FIPS (Federal Information Processing Standard) [1] is a standard created by the National Institute of Standards and Technology’s (NIST’s) Computer Security Division, FIPS established a data security and computer system standard that organizations must adhere to per the Federal Information Security Management Act of 2002 (FISMA).
When investigating the WSO2 products, it was identified that the Bouncy Castle JCE (Java Cryptographic Extension) provider which is not a FIPS compliant JCE provider is hard coded in most of the products and used as the crypto provider for various use cases. Apart from that, the BC is used as a third party dependency in few scenarios throughout WSO2 products such as certificate revocation (OCSP, CRL), Certificate generation and signing, etc.
As the first step of making the WSO2 products FIPS complaint it was decided to remove the hardcoded use cases of BC as a JCE provider and make it configurable through either a system property or a configuration.
Please find the created GIT internal for the feasibility check of FIPS compliance for more details.
The usages where the org.bouncycastle.jce.provider.BouncyCastleProvider is hardcoded should be configurable along with the "BC" string which is passed as the crypto provider for different usecases.
Problem
FIPS (Federal Information Processing Standard) [1] is a standard created by the National Institute of Standards and Technology’s (NIST’s) Computer Security Division, FIPS established a data security and computer system standard that organizations must adhere to per the Federal Information Security Management Act of 2002 (FISMA).
When investigating the WSO2 products, it was identified that the Bouncy Castle JCE (Java Cryptographic Extension) provider which is not a FIPS compliant JCE provider is hard coded in most of the products and used as the crypto provider for various use cases. Apart from that, the BC is used as a third party dependency in few scenarios throughout WSO2 products such as certificate revocation (OCSP, CRL), Certificate generation and signing, etc.
As the first step of making the WSO2 products FIPS complaint it was decided to remove the hardcoded use cases of BC as a JCE provider and make it configurable through either a system property or a configuration.
Please find the created GIT internal for the feasibility check of FIPS compliance for more details.
[1] https://csrc.nist.gov/publications/detail/fips/140/2/final [2] https://github.com/wso2-enterprise/wso2-apim-internal/issues/1252
Solution
The usages where the
org.bouncycastle.jce.provider.BouncyCastleProvider
is hardcoded should be configurable along with the "BC" string which is passed as the crypto provider for different usecases.Affected Component
APIM
Version
4.2.0 Alpha
Implementation
No response
Related Issues
No response
Suggested Labels
No response