Create an example Dockerfile showing how to use golang-fips and build openssl in a fips-compliant manner #276

Open
wants to merge 1 commit into
base: main
@Nyefan Nyefan commented Feb 22, 2025

No description provided.

@spalatnik

I want to add that only the OpenSSL provider needs to be on the FIPS version 3.0.9. The OpenSSL module itself can be on the latest version that the provider supports.

@Nyefan
Author

Nyefan commented Mar 10, 2025

The current version of openssl in the APK registry is installed on line 88 and then configured to use the previously compiled fips provider.

@spalatnik

spalatnik commented Mar 10, 2025

Got it, I missed that. A question arises though from these instructions:
https://github.com/openssl/openssl/blob/master/README-FIPS.md


We use OpenSSL 3.1.0 here, (but you could also use the latest 3.0.X)

$ wget https://www.openssl.org/source/openssl-3.1.0.tar.gz
$ tar -xf openssl-3.1.0.tar.gz
$ cd openssl-3.1.0
$ ./Configure enable-fips
$ make

In this example, they build the latest module itself with fips flags enabled. They don't elaborate on why that is needed when the FIPS provider is already being used. I took it to mean it is necessary.

@Nyefan
Author

Nyefan commented Mar 10, 2025

I believe that would not be a valid 140-2 fips installation as only the fips-module from versions 3.0.8 and 3.0.9 are certified (see https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf). The enable-fips option causes make to install fips.so either in the local or library path, depending on flags that are passed (see line 10 of this PR), and this must come from the 3.0.8 or 3.0.9 version of openssl (at least until another version is certified).

@spalatnik

That is incorrect. The website clearly states that we can use a certified FIPS provider version, e.g. 3.0.9, with a higher module version:
https://openssl-library.org/source/

Please follow the Security Policy instructions to download, build and install a validated OpenSSL FIPS provider. Other OpenSSL Releases MAY use the validated FIPS provider, but MUST NOT build and use their own FIPS provider. For example you can build OpenSSL 3.4 and use the OpenSSL 3.0.9 FIPS provider with it.

@Nyefan
Author

Nyefan commented Mar 11, 2025

I'm not sure I understand the contention. In this PR, I download, build, and run the validated fips provider from version 3.0.9 and then use the latest version of openssl from the apk registry with the 3.0.9 fips module. That is in line with my reading of the security policy and it is the method used for at least one audited and accepted fedramp-moderate product.

@spalatnik

There is no contention, only a question from me, that's it. #276 (comment)

In this example, they build the latest module itself with fips flags enabled. They don't elaborate on why that is needed when the FIPS provider is already being used. I took it to mean it is necessary.

Basically, I'm asking if we need to build the module with enable-fips even if we are using a FIPS validated provider from another source. I don't know. I just wanted to point that out in case someone has more insight.

@Nyefan
Author

Nyefan commented Mar 11, 2025

Ah, I see. If you read the Configure script, enable-fips gets turned into the fips flag when generating the makefile, which just triggers the inclusion of the make install_fips command. Since we must use the 3.0.9 version of fips.so, I don't see any need to build it again either practically or in the associated security policy.
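
As an added example (not part of this thread or of the PR's Dockerfile): a check an image build could run to confirm the arrangement discussed above, a newer OpenSSL loading a validated FIPS provider. It parses `openssl list -providers` output; the two sample outputs are constructed, and the allowlist holds only the versions named in the thread.

```shell
#!/bin/sh
# Added example, not from the PR. Allowlist: the versions named in the thread.
VALIDATED_FIPS_VERSIONS="3.0.8 3.0.9"

# Constructed sample: newer OpenSSL (base provider 3.4.0) with the 3.0.9 fips.so.
SAMPLE_GOOD='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.4.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active'
# Constructed sample: FIPS provider built from the newer tree itself.
SAMPLE_BAD='Providers:
  fips
    name: OpenSSL FIPS Provider
    version: 3.4.0
    status: active'

# Read `openssl list -providers` text on stdin; print "<version> <status>" of
# the "fips" section, or nothing when no such provider is loaded.
fips_provider_info() {
    awk '
        /^  [^ ]/ { in_fips = ($1 == "fips") }   # 2-space indent = provider id
        in_fips && $1 == "version:" { ver = $2 }
        in_fips && $1 == "status:"  { st = $2 }
        END { if (ver != "") print ver, st }
    '
}

# Succeed only if the fips provider is active and its version is allowlisted.
check_fips_provider() {
    info=$(fips_provider_info)
    [ -n "$info" ] || { echo "FAIL: no fips provider loaded"; return 1; }
    ver=${info%% *}
    status=${info#* }
    [ "$status" = "active" ] || { echo "FAIL: fips provider is $status"; return 1; }
    case " $VALIDATED_FIPS_VERSIONS " in
        *" $ver "*) echo "OK: fips provider $ver"; return 0 ;;
    esac
    echo "FAIL: fips provider $ver is not a validated version"
    return 1
}

# In an image build: openssl list -providers | check_fips_provider
printf '%s\n' "$SAMPLE_GOOD" | check_fips_provider
printf '%s\n' "$SAMPLE_BAD" | check_fips_provider || true
```

A version match shows which provider is loaded; it does not show that the binary was built and installed as the security policy requires.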
