feat: support "verify" with FIPS crypto backend#233
feat: support "verify" with FIPS crypto backend#233domodwyer wants to merge 1 commit intorusticata:masterfrom
Conversation
Allow verifying cryptographic signatures using the AWS-LC's FIPS crypto backend. This change allows this library to be used in FedRAMP / US Gov deployments, which have a hard requirement on using FIPS-approved crypto modules only. The "verify-aws-fips" feature flag is functionally identical to using "verify-aws", but it selects the FIPS backend in aws-lc-rs.
| #[cfg(any(feature = "verify", feature = "verify-aws"))] | ||
| #[cfg(any( | ||
| feature = "verify", | ||
| feature = "verify-aws", | ||
| feature = "verify-aws-fips" | ||
| ))] |
There was a problem hiding this comment.
This is basically all the source code changes in this PR: adding a new feature flag in the same place as verify-aws.
| default = [] | ||
| verify-aws = ["aws-lc-rs"] | ||
| verify-aws = ["aws-lc-rs/aws-lc-sys"] # Non-FIPS backend | ||
| verify-aws-fips = ["aws-lc-rs/fips"] # FIPS crypto backend |
There was a problem hiding this comment.
This is the new feature flag which switches on the fips feature of the aws-lc-rs crate.
It's either / or for the backends though, and the non-FIPS backend is enabled by default, so I've disabled the default features for aws-lc-rs and let the x509-parser feature flags enable the relevant crypto backend.
| test_fips: | ||
| name: verify-aws-fips dependency on FIPS backend only | ||
| needs: check-all-features | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Install stable toolchain | ||
| uses: dtolnay/rust-toolchain@stable | ||
| - run: "if cargo tree --features=verify-aws-fips -i aws-lc-sys; then false; else [ $? -eq 101 ]; fi" | ||
| - run: "cargo tree --features=verify-aws-fips -i aws-lc-fips-sys" | ||
|
|
There was a problem hiding this comment.
I figured it was a good idea to add a CI step to verify the FIPS backend is used when the fips flag is provided.
Specifically:
- The non-FIPS backend is not used (
aws-lc-sys) - The FIPS backend is used (
aws-lc-fips-sys)
|
Thanks for the PR (& self-review), I will try to review it soon but I'm supportive of the general direction.
FWIW you can ignore this failing CI job, it's being addressed in #223 |
|
Awesome! No rush. Thanks for the link - I see you're keeping support for a MSRV of 1.67.1 in the linked PR, but
Should I gate the CI checks agains the FIPS backend with |
I think this will ultimately come down to @chifflier's preference. IMHO I think an MSRV of 1.67 is too stale and many crates in the ecosystem with larger use have more aggressive MSRVs (e.g. Tokio at 1.71, aws-lc-rs at 1.70, rustls at 1.83). I would personally be in favour of taking an MSRV increase that was more in-line with those projects. 1.71 seems like an OK target and was a rust version released ~2 years ago. |
|
It's a shame there's no way of getting hold of rust version metadata for downloads from crates.io in order to make an informed decision - I agree it's quite a low MSRV and I doubt there's a meaningful fraction of users on <1.71 these days. I will leave it as-is for now, and make any changes after review / when there's a MSRV plan 👍 |
2 participants
Hi there! First off, thanks for this library and the careful thought put into the security aspects.
I'm working on a system that is deployed in FedRAMP environments, which requires FIPS certified crypto backends, and fortunately the
aws-lc-rscrate used byx509-parseris already supported! However it's configured to use the non-FIPS backend when enabling theverify-awsfeature today.This PR adds a new feature flag
verify-aws-fipsto go alongside the existingverify-awsfeature flag, enabling the FIPS-approved aws-lc-rs backend.There's no code changes, just feature flag toggling 👍
feat: support "verify" with FIPS crypto backend (8f355a0)