  1. OpenShift Installer
  2. CORS-3977

Analyze x/crypto use in openshift-install


    • Installer x/crypto
    • Product / Portfolio Work
    • 0% To Do, 0% In Progress, 100% Done

      Feature Overview

      During the FIPS usage analysis of OCP and OCP layered products (rhel-els then ubi usage guidance, see here), we also uncovered the use of x/crypto in Go-based development. x/crypto can be part of Red Hat code, or pulled as a dependency to Red Hat code.

      x/crypto covers various cryptographic modules, most of which are unsuitable in a FIPS context (i.e., they are not FIPS-approved cryptographic modules, and are NOT FIPS validated).

      The current ask is to identify the use of x/crypto in Red Hat code or dependencies. Although this request was initiated in a FIPS context, having a clear cryptography inventory will come in very handy when Post-Quantum Cryptography is introduced (second half of 2025 or 2026).

      Goals

      You identify the use of x/crypto in your code and classify each use according to its category (suitable, to investigate, not suitable), as documented in the following document: https://docs.google.com/document/d/1uEV5rhmuwwVgrRfgXIEf9dNQLSiK78t1P8-h8aKpjhU/edit?tab=t.0#heading=h.h64v2bfmtnn7 .

      The current ask is to inventory and consider how running in FIPS mode would require you to change non-FIPS approved algorithms to at least an x/crypto or golang main crypto module FIPS level algorithm. There is no need to initiate changes now.

      Why: because changes are ongoing with the main go1/crypto module, and (some of the) FIPS-level algorithms in x/crypto might move to the core crypto module, whose upstream version will undergo FIPS validation testing. Until we have clarity on this ongoing work (hopefully by the end of Q1 2025), steps to remediate would be premature.

      Knowing we have a problem is the first step to remediation. Please do that first step. Layered product teams must create a Jira in their respective Jira projects and link it (“blocks”) to this card.

      Requirements

      You have a Jira card in your Project to track this work and it is linked to this card (blocks this card).

      You have documented a list of all x/crypto algorithms that you use, and have classified them & clarified the use of the ones that require further investigation. Optionally, cryptographic algorithms your code carries but does not use can be listed.
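      One way to produce the raw inventory, as an added example that is not part of the original card or of the installer's code: it reads the JSON stream printed by `go list -deps -json ./...` and lists every `golang.org/x/crypto` package imported, by which package, and whether that importer is your own module or a dependency. The `example.com` names and the sample input are constructed; classifying each hit still has to follow the categories in the linked document.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

const xcrypto = "golang.org/x/crypto/"
// Constructed sample of `go list -deps -json ./...` output; all example.com names are hypothetical.
const sample = `{"ImportPath":"crypto/sha256","Imports":["hash"]}
{"ImportPath":"golang.org/x/crypto/ssh","Imports":["golang.org/x/crypto/chacha20"],"Module":{"Path":"golang.org/x/crypto"}}
{"ImportPath":"example.com/dep/auth","Imports":["golang.org/x/crypto/bcrypt"],"Module":{"Path":"example.com/dep"}}
{"ImportPath":"example.com/installer/pkg/sshkey","Imports":["fmt","golang.org/x/crypto/ssh"],"Module":{"Path":"example.com/installer","Main":true}}`

type pkg struct { // the `go list -json` fields the inventory needs
	ImportPath string
	Imports    []string
	Module     *struct{ Main bool } // absent for the standard library
}

// Use is one import of an x/crypto package; OwnCode means the importer is in the main module.
type Use struct {
	XPkg, Importer string
	OwnCode        bool
}

// Inventory reads the JSON stream and returns each x/crypto import made from outside x/crypto.
func Inventory(r io.Reader) ([]Use, error) {
	var uses []Use
	for dec := json.NewDecoder(r); dec.More(); {
		var p pkg
		if err := dec.Decode(&p); err != nil {
			return nil, err
		}
		for _, imp := range p.Imports {
			if strings.HasPrefix(imp, xcrypto) && !strings.HasPrefix(p.ImportPath, xcrypto) {
				uses = append(uses, Use{imp, p.ImportPath, p.Module != nil && p.Module.Main})
			}
		}
	}
	return uses, nil
}

func main() { // pass os.Stdin instead of the sample to process real `go list` output
	uses, err := Inventory(strings.NewReader(sample))
	fmt.Printf("%+v %v\n", uses, err)
}
```

      Imports between x/crypto packages themselves are skipped, so the list shows only the entry points through which your code or a dependency reaches x/crypto.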

       

              padillon Patrick Dillon