search

wso2 / api-manager

All issues, tasks, improvements and new features of WSO2 API Manager
Apache License 2.0
34 stars 8 forks source link

Make the Crypto Provider configurable #1218

Closed HeshanSudarshana closed 1 year ago

HeshanSudarshana commented 1 year ago

Problem

FIPS (Federal Information Processing Standard) [1] is a standard created by the National Institute of Standards and Technology’s (NIST’s) Computer Security Division, FIPS established a data security and computer system standard that organizations must adhere to per the Federal Information Security Management Act of 2002 (FISMA).

When investigating the WSO2 products, it was identified that the Bouncy Castle JCE (Java Cryptographic Extension) provider which is not a FIPS compliant JCE provider is hard coded in most of the products and used as the crypto provider for various use cases. Apart from that, the BC is used as a third party dependency in few scenarios throughout WSO2 products such as certificate revocation (OCSP, CRL), Certificate generation and signing, etc.

As the first step of making the WSO2 products FIPS complaint it was decided to remove the hardcoded use cases of BC as a JCE provider and make it configurable through either a system property or a configuration.

Please find the created GIT internal for the feasibility check of FIPS compliance for more details.

[1] https://csrc.nist.gov/publications/detail/fips/140/2/final [2] https://github.com/wso2-enterprise/wso2-apim-internal/issues/1252

Solution

The usages where the org.bouncycastle.jce.provider.BouncyCastleProvider is hardcoded should be configurable along with the "BC" string which is passed as the crypto provider for different usecases.

Affected Component

APIM

Version

4.2.0 Alpha

Implementation

No response

Related Issues

No response

Suggested Labels

No response

HeshanSudarshana commented 1 year ago

Duplicate of https://github.com/wso2/api-manager/issues/1219