> I'd imagine a global security configuration option in
> bouncycastle-api-plugin to choose whether to use BC or BCFIPS could
> work. If that's too late in the initialization process, then a system
> property to allow overriding which BC provider to use may be more
> appropriate.

You are right!
In my test Jenkins installation (with self-compiled changes in core and 
plugins), I've added BouncyCastleFipsProvider to* java.security *file.
Maybe it will be better to disable adding BouncyCastleProvider in case if 
any of Bouncy Castle providers (simple or FIPS) already exists?

Also, I've tested ConfidentialStore API in Jenkins with FIPS mode, and 
simple credentials like *username:password* and *secret text* work without 
any changes. This means that the used AES algorithm is approved for FIPS.
I'm not using SSH plugins, but they can be updated, too.
пятница, 5 февраля 2021 г. в 19:00:00 UTC+3, [email protected]: 

> I'd imagine a global security configuration option in
> bouncycastle-api-plugin to choose whether to use BC or BCFIPS could
> work. If that's too late in the initialization process, then a system
> property to allow overriding which BC provider to use may be more
> appropriate.
>
> I also have a concern about data migration for any encrypted stored
> data if it needs to change algorithms, but that might not be a problem
> depending on which AES modes are still allowed in FIPS. For that area,
> there's the ConfidentialStore API in Jenkins core along with
> hudson.util.Secret (which uses that store API), some encryption code
> in credentials plugin for certificate credentials support, and some
> encryption code in ssh-credentials plugin for supporting different key
> formats (FIPS requires use of PKCS12 private keys, not the OpenSSH
> format, so you may need to add support there if you're using SSH,
> too).
>
> On Fri, Feb 5, 2021 at 9:52 AM Илья Гуляев <[email protected]> wrote:
> >
> > I've done several PR in Jenkins Core and Remoting:
> > https://github.com/jenkinsci/jenkins/pull/5266
> > https://github.com/jenkinsci/remoting/pull/435
> >
> > Also, I've added change to kubernetes-client used in several plugins:
> > https://github.com/fabric8io/kubernetes-client/pull/2788
> >
> > At least the following plugins should bump the version of 
> kubernetes-client after the fix will be released:
> > https://github.com/jenkinsci/kubernetes-client-api-plugin
> > https://github.com/jenkinsci/kubernetes-plugin
> >
> > Now I need suggestions on how to exclude adding BouncyCastleProvider 
> time.
> > 
> https://github.com/jenkinsci/bouncycastle-api-plugin/blob/master/src/main/java/jenkins/bouncycastle/api/InstallBouncyCastleJCAProvider.java
> > 
> https://github.com/jenkinsci/bouncycastle-api-plugin/blob/master/src/main/java/jenkins/bouncycastle/api/SecurityProviderInitializer.java
> >
> >
> > пятница, 5 февраля 2021 г. в 18:38:11 UTC+3, [email protected]:
> >>
> >> I think it'll require a bit more patching than just that. What about
> >> all the plugins and Jenkins core code that requests non-FIPS
> >> algorithms? For example, MD5 is still used for some non-security
> >> features, and I wouldn't expect that to be available in a
> >> FIPS-compliant JCE provider.
> >>
> >> On the other hand, I'd hope that their JSSE stuff for TLS connections
> >> works fairly transparently which would at least cover the HTTPS and
> >> some Remoting connections.
> >>
> >> On Fri, Feb 5, 2021 at 7:41 AM Илья Гуляев <[email protected]> wrote:
> >> >
> >> > Hi all,
> >> > I want to add support of FIPS 140-2 to Jenkins Core and some plugins.
> >> >
> >> > BouncyCastle Security provider used in Jenkins has FIPS version.
> >> > 
> https://downloads.bouncycastle.org/fips-java/BC-FJA-UserGuide-1.0.2.pdf
> >> > 
> https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.9.pdf
> >> > 
> https://downloads.bouncycastle.org/fips-java/BC-FJA-SecurityPolicy-1.0.2.pdf
> >> >
> >> > I've tried to run Jenkins with BouncyCastleFipsProvider and found 
> some blockers:
> >> >
> >> > Use hardcode of JKS keystore (BouncyCastleFipsProvider use BCFKS)
> >> >
> >> > https://github.com/search?l=Java&q=org%3Ajenkinsci+JKS&type=Code
> >> > Suggested solution:
> >> > Change
> >> > KeyStore.getInstance("JKS");
> >> > to
> >> > KeyStore.getInstance(KeyStore.getDefaultType());
> >> >
> >> > Don't add BouncyCastleProvider in case BouncyCastleFipsProvider 
> already used, because BouncyCastleProvider contains algorithms, that can't 
> be used in FIPS mode.
> >> >
> >> > 
> https://github.com/search?p=2&q=org%3Ajenkinsci+BouncyCastleProvider&type=Code
> >> > It can be 2 solutions:
> >> > 1. Check already used providers and don't add new if BouncyCastle(BC) 
> or BouncyCastleFIPS(BCFIPS) already used.
> >> > Example:
> >> > if (Security.getProvider("BC") == null && 
> Security.getProvider("BCFIPS")) {
> >> > Security.addProvider(new 
> org.bouncycastle.jce.provider.BouncyCastleProvider());
> >> > }
> >> > 2. Add the flag for FIPS mode, which should be used in plugins
> >> > Example:
> >> > if (isFipsMode()) {
> >> > Security.addProvider(new 
> org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider());
> >> > } else {
> >> > Security.addProvider(new 
> org.bouncycastle.jce.provider.BouncyCastleProvider());
> >> > }
> >> >
> >> > What do you think about that change? What you can suggest?
> >> > I can do pull requests for projects used in my Jenkins installation 
> and will be happy if someone will help with other projects.
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google 
> Groups "Jenkins Developers" group.
> >> > To unsubscribe from this group and stop receiving emails from it, 
> send an email to [email protected].
> >> > To view this discussion on the web visit 
> https://groups.google.com/d/msgid/jenkinsci-dev/c27a5acc-e75b-43b7-826a-1610e12d7565n%40googlegroups.com
> .
> >>
> >>
> >>
> >> --
> >> Matt Sicker
> >> Senior Software Engineer, CloudBees
> >
> > --
> > You received this message because you are subscribed to the Google 
> Groups "Jenkins Developers" group.
> > To unsubscribe from this group and stop receiving emails from it, send 
> an email to [email protected].
> > To view this discussion on the web visit 
> https://groups.google.com/d/msgid/jenkinsci-dev/aa187189-bb31-43c4-9de9-d53b0f2442a2n%40googlegroups.com
> .
>
>
>
> -- 
> Matt Sicker
> Senior Software Engineer, CloudBees
>

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/cfcd1005-b451-4cf0-8e64-1c0126d22a7an%40googlegroups.com.

Reply via email to