
How to meet FIPS 140-2 by building source code for Android L


We are working on an Android L application that is intended to use FIPS 140-2 validated cryptography.

To my knowledge, Android has a FIPS library, but it is not validated yet. (After compiling, there are libssl.so and libcrypto.so in out/system/lib/)

How do I configure envsetup.sh, the makefile, or the source files to produce a libssl.so and libcrypto.so that meet the FIPS 140-2 requirement?

Thanks.


Solution

  • How to meet FIPS 140-2 by building source code for Android L

    Android L is an Operational Environment (OE) in FIPS terminology. Looking at the OpenSSL FIPS 2.0 Security Policy, Table 2, pp. 10-12, the OE has not been validated under Certificate 1747. So the short answer is, You Can't.

    The longer answer is, You can contact the OpenSSL Foundation, and maybe get a change letter or private label validation. It may build upon the short answer of You Can't by turning it into a You Can by using Certificate 1747 as a starting point and then satisfying additional bureaucracy requirements.


    The really long answer is, You Can't because the CMVP recently changed some rules. The CMVP wanted the rule change to apply retroactively to existing - already approved - validations. If OpenSSL did not agree, then the CMVP would not approve future change letters and private validations based upon Certificate 1747.

    OpenSSL did not agree because it applied retroactively to existing validations (effectively, it unvalidated existing validations), and it was not fair to the folks who funded those validations. The CMVP responded by withdrawing a number of previous validations under the 1747 certificate.

    If you have been following these events, this is the core of the FIPS 140-2 "Hostage" Issue. I'm told a major news outlet with investigative reporting is getting ready to publish an article about the CMVP's actions, and how it's harmed open source software, internet users and US Federal Agencies. It should be along the lines of The U.S. Government: Paying to Undermine Internet Security, Not to Fix It article.


    Two related resources if you have an approved Operational Environment are FIPS Library and Android and OpenSSL and Android. OpenSSL provides them through its wiki.


    If you need more information or guidance on how to proceed, then contact Steve Marquess of the OpenSSL Foundation.