-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make certificate generation FIPS compliant #378
Conversation
Skipping CI for Draft Pull Request. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: weinimo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
38acf6e
to
34f694f
Compare
Golang's own, deprecated x509.EncryptPEMBlock function uses MD5, which is forbidden in FIPS mode. This change copies the problematic function and modifies it so that it uses SHA256 instead of MD5.
34f694f
to
6f070fe
Compare
6f070fe
to
9e9777c
Compare
This is inspired by [1] (Apache-2.0 license) [1]: https://github.com/smallstep/crypto
9e9777c
to
234d68f
Compare
/lgtm tested in non-FIPS env, no regression |
This uses PKCS#8 private key encryption now, which is FIPS compliant.
OSPRH-9709
OSPRH-6237