I'd imagine a global security configuration option in
bouncycastle-api-plugin to choose whether to use BC or BCFIPS could
work. If that's too late in the initialization process, then a system
property to allow overriding which BC provider to use may be more
appropriate.

I also have a concern about data migration for any encrypted stored
data if it needs to change algorithms, but that might not be a problem
depending on which AES modes are still allowed in FIPS. For that area,
there's the ConfidentialStore API in Jenkins core along with
hudson.util.Secret (which uses that store API), some encryption code
in the credentials plugin for certificate credentials support, and some
encryption code in the ssh-credentials plugin for supporting different key
formats (FIPS requires use of PKCS12 private keys, not the OpenSSH
format, so you may need to add support there if you're using SSH,
too).
> To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-dev/aa187189-bb31-43c4-9de9-d53b0f2442a2n%40googlegroups.com.