fix: [Connectivity] Change (almost) all JKS usage to PKCS12#1185
Conversation
rpanackal
changed the title
| IOException | ||
| { | ||
| final List<Certificate> certs = new ArrayList<>(); | ||
| final CertificateFactory factory = CertificateFactory.getInstance("X509"); |
There was a problem hiding this comment.
(drive-by)
This is the standard notation to be used for X.509 certificates
CharlesDuboisSAP
left a comment
CharlesDuboisSAP
left a comment
There was a problem hiding this comment.
You should e2e test this, and there might already be an e2e test for this.
Successful run on branch |
| <modules> | ||
| <module>connectivity-fips-sample</module> | ||
| </modules> | ||
| </profile> |
There was a problem hiding this comment.
Isn't this useless if the module is added anyway line 45?
There was a problem hiding this comment.
thanks for catching this
CharlesDuboisSAP
left a comment
CharlesDuboisSAP
left a comment
There was a problem hiding this comment.
Could you add a JVM argument to run the connectivity-fips-sample and make sure it passes the FIPS check
I already have it in Or do you mean something else? If so, please clarify in detail. |
rpanackal
force-pushed
the
fips-keystore-change
branch
from
841b411 to
ee6633c
Compare
2 participants
Context
Helpful links:
To be FIPS, we need to change out of JKS usages in our SDK. JKS is a format by SUN, which used MD5 + some proprietary cipher (not FIPS approved).
We can therefore switch to PKCS12 is a fips compatible keystore type.
"PKCS12"works in standard JDK, BC FIPS JVM (non-approved), Red Hat FIPS OpenJDK and IBM JCEPlusFIPS.Even better, we dont harcode the type but invoke it as
KeyStore.getDefaultType()whose value can be overriden on jvm parameters.Technically, our choice only affects the internal memory representation and therefore shouldn't break anything for our user.
Feature scope:
Definition of Done
Error handling created / updated & covered by the tests aboveDocumentation updatedRelease notes updated