[2.0] Research continued FIPS 140-2 Compliance #767

Open
yezr opened this issue Nov 7, 2023 · 3 comments
@yezr
Collaborator

yezr commented Nov 7, 2023

#765 added the BouncyCastle library to RCTab 1.3.2 in order to satisfy FIPS 140-2 compliance mandated in California Voting System Standards (CVSS). 2.0 upgrades Java to Java 20. Those BouncyCastle libraries are not compatible with Java 20.

We need to make a decision on how to move forward in 2.0: do we find another FIPS 140-2 compliant library? Do we downgrade to an earlier Java version that is compatible with BouncyCastle? Do we somehow implement a two build system, one for CA and one for other jurisdictions?

@yezr
Collaborator Author

yezr commented Nov 10, 2023

We also need to understand the ramifications of the changes in #769 (the addition of --ignore-signing-information) that were required to build the jar with BouncyCastle. SO has some details here

@HEdingfield
Contributor

From Slack convo:

@HEdingfield

RE: FIPS, what does it do if you try to run that code with 20? Does it fail silently, or just refuse to compile or what?

@artoonie

I haven't tried running FIPS on 20, I expect it will neither fail silently nor refuse to compile -- it just doesn't have the FIPS certification. That means everything should work, but we won't be FIPS compliant.

@yezr

like the bouncycastle library silently isn't FIPS compliant when running with java 20?

@artoonie

Right -- if you look here: https://www.bouncycastle.org/fips_java_roadmap.html
You'll see the release notes of 1.0.2.4:

Patch release to add Java 17 to BC-FJA 1.0.2.3 as an operational environment. Removes the risk of CVE 2022-45146 and also deals with the end of the transition periods for PKCS 1.5 RSA encryption and TDES encryption. Module is now certified with certificate #4616.

So we are good on 1.3.2 which uses Java 17, but we kind of got lucky that we weren't on -- we just happened to be using the exact right version of Java here.

@HEdingfield
Contributor

HEdingfield commented Nov 10, 2023

@artoonie created #770 to bring --ignore-signing-information into develop, pending #767 (comment) to understand exactly what that does.

yezr changed the title from "[1.4.0] Research continued FIPS 140-2 Compliance" to "[2.0] Research continued FIPS 140-2 Compliance" on Feb 21, 2024
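
A startup guard for the failure mode discussed in this thread (the library keeps working on an uncertified Java version, so nothing signals the loss of compliance), as an added example that is not RCTab's code. Only Java 17 is taken from the release note quoted above; the class name `FipsEnvironmentGuard`, the `CERTIFIED_JAVA_FEATURES` set, and the provider name `BCFIPS` are assumptions to check against the security policy of the certificate in use.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/** Added example: refuse to start when the runtime is outside the certified environment. */
public final class FipsEnvironmentGuard {
  // Assumption: fill this from the security policy of the certificate in use.
  // Java 17 is the only version named in the release note quoted in this thread.
  static final Set<Integer> CERTIFIED_JAVA_FEATURES = Set.of(17);
  // Assumption: name under which the BC-FJA provider is registered.
  static final String FIPS_PROVIDER = "BCFIPS";

  /** Returns every reason the current environment falls outside the certified one. */
  static List<String> findings(int javaFeature, Provider[] installed) {
    List<String> problems = new ArrayList<>();
    if (!CERTIFIED_JAVA_FEATURES.contains(javaFeature)) {
      problems.add("Java " + javaFeature + " is not a certified operational environment "
          + "(certified: " + CERTIFIED_JAVA_FEATURES + ")");
    }
    int position = -1;
    for (int i = 0; i < installed.length; i++) {
      if (FIPS_PROVIDER.equals(installed[i].getName())) {
        position = i;
        break;
      }
    }
    if (position < 0) {
      problems.add("provider " + FIPS_PROVIDER + " is not registered");
    } else if (position > 0) {
      // A provider earlier in the list answers getInstance() calls first.
      problems.add(FIPS_PROVIDER + " is at position " + (position + 1) + "; "
          + installed[0].getName() + " takes precedence for default lookups");
    }
    return problems;
  }

  public static void main(String[] args) {
    List<String> problems =
        findings(Runtime.version().feature(), Security.getProviders());
    if (!problems.isEmpty()) {
      problems.forEach(p -> System.err.println("FIPS check failed: " + p));
      System.exit(1); // fail loudly instead of running without certification
    }
    System.out.println("FIPS environment check passed");
  }
}
```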