Issue when enabling fips mode on the SDK #4965

Closed

vineet199 opened this issue Jul 14, 2023 · 6 comments
Labels
response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments


vineet199 commented Jul 14, 2023

Describe the bug

I am trying to use the aws-sdk in FIPS mode. However, some of the functions, such as the createHash function in the aws-sdk, are not FIPS compliant. These are the values set in my AWS config as well:

region=us-east-1
use_fips_endpoint=true

SDK version number

@aws-sdk/[email protected]

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

node v20.5.0

Reproduction Steps

const crypto = require("crypto"); // added: crypto is used below but was never required
const { SecretsManagerClient, GetSecretValueCommand } = require("@aws-sdk/client-secrets-manager");
const client = new SecretsManagerClient({ region: "us-east-1" });
try {
    crypto.setFips(true);
} catch (e) {
    console.error("Error when enabling fips", e);
}
const input = {
    SecretId: "<secret_id>"
};
const command = new GetSecretValueCommand(input);
// client.send() returns a promise; await it inside an async function
// (the original used `yield` outside of a generator, which is a syntax error)
(async () => {
    const response = await client.send(command);
    console.log(response);
})();

Observed Behavior

[PID : 43032 AT :13-07-2023 17:08:46.207] WARN: Unhandled rejection Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:69:19)
    at createHash (node:crypto:138:10)
    at Hash.reset (/Users/user/myproject/node_modules/@smithy/hash-node/dist-cjs/index.js:23:39)
    at new Hash (/Users/user/myproject/node_modules/@smithy/hash-node/dist-cjs/index.js:12:14)
    at getPayloadHash (/Users/user/myproject/node_modules/@smithy/signature-v4/dist-cjs/getPayloadHash.js:18:26)
    at SignatureV4.signRequest (/Users/user/myproject/node_modules/@smithy/signature-v4/dist-cjs/SignatureV4.js:116:71)
    at async /Users/user/myproject/node_modules/@aws-sdk/middleware-signing/dist-cjs/awsAuthMiddleware.js:16:18
    at async /Users/user/myproject/node_modules/@smithy/middleware-retry/dist-cjs/retryMiddleware.js:27:46
    at async /Users/user/myproject/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:7:26

Expected Behavior

When fips is disabled, the above code snippet works fine and retrieves the secret from the secret manager client successfully

Possible Solution

No response

Additional Information/Context

No response

@vineet199 vineet199 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 14, 2023
@yenfryherrerafeliz yenfryherrerafeliz self-assigned this Jul 17, 2023
@RanVaknin RanVaknin added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Jul 19, 2023
@yenfryherrerafeliz (Contributor)

Hi @vineet199, could you please confirm whether you have a FIPS build of Node.js?

I think this issue here could be related.

Thanks!

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 21, 2023
@yenfryherrerafeliz yenfryherrerafeliz added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jul 21, 2023
@github-actions

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jul 28, 2023
@vineet199 (Author)

Hi @yenfryherrerafeliz,

The application is compiled with Node.js v20.5.0, which has FIPS support.
When crypto.setFips(true) is called, we believe the application will only use cryptographic functions that are FIPS compliant.
However, if you check the observed behaviour, you can see that some middleware cryptographic function in the aws-sdk is using a function that is not FIPS compliant (the createHash function probably uses the md5 crypto algorithm, which is not FIPS compliant).
We are under the impression that setting the use_fips_endpoints flag in the SDK would enforce the usage of FIPS-compliant endpoints; we are not sure whether it enforces usage of FIPS-compliant crypto functions.

Thank you for your patience!

@github-actions github-actions bot removed closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Jul 29, 2023
@yenfryherrerafeliz (Contributor)

@vineet199, when "use_fips_endpoints" is set to true, it just makes the SDK send the requests to endpoints that are FIPS compliant. The SDK is actually not using MD5, but SHA-256. You can actually reproduce this at your end, without using the SDK, by doing the following:

import crypto, { createHash } from "crypto";
crypto.setFips(true);
const hash = createHash("sha256");

As you can see, we are just using a Node.js native cryptographic function to create a SHA-256 hash. So, do you know what the FIPS-compliant function that we should be using in this case would be?

Please let me know.

Thanks!

@yenfryherrerafeliz yenfryherrerafeliz added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed bug This issue is a bug. p2 This is a standard priority issue labels Sep 13, 2023
@vineet199 (Author)

Hi @yenfryherrerafeliz,

You are absolutely right. We were looking into it recently and found that the OpenSSL we were using required a FIPS compliance configuration step, which we had overlooked. After configuring and enabling FIPS mode in the installed OpenSSL library, the aws-sdk works as expected. This issue can be considered invalid.

Thank you for your efforts and support

@github-actions

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 28, 2023