Hi all, I want to add support for FIPS 140-2 to Jenkins Core and some plugins.

The BouncyCastle security provider used in Jenkins has a FIPS version:
https://downloads.bouncycastle.org/fips-java/BC-FJA-UserGuide-1.0.2.pdf
https://downloads.bouncycastle.org/fips-java/BC-FJA-(D)TLSUserGuide-1.0.9.pdf
https://downloads.bouncycastle.org/fips-java/BC-FJA-SecurityPolicy-1.0.2.pdf

I've tried to run Jenkins with BouncyCastleFipsProvider and found some blockers:

- Hardcoded use of the JKS keystore (BouncyCastleFipsProvider uses BCFKS):
  https://github.com/search?l=Java&q=org%3Ajenkinsci+JKS&type=Code
  Suggested solution: change KeyStore.getInstance("JKS"); to KeyStore.getInstance(KeyStore.getDefaultType());

- Don't add BouncyCastleProvider in case BouncyCastleFipsProvider is already used, because BouncyCastleProvider contains algorithms that can't be used in FIPS mode.
  https://github.com/search?p=2&q=org%3Ajenkinsci+BouncyCastleProvider&type=Code
  There can be 2 solutions:

  1. Check the already used providers and don't add a new one if BouncyCastle (BC) or BouncyCastleFIPS (BCFIPS) is already used. Example:

     // both lookups must return null before the non-FIPS provider is registered
     if (Security.getProvider("BC") == null && Security.getProvider("BCFIPS") == null) {
         Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
     }

  2. Add a flag for FIPS mode, which should be used in plugins. Example:

     if (isFipsMode()) {
         Security.addProvider(new org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider());
     } else {
         Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider());
     }

What do you think about that change? What can you suggest?

I can do pull requests for the projects used in my Jenkins installation and will be happy if someone helps with the other projects.
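As an added illustration (example code written for this thread, not Jenkins or BouncyCastle code), the following helper combines the two suggestions above: it never hardcodes "JKS" and it registers at most one BouncyCastle provider, refusing to put the non-FIPS "BC" provider next to "BCFIPS". The provider classes are the ones named in the post and are loaded reflectively so the helper compiles with whichever single BouncyCastle JAR is on the classpath; the system property name `jenkins.fips.enabled` is an assumption, since the post asks for "a flag" without naming one.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.logging.Logger;

/**
 * Example helper (not Jenkins code) applying the two points from the post:
 *  1. ask the runtime for its default keystore type instead of hardcoding "JKS"
 *     (BCFKS when the BC-FJA security policy is in effect),
 *  2. register at most one BouncyCastle provider, and never the non-FIPS "BC"
 *     provider while "BCFIPS" is in use.
 */
public final class FipsAwareProviders {

    private static final Logger LOG = Logger.getLogger(FipsAwareProviders.class.getName());

    // Provider names as registered by the two BouncyCastle JARs.
    static final String BC_NAME = "BC";
    static final String BCFIPS_NAME = "BCFIPS";

    // Fully qualified class names from the post, loaded by name below so that
    // this class does not need both JARs at compile time.
    static final String BC_CLASS = "org.bouncycastle.jce.provider.BouncyCastleProvider";
    static final String BCFIPS_CLASS = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";

    // ASSUMPTION: hypothetical flag name; the post only asks for "a flag for FIPS mode".
    static final String FIPS_PROPERTY = "jenkins.fips.enabled";

    private FipsAwareProviders() {}

    /** FIPS mode is on when the flag is set or when BCFIPS is already registered. */
    public static boolean isFipsMode() {
        return Boolean.getBoolean(FIPS_PROPERTY) || Security.getProvider(BCFIPS_NAME) != null;
    }

    /**
     * Registers exactly one BouncyCastle provider: option 1 from the post (skip when
     * BC or BCFIPS is already present) combined with option 2 (choose by flag).
     * Returns the name of the BouncyCastle provider in effect afterwards.
     */
    public static synchronized String installBouncyCastle() {
        if (Security.getProvider(BCFIPS_NAME) != null) {
            // BCFIPS is already in use: never add BC, it exposes non-approved algorithms.
            if (Security.getProvider(BC_NAME) != null) {
                LOG.warning("Non-FIPS provider BC is registered alongside BCFIPS");
            }
            return BCFIPS_NAME;
        }
        if (Security.getProvider(BC_NAME) != null) {
            if (isFipsMode()) {
                throw new IllegalStateException(
                        "FIPS mode requested but the non-FIPS provider BC is already installed");
            }
            return BC_NAME;
        }
        boolean fips = isFipsMode();
        Security.addProvider(loadProvider(fips ? BCFIPS_CLASS : BC_CLASS));
        return fips ? BCFIPS_NAME : BC_NAME;
    }

    private static Provider loadProvider(String className) {
        try {
            return (Provider) Class.forName(className).getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("Provider class not on classpath: " + className, e);
        }
    }

    /** Replacement for KeyStore.getInstance("JKS"): honours the runtime default type. */
    public static KeyStore loadKeyStore(Path file, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Creates an empty keystore of the default type, e.g. before writing a fresh store. */
    public static KeyStore newKeyStore(char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, password); // null stream initialises an empty store
        return ks;
    }

    public static void main(String[] args) {
        System.out.println("FIPS mode: " + isFipsMode());
        System.out.println("Default keystore type: " + KeyStore.getDefaultType());
        System.out.println("BouncyCastle provider in effect: " + installBouncyCastle());
    }
}
```

One check worth making when adopting `KeyStore.getDefaultType()`: its value comes from the `keystore.type` entry in the JDK's `java.security` file, so it only becomes BCFKS if the FIPS security policy sets it there; on an unmodified JDK it stays at the platform default, and a store written as JKS will not load under BCFKS, which is why the existing hardcoded call sites need to be found and converted together rather than one at a time.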