FIPS support - Githubissues

docusign / docusign-esign-java-client

The Official Docusign Java Client Library used to interact with the eSignature REST API. Send, sign, and approve documents using this client.

https://javadoc.io/doc/com.docusign/docusign-esign-java/latest/index.html

MIT License

104 stars 95 forks source link

FIPS support #162

Open yelabbas opened 3 years ago

yelabbas commented 3 years ago

Hi there,

We are using the "docusign-java-client" library to automate an eSignature process. However, at runtime we face an issue due to the fact that other dependencies we are using are using FIPS version of Bouncy Castle dependency. Can you please indicate if/how we can use FIPS Bouncy castle for this library as well? Thanks in advance. Youssef EL ABBASSI

LarryKlugerDS commented 3 years ago

You have some options:

You could rebuild the SDK yourself with the FIPS Bouncy Castle
You could isolate this SDK from the rest of your app.
You could call the API directly and not use this SDK. If you need JWT authentication, then you'd need to create the signed JWT yourself. DocuSign uses a standard JWT signed format.

We do not have a plan to support the FIPS Bouncy Castle library at this time.

larrywest commented 2 years ago

@LarryKlugerDS the primary difference seems to be only using BouncyCastleFipsProvider instead of BouncyCastleProvider ... and making both libraries <optional> dependencies, and deciding which based of the presence of BouncyCastleFipsProvider on the classpath (of course defaulting to the non-FIPS) wouldn't be a lot of code (or risk).

Is this something I should pursue contributing as a PR?

LarryKlugerDS commented 2 years ago

Hi Larry, I've passed on your issue to our SDK Product Manager. I appreciate your offer of a PR. Unfortunately, because the SDK is machine generated by the Swagger code generator, we usually can't use a PR directly.

Your proposed solution sounds good to me but I'm not a Java guy.

If you can get it working (FIPS and current BouncyCastle) and propose a PR that would certainly be helpful, but I don't know when/if it could be integrated. That depends on the product manager and the many competing projects for very few engineering resources.

larrywest commented 2 years ago

@LarryKlugerDS A big thank-you for the quick response - let me know if the product manager sees a possibility here.

(PS: I'm also a happy end-user.)

LarryKlugerDS commented 2 years ago

Hi @larrywest , I heard back from the prod mgr. Your request is on the roadmap to be investigated, but we don't have a schedule for it yet. If you have time to create PR (see my notes above), that would be helpful. /Larry

LarryKlugerDS commented 2 years ago

Internal DocuSign ticket DCM-7010. You can ask customer service to add your information to the request ticket.