Type: Outcome
Resolution: Unresolved
Priority: Critical
Work Type: Product / Portfolio Work
Progress: 38% To Do, 13% In Progress, 50% Done
Outcome Overview
This feature addresses the FIPS 140 compliance challenges in OpenShift Container Platform arising from the use of golang.org/x/crypto. The primary objective is to thoroughly identify all instances of golang.org/x/crypto usage within OpenShift components, assess their FIPS compliance status, evaluate the associated security risks in a FIPS-enabled environment, and develop a comprehensive remediation plan. This plan will outline proposed technical approaches, including potential phased rollouts or documented risk acceptance measures, to ensure OpenShift's cryptographic operations align with FIPS 140 requirements. This feature is focused on the analysis and planning phases, not the execution of the remediation.
Success Criteria
- Inventory golang.org/x/crypto Usage:
- Code review: Implement or leverage tooling (e.g., static analysis, dependency scanning) to automatically identify all Go modules and packages within OpenShift's core components, first-party operators, and critical bundled services that import golang.org/x/crypto.
- Component Mapping: For each identified usage, map it back to the specific OpenShift component (e.g., kube-apiserver, oauth-proxy, specific operators) and the nature of its cryptographic usage.
- Risk Assessment:
- Impact Analysis: For each x/crypto usage that is not FIPS-compliant or not backed by a Red Hat validated module, analyze the potential impact on OpenShift's FIPS compliance posture, including data confidentiality, integrity, and regulatory auditability.
- Severity Rating: Assign a risk severity level (e.g., Critical, High, Medium, Low) based on the impact, likelihood of exploitation, and sensitivity of data or operations involved.
- Dependency Mapping: Understand if the non-compliant usage is a direct dependency or a transitive dependency, and the complexity of its removal or replacement.
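The inventory and dependency-mapping items above amount to one mechanical step: walk the dependency graph of each component and record every import edge into golang.org/x/crypto, noting whether the importer is first-party code (a direct dependency) or a third-party module (a transitive one). The program below is an added example, not tooling from this Outcome or from OpenShift; it consumes the JSON stream that `go list -json -deps ./...` prints and reports each edge. The sample input, module paths and package names in it are constructed for illustration. Note that an import-level scan only proves that x/crypto is linked into the binary; it does not tell you which code paths run in FIPS mode, so the result is an upper bound that still needs the per-component impact analysis described above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
	"strings"
)

// xcrypto is the module path whose importers we want to inventory.
const xcrypto = "golang.org/x/crypto"

// Package is the subset of `go list -json` fields the inventory needs.
type Package struct {
	ImportPath string   `json:"ImportPath"`
	Standard   bool     `json:"Standard"` // true for standard-library packages
	Imports    []string `json:"Imports"`
	Module     *Module  `json:"Module"`
}

// Module is the subset of the nested Module object from `go list -json`.
type Module struct {
	Path string `json:"Path"`
	Main bool   `json:"Main"` // true for the module being built, i.e. first-party code
}

// Usage is one import edge into golang.org/x/crypto.
type Usage struct {
	Importer string // package that imports x/crypto
	Target   string // the x/crypto package imported, e.g. golang.org/x/crypto/ssh
	Direct   bool   // importer lives in the main module, so this is a direct dependency
}

// isXCrypto reports whether p is golang.org/x/crypto or one of its sub-packages.
func isXCrypto(p string) bool {
	return p == xcrypto || strings.HasPrefix(p, xcrypto+"/")
}

// parsePackages decodes the stream of concatenated JSON objects that
// `go list -json -deps ./...` writes to stdout (one object per package).
func parsePackages(r io.Reader) ([]Package, error) {
	dec := json.NewDecoder(r)
	var pkgs []Package
	for {
		var p Package
		err := dec.Decode(&p)
		if err == io.EOF {
			return pkgs, nil
		}
		if err != nil {
			return nil, err
		}
		pkgs = append(pkgs, p)
	}
}

// findXCryptoUsage returns every import edge into x/crypto, skipping the
// standard library and x/crypto's own internal imports, sorted for stable output.
func findXCryptoUsage(pkgs []Package) []Usage {
	var out []Usage
	for _, p := range pkgs {
		if p.Standard || isXCrypto(p.ImportPath) {
			continue
		}
		for _, imp := range p.Imports {
			if isXCrypto(imp) {
				out = append(out, Usage{Importer: p.ImportPath, Target: imp,
					Direct: p.Module != nil && p.Module.Main})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Importer != out[j].Importer {
			return out[i].Importer < out[j].Importer
		}
		return out[i].Target < out[j].Target
	})
	return out
}

// sampleGoList is constructed input in the shape of `go list -json -deps` output;
// the module and package names are hypothetical, not real OpenShift components.
const sampleGoList = `
{"ImportPath": "example.com/operator/cmd", "Imports": ["example.com/operator/pkg/tunnel", "fmt"], "Module": {"Path": "example.com/operator", "Main": true}}
{"ImportPath": "example.com/operator/pkg/tunnel", "Imports": ["crypto/tls", "golang.org/x/crypto/ssh"], "Module": {"Path": "example.com/operator", "Main": true}}
{"ImportPath": "github.com/thirdparty/auth", "Imports": ["golang.org/x/crypto/bcrypt"], "Module": {"Path": "github.com/thirdparty/auth", "Main": false}}
{"ImportPath": "golang.org/x/crypto/ssh", "Imports": ["golang.org/x/crypto/curve25519", "crypto/rand"], "Module": {"Path": "golang.org/x/crypto", "Main": false}}
{"ImportPath": "crypto/tls", "Standard": true, "Imports": ["crypto/rand"]}
`

func main() {
	var r io.Reader = strings.NewReader(sampleGoList)
	if len(os.Args) > 1 && os.Args[1] == "-" {
		r = os.Stdin // pipe real `go list -json -deps ./...` output in
	}
	pkgs, err := parsePackages(r)
	if err != nil {
		fmt.Fprintln(os.Stderr, "parse:", err)
		os.Exit(1)
	}
	for _, u := range findXCryptoUsage(pkgs) {
		kind := "transitive"
		if u.Direct {
			kind = "direct"
		}
		fmt.Printf("%-10s %s -> %s\n", kind, u.Importer, u.Target)
	}
}
```

Run it against a real component with `go list -json -deps ./... | go run ./inventory.go -` from the component's module root; direct edges point at code the component team can change, while transitive edges identify the third-party module that has to be upgraded, replaced or risk-accepted. On the constructed sample it reports one direct edge (the operator's tunnel package importing x/crypto/ssh) and one transitive edge (the third-party auth module importing x/crypto/bcrypt).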
Expected Results (what, how, when)
- Propose concrete technical strategies for addressing each identified FIPS compliance gap. These may include:
- Migrating to Red Hat validated cryptographic libraries (e.g., through RHEL's Go toolchain that uses OpenSSL).
- Updating Go versions to leverage native FIPS 140-3 support when available, ensuring it meets Red Hat's certification standards.
- Identifying and evaluating alternative Go cryptographic modules or implementations.
- Proposing patches or modifications to golang.org/x/crypto usage patterns to conform to FIPS guidelines (if feasible and within Red Hat's FIPS module scope).
- Phased Rollout Suggestions: Outline potential phased approaches for remediation, considering complexity, impact, and dependencies across OpenShift components.
Post Completion Review – Actual Results
A new Outcome will deal with the actual remediation, so this 2+-year-old Outcome can be closed.
The results are a clear understanding of OCP x/crypto usage and a prioritization of the major issues to be remediated.
Issue links
- relates to: CMP-2448 As the check_payload tool, I want to detect supported base images (Closed)
- relates to: OCPSTRAT-327 MicroShift FIPS compliance (Closed)
- relates to: OCPSTRAT-1315 Align the filtering option for FIPS to "Designed for FIPS" (Closed)
- links to