Add FIPS support #828
Force-pushed from 6c6fac5 to 898a0de.

^ force pushes have been for CI. I split out fips integ testing to its own Makefile rule such that it can be skipped on the macOS platform, and I'm attempting a different approach for pulling in the NASM dep for Windows testing.
Force-pushed from c0d84d0 to 48babcd.

^ use

^ remove redundant
Add a 'fips' feature to tough crates to enable toggling fips enforcement on crate dependencies. Remove the prebuilt-nasm feature in favor of allowing downstream consumers to set this feature if needed; use setup-nasm in CI for Windows integ testing and split out integ testing fips to a new Makefile rule such that it can be skipped in macOS testing.
Signed-off-by: Gavin Inglis <giinglis@amazon.com>

^ rebase off of #826

When building the tuftool HTTP client, install the aws_lc_rs default CryptoProvider if none is set yet. This is to ensure that a CryptoProvider for rustls is set before proceeding with HTTP methods.
Signed-off-by: Gavin Inglis <giinglis@amazon.com>

^ force push moves

Moving out of draft; the steps I took to do some additional manual testing are in the overview of this PR

^ force push bumps

Bump reqwest to 0.12 as a prerequisite for FIPS support.

^ more fine-grained
Issue #, if available:

Description of changes:

- Add a `fips` feature to all crates in this project for toggling on/off `fips` features in dependent crates
- Install a `CryptoProvider` before constructing a `reqwest` HTTP client
- Bump `reqwest` to 0.12

This change is dependent on #826 (rustls upgrade included there: https://github.com/smithy-lang/smithy-rs/blob/37c1cc0b31fa85057bd294707bdc88d7bc91d627/rust-runtime/aws-smithy-experimental/Cargo.toml#L25-L26)

Testing

1. `make integ`
2. Use `tuftool` to pull down Bottlerocket TUF repos
3. Test `tuftool` against an NGINX server using FIPS, and non-FIPS, ciphers; ensure success/failure
   `$ cargo install --path tuftool --all-features`
4. Follow https://www.baeldung.com/openssl-self-signed-cert to add a self-signed cert for the HTTPS endpoint of the NGINX server.
5. `sudo trust anchor --store rootCA.crt` to add it to the local trust store.
6. Ensure failure to download the repo, since `TLS_CHACHA20_POLY1305_SHA256` is a non-FIPS ciphersuite:
7. Remove `ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;` and replace with `ssl_ciphers 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL';` (which is from the OpenSSL wiki on FIPS: https://wiki.openssl.org/index.php/FIPS_mode_and_TLS)
8. Rerun 6. and ensure success
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
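Added example, not part of this PR or the tough project: a POSIX sh check that reads an NGINX config, extracts the TLS 1.3 `ssl_conf_command Ciphersuites` directive from the manual test above, and reports any suite that is not FIPS-approved, so the fixture's cipher state can be verified before running `tuftool` against it. It assumes the FIPS-approved TLS 1.3 suites are the AES-GCM ones (TLS_AES_128_GCM_SHA256 and TLS_AES_256_GCM_SHA384); the two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the tough project: lint an NGINX config for the
# TLS 1.3 "ssl_conf_command Ciphersuites" directive and flag any suite that
# is not FIPS-approved. Assumption: the approved TLS 1.3 suites are the
# AES-GCM ones; TLS_CHACHA20_POLY1305_SHA256 is not, which is why the PR's
# manual test expects the download to fail against it.

# Read an NGINX config on stdin and print each configured TLS 1.3 suite,
# one per line ("Ciphersuites a:b:c;" -> a, b, c).
list_tls13_suites() {
    sed -n 's/^[[:space:]]*ssl_conf_command[[:space:]]\{1,\}Ciphersuites[[:space:]]\{1,\}\([^;]*\);.*/\1/p' \
        | tr ':' '\n' | sed '/^$/d'
}

# Read an NGINX config on stdin; return 0 if every TLS 1.3 suite is
# FIPS-approved, 1 otherwise, printing each offending suite.
check_fips_tls13() {
    status=0
    for suite in $(list_tls13_suites); do
        case "$suite" in
            TLS_AES_128_GCM_SHA256|TLS_AES_256_GCM_SHA384) ;;
            *) echo "non-FIPS TLS 1.3 suite: $suite"; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample configs mirroring the two states of the manual test.
NONFIPS_CONF='server {
    listen 443 ssl;
    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
}'

FIPS_CONF="server {
    listen 443 ssl;
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256;
    ssl_ciphers 'TLSv1.2+FIPS:kRSA+FIPS:!eNULL:!aNULL';
}"

# Usage: the first config is rejected, the second accepted.
printf '%s\n' "$NONFIPS_CONF" | check_fips_tls13 || echo "non-FIPS config rejected (expected)"
printf '%s\n' "$FIPS_CONF" | check_fips_tls13 && echo "FIPS config accepted (expected)"
```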