I think it'll require a bit more patching than just that. What about all the plugins and Jenkins core code that requests non-FIPS algorithms? For example, MD5 is still used for some non-security features, and I wouldn't expect that to be available in a FIPS-compliant JCE provider.
On the other hand, I'd hope that their JSSE stuff for TLS connections works fairly transparently which would at least cover the HTTPS and some Remoting connections. On Fri, Feb 5, 2021 at 7:41 AM Илья Гуляев <[email protected]> wrote: > > Hi all, > I want to add support of FIPS 140-2 to Jenkins Core and some plugins. > > BouncyCastle Security provider used in Jenkins has FIPS version. > https://downloads.bouncycastle.org/fips-java/BC-FJA-UserGuide-1.0.2.pdf > https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.9.pdf > https://downloads.bouncycastle.org/fips-java/BC-FJA-SecurityPolicy-1.0.2.pdf > > I've tried to run Jenkins with BouncyCastleFipsProvider and found some > blockers: > > Use hardcode of JKS keystore (BouncyCastleFipsProvider use BCFKS) > > https://github.com/search?l=Java&q=org%3Ajenkinsci+JKS&type=Code > Suggested solution: > Change > KeyStore.getInstance("JKS"); > to > KeyStore.getInstance(KeyStore.getDefaultType()); > > Don't add BouncyCastleProvider in case BouncyCastleFipsProvider already used, > because BouncyCastleProvider contains algorithms, that can't be used in FIPS > mode. > > https://github.com/search?p=2&q=org%3Ajenkinsci+BouncyCastleProvider&type=Code > It can be 2 solutions: > 1. Check already used providers and don't add new if BouncyCastle(BC) or > BouncyCastleFIPS(BCFIPS) already used. > Example: > if (Security.getProvider("BC") == null && Security.getProvider("BCFIPS")) { > Security.addProvider(new > org.bouncycastle.jce.provider.BouncyCastleProvider()); > } > 2. Add the flag for FIPS mode, which should be used in plugins > Example: > if (isFipsMode()) { > Security.addProvider(new > org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider()); > } else { > Security.addProvider(new > org.bouncycastle.jce.provider.BouncyCastleProvider()); > } > > What do you think about that change? What you can suggest? > I can do pull requests for projects used in my Jenkins installation and will > be happy if someone will help with other projects. > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-dev/c27a5acc-e75b-43b7-826a-1610e12d7565n%40googlegroups.com. -- Matt Sicker Senior Software Engineer, CloudBees -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAEot4oz-f6BSRnHtgTu3WGdNCoAg7SkRUSX-H7UhPS%3Dgx65spQ%40mail.gmail.com.
