Module _06_fips

Source

This section provides guidance on using FIPS-approved cryptography with rustls.

§Using rustls with FIPS-approved cryptography

To use FIPS-approved cryptography with rustls, you should use a FIPS-approved CryptoProvider. rustls ships with one based on aws-lc-rs; take the following steps to make use of it:

§1. Enable the fips crate feature for rustls.

Use:

rustls = { version = "0.23", features = [ "fips" ] }

§2. Use the FIPS CryptoProvider

This is default_fips_provider():

rustls::crypto::default_fips_provider()
    .install_default()
    .expect("default provider already set elsewhere");

This snippet makes use of the process-default provider, and that assumes all your uses of rustls use that. See CryptoProvider documentation for other ways to specify which CryptoProvider to use.

§3. Validate the FIPS status of your ClientConfig/ServerConfig at run-time

See ClientConfig::fips() or ServerConfig::fips().

You could, for example:

assert!(client_config.fips());

But maybe your application has an error handling or health-check strategy better than panicking.

§aws-lc-rs FIPS approval status

This is covered by FIPS 140-3 certificate #4816. See the security policy for precisely which environments and functions this certificate covers.

Later releases of aws-lc-rs may be covered by later certificates, or be pending certification.

For the most up-to-date details see the latest documentation for the aws-lc-fips-sys crate.