Hi all, I want to add support of FIPS 140-2 to Jenkins Core and some plugins.
BouncyCastle Security provider used in Jenkins has FIPS version. https://downloads.bouncycastle.org/fips-java/BC-FJA-UserGuide-1.0.2.pdf https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.9.pdf https://downloads.bouncycastle.org/fips-java/BC-FJA-SecurityPolicy-1.0.2.pdf I've tried to run Jenkins with BouncyCastleFipsProvider and found some blockers: - Use hardcode of JKS keystore (BouncyCastleFipsProvider use BCFKS) https://github.com/search?l=Java&q=org%3Ajenkinsci+JKS&type=Code Suggested solution: Change KeyStore.getInstance("JKS"); to KeyStore.getInstance(KeyStore.getDefaultType()); - Don't add BouncyCastleProvider in case BouncyCastleFipsProvider already used, because BouncyCastleProvider contains algorithms, that can't be used in FIPS mode. https://github.com/search?p=2&q=org%3Ajenkinsci+BouncyCastleProvider&type=Code It can be 2 solutions: 1. Check already used providers and don't add new if BouncyCastle(BC) or BouncyCastleFIPS(BCFIPS) already used. Example: if (Security.getProvider("BC") == null && Security.getProvider("BCFIPS")) { Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); } 2. Add the flag for FIPS mode, which should be used in plugins Example: if (isFipsMode()) { Security.addProvider(new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider()); } else { Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()); } What do you think about that change? What you can suggest? I can do pull requests for projects used in my Jenkins installation and will be happy if someone will help with other projects. -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/c27a5acc-e75b-43b7-826a-1610e12d7565n%40googlegroups.com.
