6

I have a client who wants our application to use FIPS 140-2 validated cryptography. The app uses OkHttp and makes some HTTPS requests. AFAIK Android uses the OpenSSL C library and the Java wrapper javax/net/ssl.

Questions:

  1. How do I make an Android application FIPS 140-2 compliant?

  2. Shouldn't Android at the stack (OS) level use a FIPS-compliant OpenSSL, so that all apps are FIPS 140-2 compliant by default?

  3. Or should our app use FIPS 140-2 validated cryptography and make Java's javax/net/ssl use it? Is that feasible?

  4. Is there a FIPS 140-2 JCE library that can be plugged into OkHttp?

Thanks

jww
NitZRobotKoder
  • 1
    Android uses Google's own BoringSSL instead of OpenSSL, starting from Marshmallow, and they generally disable all FIPS flags, because they make OpenSSL less secure by delaying bugfixes. So you will need to compile OpenSSL yourself, and include it into your app. – pelya Jul 13 '16 at 14:00
  • @pelya Have you tried OpenSSL and made javax/net/ssl use the same? Any example? – NitZRobotKoder Jul 15 '16 at 06:26
  • What level of security (as defined by FIPS 140-2) do you require in your app? – Pravin Divraniya Jul 17 '16 at 12:37
  • @PravinDivraniya Basically, the TLS/SSL crypto library needs to be approved by FIPS by certifying it. https://www.wolfssl.com/wolfSSL/fips.html – NitZRobotKoder Jul 19 '16 at 09:24

1 Answer

-1

Modified OkHttp and Okio code to use the wolfSSL Java wrappers and made it work.

Now any HTTPS requests made will go to the wolfSSL layer instead of the stock Android BoringSSL/OpenSSL.

NitZRobotKoder
  • 1
    Maybe it would have been to dupe your question to your other question, if answer is the same http://stackoverflow.com/a/43184135/5292302 – Petter Friberg Apr 03 '17 at 12:10
  • 2
    This answer is just barely above useless. If you are going to have it as an answer, then *show* what changes were needed, don't just tell people that some unspecified modifications were needed. We could give that answer to **any** debugging question. "You have to make some changes, then it works." Is not an answer. – Makyen Apr 03 '17 at 21:49
  • 1
    Could you please provide more context around what you actually did here to make this work? As mentioned above, this answer doesn't provide much value to readers – Smalls Jun 27 '18 at 14:59
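
An added example, not the answerer's code and not taken from OkHttp or wolfSSL: one way to route OkHttp's TLS through a specific JSSE provider (questions 3 and 4 above) using only standard `javax.net.ssl` calls and OkHttp 3's `sslSocketFactory(SSLSocketFactory, X509TrustManager)` builder method, without patching OkHttp. The class name `ProviderPinnedClient` and the `providerName` parameter are hypothetical; the code assumes the validated module ships a JSSE provider that the app has already registered with `Security.addProvider`.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

public final class ProviderPinnedClient {
    private ProviderPinnedClient() {}

    /**
     * Builds an OkHttpClient whose TLS sockets come from the named JSSE provider.
     * providerName is an assumption: the name under which the validated module's
     * JSSE provider was registered with java.security.Security.
     */
    public static OkHttpClient build(String providerName) throws Exception {
        Provider provider = Security.getProvider(providerName);
        if (provider == null) {
            // Fail closed: never fall back silently to the platform's default TLS stack.
            throw new IllegalStateException("JSSE provider not registered: " + providerName);
        }

        // Trust anchors come from the platform trust store (null KeyStore).
        // Note: this TrustManagerFactory is the platform default, so chain validation
        // may run outside the validated module; request it from the same provider
        // instead if that provider offers a TrustManagerFactory.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager trustManager = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                trustManager = (X509TrustManager) tm;
                break;
            }
        }
        if (trustManager == null) {
            throw new IllegalStateException("No X509TrustManager available");
        }

        // Ask for the TLS context from this provider only, not from the default lookup order.
        SSLContext context = SSLContext.getInstance("TLS", provider);
        context.init(null, new TrustManager[] {trustManager}, null);

        return new OkHttpClient.Builder()
                .sslSocketFactory(context.getSocketFactory(), trustManager)
                .build();
    }
}
```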