Closed ber4444 closed 8 months ago
I commented on the linked bug. Let me know if there are more issues.
Thanks, can we have documentation about creating a FIPS build for Java?
Tink doesn't need any special instructions. You can call TinkFips.restrictToFips(); in your binary as a first thing to make Tink try to do its best to ensure FIPS compliance.
You need to have Conscrypt installed though, and it needs to be new enough and be built in FIPS-compliant mode. I don't know how that works. Tink tries to fail if Conscrypt isn't in the correct mode.
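A fail-closed startup check for the setup described in the two comments above, as an added example that is not part of the thread or of Tink's own code. It assumes the app bundles a FIPS build of Conscrypt (`org.conscrypt.Conscrypt`) and uses the stock `AES256_GCM` and `AES256_EAX` template names; the class and method names are hypothetical.

```java
import com.google.crypto.tink.Aead;
import com.google.crypto.tink.KeyTemplates;
import com.google.crypto.tink.KeysetHandle;
import com.google.crypto.tink.aead.AeadConfig;
import com.google.crypto.tink.config.TinkFips;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Security;
import java.util.Arrays;
import org.conscrypt.Conscrypt;

/** Hypothetical helper: refuse to start unless Tink is in FIPS-only mode. */
public final class FipsStartupCheck {

  /** Returns only if FIPS-only mode was accepted and an AES-GCM round trip works. */
  static void enableFipsOrFail() throws GeneralSecurityException {
    // Assumption: a FIPS build of Conscrypt is on the classpath; make it the top provider.
    Security.insertProviderAt(Conscrypt.newProvider(), 1);
    // Call this before any register() so nothing is registered outside FIPS-only mode.
    // Per the thread, Tink tries to fail here if Conscrypt is not in the correct mode.
    TinkFips.restrictToFips();
    if (!TinkFips.useOnlyFips()) {
      throw new GeneralSecurityException("Tink is not restricted to FIPS");
    }
    AeadConfig.register();
    Aead aead = KeysetHandle.generateNew(KeyTemplates.get("AES256_GCM")).getPrimitive(Aead.class);
    byte[] msg = "startup self-test".getBytes(StandardCharsets.UTF_8); // constructed sample
    byte[] aad = "ctx".getBytes(StandardCharsets.UTF_8);               // constructed sample
    if (!Arrays.equals(msg, aead.decrypt(aead.encrypt(msg, aad), aad))) {
      throw new GeneralSecurityException("AES-GCM round trip failed");
    }
  }

  /** True if AES-EAX is unavailable, as the AeadConfig line linked in the issue suggests. */
  static boolean eaxRejected() {
    try {
      KeysetHandle.generateNew(KeyTemplates.get("AES256_EAX"));
      return false; // EAX keys can still be created: the process is not FIPS-restricted
    } catch (GeneralSecurityException expected) {
      return true;
    }
  }

  public static void main(String[] args) throws GeneralSecurityException {
    enableFipsOrFail();
    System.out.println("FIPS-only: " + TinkFips.useOnlyFips() + ", EAX rejected: " + eaxRejected());
  }
}
```

Running it against a non-FIPS Conscrypt build is a useful negative test: the process should stop with a `GeneralSecurityException` rather than continue in a mixed mode.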
Help us help you
Tell us more about your Tink deployment.
Is your feature request related to a problem?
I am facing this issue using com.google.crypto.tink:tink-android:1.12.0 and I believe a FIPS compatible binary would resolve this. There are also other vulnerabilities like hardcoded crypto encryption in com.google.crypto.tink.subtle.AesEaxJce, which would be dead code and resolved with FIPS based on https://github.com/tink-crypto/tink-java/blob/e079e833f86e21cd619b93887954a5773991144b/src/main/java/com/google/crypto/tink/aead/AeadConfig.java#L140
What sort of feature would you like to see?
Describe your feature request. Or, how can we help solve the problem you noted above?
This page states FIPS is only supported for C++ but I see relevant code in the Java repo
Have you considered any alternative solutions?
Use Facebook Conceal
Would you like to add additional context?
Vulnerability reports from a DAST tool