Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GEMSTASH-194 Support for FIPS Mode #195

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

ayohrling
Copy link

This updates the digest usage from MD5 to SHA256 to support hosts that are
configured in FIPS mode.

Fixes #194

This updates the digest usage from MD5 to SHA256 to support hosts that are
configured in FIPS mode.
@olleolleolle
Copy link
Member

If I understand this correctly, this change modifies the directory names for Storage's "Resources" (aka uploaded things).

That would be a breaking change, right?

@ayohrling
Copy link
Author

Yes, it changes the hashing mechanism used in the storage structure to a FIPS-compliant cipher. It will break any cached resources from older versions. Upgraded systems would need to re-cache. A conversion really wouldn't be possible, because we'd be guessing at rolling back from safe_name to name with regards to casing.

@bronzdoc
Copy link
Member

Maybe add this as a flag at the moment and make it the default in a major version.

@olleolleolle
Copy link
Member

To suggest a flag name, I read a bit about the "FIPS mode" concept.

I like the MS registry key name best: FipsAlgorithmPolicy.

It describes what we do to Gemstash when this new option is set. We choose crypto in FIPS-compliant ways.

As an option name --use-fips-algorithm-policy (default: false).

What are some better flag names?

@bronzdoc
Copy link
Member

@olleolleolle what about --fips and have what it does in the description?

@olleolleolle
Copy link
Member

I added a PR on top of the @ayohrling one.

@benklop benklop mentioned this pull request Mar 18, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants