kurtbrose / pyjks

a pure python Java KeyStore file parser, including private key decryption
MIT License
130 stars, 35 forks

JCEKS Format does not work while FIPS is enabled #56

Closed m-ross-h closed 4 years ago

m-ross-h commented 4 years ago

I am running python version 2.7.5 on RHEL 7 with FIPS enabled. When trying to open a JCEKS format keystore, I run into this error:

ks = jks.KeyStore.load('keystore.jceks','password')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "build/bdist.linux-x86_64/egg/jks/util.py", line 92, in load
  File "build/bdist.linux-x86_64/egg/jks/jks.py", line 525, in loads
  File "build/bdist.linux-x86_64/egg/jks/jks.py", line 212, in decrypt
  File "build/bdist.linux-x86_64/egg/jks/sun_crypto.py", line 66, in jce_pbe_decrypt
  File "build/bdist.linux-x86_64/egg/jks/sun_crypto.py", line 95, in _jce_pbe_derive_key_and_iv
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

Through some quick googling, it looks like FIPS disables the use of MD5, which may be causing this error.

mahmoud commented 4 years ago

Hmm, sounds like, for better or for worse, FIPS is working as intended. By the law of transitive compliance, if md5 is incompatible with FIPS, then JCEKS isn't compatible with FIPS.
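A pre-flight check that makes the point in the two comments above concrete, written as an added example and not part of pyjks or this thread: it reads the four-byte magic that distinguishes JKS (0xFEEDFEED) from JCEKS (0xCECECECE), maps each format to the digests its key-protection scheme depends on (JCEKS key entries are protected with PBEWithMD5AndTripleDES, so MD5 is mandatory; JKS only needs SHA-1), and asks the OpenSSL backend via `hashlib` whether each digest is usable in the current process. Under FIPS mode `hashlib.new('md5')` raises the same `ValueError` seen in the traceback, so the check reports the problem before any decryption is attempted. The function names, the `FORMAT_REQUIREMENTS` table and the injectable `available` callback are assumptions of this example.

```python
import hashlib
import struct

# First four bytes of a Sun keystore file identify the container format.
JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE

# Digests each format's key-protection scheme relies on (assumption of this
# example, based on the JDK implementations: JKS uses a SHA-1 keystream for
# private keys, JCEKS derives keys with PBEWithMD5AndTripleDES).
FORMAT_REQUIREMENTS = {
    "jks": ("sha1",),
    "jceks": ("md5", "sha1"),
}


def detect_format(data):
    """Return 'jks', 'jceks' or None based on the leading magic number."""
    if len(data) < 4:
        return None
    (magic,) = struct.unpack(">I", data[:4])
    if magic == JKS_MAGIC:
        return "jks"
    if magic == JCEKS_MAGIC:
        return "jceks"
    return None


def digest_available(name):
    """True if the OpenSSL backend lets hashlib construct this digest.

    OpenSSL in FIPS mode reports a disabled algorithm as a ValueError, which
    is exactly the error the JCEKS decrypt path in the issue runs into.
    """
    try:
        hashlib.new(name)
        return True
    except ValueError:
        return False


def missing_digests(fmt, available=digest_available):
    """List the digests the format needs that this process cannot use."""
    return [d for d in FORMAT_REQUIREMENTS.get(fmt, ()) if not available(d)]


def preflight(data, available=digest_available):
    """Return (format, problems) for the given keystore bytes.

    `available` is injectable so the FIPS behaviour can be simulated on a
    host where MD5 is enabled.
    """
    fmt = detect_format(data)
    if fmt is None:
        return (None, ["unrecognised keystore magic"])
    return (fmt, missing_digests(fmt, available))


if __name__ == "__main__":
    # Constructed sample header: JCEKS magic followed by version 2.
    sample = b"\xce\xce\xce\xce\x00\x00\x00\x02"
    fips_like = lambda name: name != "md5"  # simulate an MD5-less backend
    print(preflight(sample))            # real environment
    print(preflight(sample, fips_like)) # ('jceks', ['md5'])
```

Running `preflight` on the real file before `jks.KeyStore.load` turns the opaque OpenSSL error into a format-level message; a non-empty problem list for a JCEKS store on a FIPS host means the store has to be converted to a format without MD5 in its protection scheme (with `keytool -importkeystore` on a non-FIPS machine, for example) rather than patched around.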

m-ross-h commented 4 years ago

Yup, was just researching JCEKS, didn't realize MD5 was baked into the implementation. Is adding support for PKCS12 format keystores feasible?

mahmoud commented 4 years ago

Hmm, I think we've briefly discussed this in the past and mostly landed on "the .p12 format is outside the scope of PyJKS", but always willing to hear proposals and merge PRs.