FIPS compliancy #23354

Open
pavolloffay opened this issue Aug 20, 2024 · 16 comments
Labels
Azure.Identity customer-reported Issues that are reported by GitHub users external to the Azure organization. feature-request This issue requires a new behavior in the product in order be resolved. issue-addressed Workflow: The Azure SDK team believes it to be addressed and ready to close.

Comments

@pavolloffay

Feature Request

Related to #21047

This library depends on x/crypto which does not have FIPS validated crypto algorithms:

./vendor/github.com/Azure/azure-sdk-for-go/sdk/azidentity/client_certificate_credential.go:19:	"golang.org/x/crypto/pkcs12"

Not FIPS compliant: pkcs12.ToPEM() performs a MAC check operation, for which it uses getSafeContents(), which calls verifyMac(), which calls pbkdf(), which is implemented in x/crypto, and thus not FIPS validated.

References:

Would you accept a patch to fix this?

@jhendrixMSFT
Member

What would be the replacement for the current crypto module?

@pavolloffay
Author

I don't know exactly. I am not sure if there is an alternative in the main crypto package. If not, could we add a build tag to use the implementation from OpenSSL?

@chlowell
Member

Only azidentity.ParseCertificates calls pkcs12.ToPEM (see here). This is a helper method for getting a cert and key to pass to NewClientCertificateCredential. That constructor takes the cert and key as types from the standard library's crypto module, so applications aren't required to call ParseCertificates. Is the pkcs12.ToPEM call a problem even if it's never executed?

@pavolloffay
Author

@chlowell I got this reply from our FIPS folks:

Not FIPS compliant: pkcs12.ToPEM() performs a MAC check operation, for which it uses getSafeContents(), which calls verifyMac(), which calls pbkdf(), which is implemented in x/crypto, and thus not FIPS validated.

@chlowell
Member

chlowell commented Sep 3, 2024

Sure, that makes sense. What I want to understand is whether this is a static analysis or a runtime problem. Our cert authentication implementation doesn't require applications to call pkcs12.ToPEM(), so we have a straightforward workaround if your application can comply by simply not calling that function. But if the fact that the module contains a line invoking pkcs12.ToPEM() makes your application noncompliant even if it never executes that line, that's a hard problem 😄

@pavolloffay
Author

This is supposed to be a runtime problem.

Are you saying that an app importing the Azure SDK will never invoke pkcs12.ToPEM() at runtime?

@chlowell
Member

> Are you saying that an app importing the Azure SDK will never invoke pkcs12.ToPEM() at runtime?

Yes. azidentity invokes pkcs12.ToPEM() only when you call azidentity.ParseCertificates with a PKCS#12 (PFX) cert. That function exists to help apps get the []*x509.Certificate and crypto.PrivateKey for azidentity.NewClientCertificateCredential but you don't have to use it, the constructor parameters are simple standard library types you can get however you like.

> This is supposed to be a runtime problem.

😅 Great! Then we have a couple of straightforward workarounds:

  • parse certs yourself i.e. don't call azidentity.ParseCertificates
  • use only PEM format for certs


@pavolloffay
Author

This is great, thanks :)

Would it be possible to deprecate->remove azidentity.ParseCertificates so that we get rid of x/crypto import entirely from this package?

@jhendrixMSFT
Member

jhendrixMSFT commented Sep 16, 2024

Removing it would be a breaking change and that bar is very high, so it's unlikely. In addition, others without FIPS requirements might find value in the helper.

@pavolloffay
Author

azidentity.ParseCertificates is also called from:

  • azidentity.NewEnvironmentCredential
  • azidentity.NewDefaultAzureCredential
  • azidentity.NewOnBehalfOfCredentialWithCertificate

@chlowell
Member

You're quite right, NewEnvironmentCredential and NewDefaultAzureCredential call ParseCertificates when AZURE_CLIENT_CERTIFICATE_PATH is set, because they must parse the specified file. "Parse certs yourself" is still the best guidance: when you need to authenticate with a cert, parse it in your own code and call a constructor that takes []*x509.Certificate and crypto.PrivateKey i.e., NewClientCertificateCredential or NewOnBehalfOfCredentialWithCertificate.
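The "parse certs yourself" workaround recommended in the two maintainer replies above, written out as an added example (editor's code, not part of this issue and not azidentity's own code). It assumes the certificate and key arrive as a PEM bundle with an unencrypted key, which is the shape the second workaround ("use only PEM format for certs") produces; the self-signed certificate it builds is constructed sample input, not a real credential, and the `azidentity.NewClientCertificateCredential` call is shown only in a comment because the SDK module is not imported here. Everything the parser touches is `crypto/x509` and `encoding/pem` from the standard library, so neither `azidentity.ParseCertificates` nor `golang.org/x/crypto/pkcs12` is on the execution path.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ParsePEMCredential is the "parse certs yourself" workaround using only the
// standard library: it reads a PEM bundle (certificates plus one unencrypted
// private key) and returns the types azidentity.NewClientCertificateCredential
// takes, so azidentity.ParseCertificates and x/crypto/pkcs12 are never reached.
func ParsePEMCredential(data []byte) ([]*x509.Certificate, crypto.PrivateKey, error) {
	var certs []*x509.Certificate
	var key crypto.PrivateKey
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		switch block.Type {
		case "CERTIFICATE":
			c, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, nil, fmt.Errorf("parse certificate: %w", err)
			}
			certs = append(certs, c)
		case "PRIVATE KEY", "EC PRIVATE KEY", "RSA PRIVATE KEY":
			if key != nil {
				return nil, nil, fmt.Errorf("bundle contains more than one private key")
			}
			var err error
			switch block.Type {
			case "PRIVATE KEY":
				key, err = x509.ParsePKCS8PrivateKey(block.Bytes)
			case "EC PRIVATE KEY":
				key, err = x509.ParseECPrivateKey(block.Bytes)
			default:
				key, err = x509.ParsePKCS1PrivateKey(block.Bytes)
			}
			if err != nil {
				return nil, nil, fmt.Errorf("parse private key: %w", err)
			}
		case "ENCRYPTED PRIVATE KEY":
			// Decrypting this needs a PBKDF (the x/crypto path being avoided); decrypt with validated tooling first.
			return nil, nil, fmt.Errorf("encrypted private keys are not supported here")
		}
	}
	if len(certs) == 0 || key == nil {
		return nil, nil, fmt.Errorf("need at least one CERTIFICATE and one private key block (convert PFX/PKCS#12 to PEM first)")
	}
	signer, ok := key.(crypto.Signer)
	if !ok {
		return nil, nil, fmt.Errorf("key type %T cannot sign", key)
	}
	pub, ok := certs[0].PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok || !pub.Equal(signer.Public()) {
		return nil, nil, fmt.Errorf("first certificate does not match the private key")
	}
	return certs, key, nil
}

// MakeTestBundle builds a throwaway self-signed ECDSA P-256 certificate and key
// in PEM form (constructed sample input, not a real credential), key block first
// so the parser is exercised on an unordered bundle.
func MakeTestBundle() []byte {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "fips-demo"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		panic(err)
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})...)
}

func main() {
	certs, key, err := ParsePEMCredential(MakeTestBundle())
	if err != nil {
		panic(err)
	}
	fmt.Printf("parsed %d cert(s), leaf CN=%q, key type %T\n", len(certs), certs[0].Subject.CommonName, key)
	// Next with the real SDK (assumed call, not run here): azidentity.NewClientCertificateCredential(tenantID, clientID, certs, key, nil)
}
```

Two design points worth noting. First, the parser refuses `ENCRYPTED PRIVATE KEY` blocks and raw PFX bytes outright rather than falling back to anything from x/crypto: a PFX must be converted to an unencrypted PEM by tooling that is itself in your validated boundary (for example `openssl pkcs12 -in cert.pfx -out cert.pem -nodes` against a FIPS-configured OpenSSL, an assumed invocation not taken from the issue). Second, it checks that the first certificate's public key actually belongs to the private key instead of trusting file order, since the constructor is handed `certs[0]` and `key` as a pair; a silently mismatched pair would only surface later as an authentication failure at the token endpoint.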
