Provide some means of optionally using OpenSSL as backing cryptographic lib for FIPS applications

[josh-hemphill]

I'm not sure if FIPS certification has been addressed already, but looking at the available Go cryptographic libraries, it looks like there's OpenSSL wrappers that are api compatible with the native one. Providing some ability to swap the backing cryptographic code to OpenSSL could provide a pretty simple way for people who require FIPS certified libraries to still be able to smallstep and applications using the libs.

[maraino]

There's a couple of solutions for this:

1. Compile step-ca with Go's dev.boringcrypto branch, see README.boringcrypto.md, this branch is generally up-to-date with latest versions of Go and replaces crypto primitives with the ones using BoringSSL that is FIPS compliant, although officially they say this:

To be clear, we are not making any statements or representations about the suitability of this code in relation to 
the FIPS 140-2 standard. Interested users will have to evaluate for themselves whether the code is useful for their
own purposes.

For example, Rancher uses this image https://hub.docker.com/r/goboring/golang to build the "RKE Government" version of RKE2.

2. Redhat provides a FIPS version of Go that uses OpenSSL primitives, see the announcemt. RedHat RPM packages are generally a few versions behind, but you can find more updated versions in their repositories.

There's a great article explaining this in more detail

[josh-hemphill]

Will do. Thanks! :)

[maraino]

@josh-hemphill I've just compiled step-ca with goboring/golang:1.16.7b7, the latest image in docker hub, and step-ca compiles and runs fine. Do you know what Go versions are supported in RH FIPS?

[josh-hemphill]

Sorry, I don't have access to a licensed RHEL server at the moment to be able to find out.
If it's important, I could try asking some people who do.

[maraino]

Depending on the Go version that they support I can probably tell you if it will compile or not.

[mmalone]

FYI, you can get a RHEL-licensed server from AWS marketplace and pay by the hour. The process is pretty annoying (it's not as simple as launching a normal AMI) but I clicked around enough to get one spun up a couple weeks ago and it wasn't too terrible. I think GCP / Azure have similar products.

https://aws.amazon.com/marketplace/pp/prodview-ubouaa3jksbmc