plugins
Example:
if (isFipsMode()) {
    Security.addProvider(new 
org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider());
} else {
Security.addProvider(new 
org.bouncycastle.jce.provider.BouncyCastleProvider()); 
}

What do you think about that change? What you can suggest?
I can do pull requests for projects used in my Jenkins installation and 
will be happy if someone will help with other projects.

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/c27a5acc-e75b-43b7-826a-1610e12d7565n%40googlegroups.com.

Reply via email to