Jenkins Core and Plugins VS FIPS 140-2


Илья Гуляев

Feb 5, 2021, 8:41:11 AM
to Jenkins Developers
Hi all,
I want to add support for FIPS 140-2 to Jenkins Core and some plugins.

The BouncyCastle security provider used in Jenkins has a FIPS version.

I've tried to run Jenkins with BouncyCastleFipsProvider and found some blockers:
  • Hardcoded use of the JKS keystore (BouncyCastleFipsProvider uses BCFKS)
Suggested solution:
Change
    KeyStore.getInstance("JKS");
to
    KeyStore.getInstance(KeyStore.getDefaultType());

  • Don't add BouncyCastleProvider if BouncyCastleFipsProvider is already used, because BouncyCastleProvider contains algorithms that can't be used in FIPS mode.
There can be 2 solutions:
1. Check the already used providers and don't add a new one if BouncyCastle (BC) or BouncyCastleFIPS (BCFIPS) is already used.
Example:
    // Register the regular provider only when neither BC nor BCFIPS is present
    if (Security.getProvider("BC") == null && Security.getProvider("BCFIPS") == null) {
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    }
2. Add a flag for FIPS mode, which should be used in plugins
Example:
    if (isFipsMode()) {
        Security.addProvider(new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider());
    } else {
        Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
    }

What do you think about that change? What can you suggest?
I can do pull requests for the projects used in my Jenkins installation and will be happy if someone helps with other projects.

Matt Sicker

Feb 5, 2021, 10:38:11 AM
to jenkin...@googlegroups.com
I think it'll require a bit more patching than just that. What about
all the plugins and Jenkins core code that requests non-FIPS
algorithms? For example, MD5 is still used for some non-security
features, and I wouldn't expect that to be available in a
FIPS-compliant JCE provider.

On the other hand, I'd hope that their JSSE stuff for TLS connections
works fairly transparently which would at least cover the HTTPS and
some Remoting connections.



--
Matt Sicker
Senior Software Engineer, CloudBees

Илья Гуляев

Feb 5, 2021, 10:52:47 AM
to Jenkins Developers
I've done several PRs in Jenkins Core and Remoting:

Also, I've added a change to kubernetes-client, which is used in several plugins:

At least the following plugins should bump the version of kubernetes-client after the fix is released:

Now I need suggestions on how to exclude adding BouncyCastleProvider time.



Matt Sicker

Feb 5, 2021, 11:00:00 AM
to jenkin...@googlegroups.com
I'd imagine a global security configuration option in
bouncycastle-api-plugin to choose whether to use BC or BCFIPS could
work. If that's too late in the initialization process, then a system
property to allow overriding which BC provider to use may be more
appropriate.

I also have a concern about data migration for any encrypted stored
data if it needs to change algorithms, but that might not be a problem
depending on which AES modes are still allowed in FIPS. For that area,
there's the ConfidentialStore API in Jenkins core along with
hudson.util.Secret (which uses that store API), some encryption code
in credentials plugin for certificate credentials support, and some
encryption code in ssh-credentials plugin for supporting different key
formats (FIPS requires use of PKCS12 private keys, not the OpenSSH
format, so you may need to add support there if you're using SSH,
too).

Илья Гуляев

Feb 5, 2021, 11:02:45 AM
to Jenkins Developers
> I think it'll require a bit more patching than just that. What about
> all the plugins and Jenkins core code that requests non-FIPS
> algorithms? For example, MD5 is still used for some non-security
> features, and I wouldn't expect that to be available in a
> FIPS-compliant JCE provider.

As far as I know, MD5 can still be used for non-security features.
I'm sure that the issue is more complex than removing JKS and adding a security provider. But this is a prerequisite for FIPS support.
The suggested changes will allow running Jenkins with BouncyCastleFipsProvider and finding unapproved algorithms in Jenkins Core and plugins.
After that, maintainers can find other issues with FIPS and decide whether to support FIPS mode or not.


Thanks,
Ilya Gulyaev
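
A way to see which JCA requests the installed providers can serve, as an added example that is not part of the original thread and is not Jenkins code. The `REQUESTS` list is a constructed sample, and the class name `AlgorithmProbe` is hypothetical; the probe reports availability only and makes no statement about FIPS approval.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

public class AlgorithmProbe {
    // Constructed sample of "Service.Algorithm" requests; not taken from Jenkins sources.
    static final String[] REQUESTS = {
        "MessageDigest.MD5", "MessageDigest.SHA-256",
        "KeyStore.JKS", "KeyStore.PKCS12", "KeyStore.BCFKS",
        "KeyStore." + KeyStore.getDefaultType()
    };

    /** Maps each request to the first provider that serves it, or "UNAVAILABLE". */
    static Map<String, String> probe(String... requests) {
        Map<String, String> result = new LinkedHashMap<>();
        for (String request : requests) {
            // Security.getProviders(filter) returns null when no installed provider matches.
            Provider[] matches = Security.getProviders(request);
            result.put(request, matches == null ? "UNAVAILABLE" : matches[0].getName());
        }
        return result;
    }

    public static void main(String[] args) {
        System.out.println("Provider order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName());
        }
        // The value that KeyStore.getInstance(KeyStore.getDefaultType()) would request.
        System.out.println("keystore.type = " + KeyStore.getDefaultType());
        probe(REQUESTS).forEach((req, prov) -> System.out.printf("%-28s %s%n", req, prov));
    }
}
```

Running it once with the stock `java.security` file and once with the provider configuration under test shows which hardcoded requests would stop resolving.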


Илья Гуляев

Feb 5, 2021, 11:21:31 AM
to Jenkins Developers
> I'd imagine a global security configuration option in
> bouncycastle-api-plugin to choose whether to use BC or BCFIPS could
> work. If that's too late in the initialization process, then a system
> property to allow overriding which BC provider to use may be more
> appropriate.

You are right!
In my test Jenkins installation (with self-compiled changes in core and plugins), I've added BouncyCastleFipsProvider to the java.security file.
Maybe it would be better to disable adding BouncyCastleProvider if any of the Bouncy Castle providers (simple or FIPS) already exists?

Also, I've tested ConfidentialStore API in Jenkins with FIPS mode, and simple credentials like username:password and secret text work without any changes. This means that the used AES algorithm is approved for FIPS.
I'm not using SSH plugins, but they can be updated, too.
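
The two ideas raised in this thread (skip registration when a Bouncy Castle provider already exists, and choose the provider through a system property) combined in one helper, as an added example that is not code from Jenkins or bouncycastle-api-plugin. The property name `example.bouncycastle.mode` and the class name `BcProviderSelector` are hypothetical; the provider classes are loaded by reflection so the file compiles without either jar.

```java
import java.security.Provider;
import java.security.Security;

public class BcProviderSelector {
    // Hypothetical property name, invented for this example.
    static final String MODE_PROPERTY = "example.bouncycastle.mode";
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";
    static final String BCFIPS_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";

    /** Returns the name of the Bouncy Castle provider in effect, or null if none could be loaded. */
    static String ensureProvider() {
        boolean fips = "fips".equalsIgnoreCase(System.getProperty(MODE_PROPERTY, "bc"));
        // Respect a provider that is already registered, e.g. through the java.security file.
        if (Security.getProvider("BCFIPS") != null) {
            return "BCFIPS";
        }
        if (Security.getProvider("BC") != null) {
            if (fips) {
                throw new IllegalStateException("FIPS mode requested but BC is already registered");
            }
            return "BC";
        }
        String className = fips ? BCFIPS_CLASS : BC_CLASS;
        try {
            Provider p = (Provider) Class.forName(className).getDeclaredConstructor().newInstance();
            Security.addProvider(p);
            return p.getName();
        } catch (ReflectiveOperationException e) {
            if (fips) {
                // Fail closed: never fall back to the regular provider when FIPS was requested.
                throw new IllegalStateException(
                        "FIPS mode requested but " + className + " is not available", e);
            }
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("Bouncy Castle provider in effect: " + ensureProvider());
    }
}
```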