aws / constructs

Define composable configuration models through code
Apache License 2.0

crypto.createHash('md5') fails in a FIPS-enabled environment #272

Closed gabe-l-hart closed 4 years ago

gabe-l-hart commented 4 years ago

Description

Our team is building an operator based on cdk8s and one of our deployment targets is a FIPS-enabled kubernetes cluster. When running cdk8s (and by proxy the constructs library), we encounter the following error when attempting to run a synth:

Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS

Root Cause

The root cause of this bug is this line where crypto.createHash('md5') is invoked. According to the internet, the md5 crypto hash algorithm is considered insecure by FIPS standards and is thus disabled in the underlying openssl libraries when the operating system is running in FIPS mode.

Repro

(In a FIPS-enabled cluster. Not sure how to easily reproduce this)

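const crypto = require('crypto');
// Sample value (constructed): `path` is taken to be an array of path components, as join('/') implies
const path = ['MyChart', 'MyDeployment'];
crypto.createHash('md5').update(path.join('/')).digest("hex");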

Proposed Solution

I believe that the point of the offending line is simply to compute a unique value for the given string path, so I think we can simply replace 'md5' with a FIPS-approved algorithm like sha1 or sha256. I've tested both and they both produce valid hash values.

Volunteering!

I'd be happy to try to fix this one and submit a PR

gabe-l-hart commented 4 years ago

Per discussion in the fix PR, it looks like a simple swap from md5 to sha1 isn't immediately acceptable because it will break users who are depending on the current names of the files. In the interim, my team will be using the following script to work around the issue in our python project:

#!/usr/bin/env bash

################################################################################
# This script is a workaround for a bug in the `constructs` library which
# causes the operator to fail to boot in a FIPS cluster. It is intended to be
# used during the build process inside the docker container to patch the
# version of the constructs javascript library that gets packaged along with
# the python package.
#
# https://github.com/aws/constructs/issues/272
################################################################################

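# Stop at the first failing command so a failed cd cannot leave the later
# tar/rm steps running in the wrong directory
set -euo pipefail

# Find the tarball for constructs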
cd /usr/local/lib/python3.6/site-packages
constructs_tar=$(find . -name "constructs*.tgz")

# Patch the constructs library tarball
tar_lib=$(dirname "$constructs_tar")
tar_name=$(basename "$constructs_tar")
cd "$tar_lib"
mkdir tmp
cd tmp
tar -xzvf "../$tar_name"
pushd package/lib/private/
sed -i'' 's/md5/sha1/g' uniqueid.js
popd
tar -czvf "$tar_name" package
mv "$tar_name" ..
cd ..
rm -rf tmp