Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Inquiry About FIPS-Compliant MimeKit #1090

Open
fyodorklimenko opened this issue Oct 26, 2024 · 3 comments
Open

Inquiry About FIPS-Compliant MimeKit #1090

fyodorklimenko opened this issue Oct 26, 2024 · 3 comments
Labels
question A question about how to do something

Comments

@fyodorklimenko
Copy link
Contributor

Dear Mr. Stedfast,

Thank you for your efforts and for creating such a fantastic library!

The Federal Information Processing Standard (FIPS) specifies security requirements for cryptographic modules that protect sensitive information in the US and Canada.

My understanding is as follows:

  • The software that depends on MimeKit is FIPS-compliant if the MimeKit is FIPS-compliant.
  • MimeKit depends on the Bouncy Castle.
  • There is a FIPS-certified Bouncy Castle edition.
  • MimeKit will be FIPS-compliant if it uses the FIPS-compliant Bouncy Castle edition.

Are you considering to introduce FIPS-compliant MimeKit?
@jstedfast
Copy link
Owner

Thank you for your efforts and for creating such a fantastic library!

Thanks! I appreciate your kind words!

Are you considering to introduce FIPS-compliant MimeKit?

Honestly, I had not put much thought into it because no one had asked for it and I wasn't sure what would be involved in making MimeKit FIPS compliant.

I suspect there's more than just using the FIPS version of BouncyCastle since at the very least, MimeKit does use MD5 for computing the Content-MD5 headers, but that is also "optional" in that it's not something that is on by default. It's only there for backward compatibility with ancient mail clients that used to compute a Content-MD5 header as a sort of "checksum" (much like a lot of download sites have md5 and/or sha1/sha256 checksums that you can use to verify the download isn't corrupt).

MD5, as you likely know, is most likely something that would kill FIPS certification. Probably even SHA-1 would as well these days.

That said, outside of the MD5 stuff for the Content-MD5 header support (which uses .NET's MD5 context), I do think most everything else uses BouncyCastle's crypto engines, so if MimeKit was built and linked against the FIPS-compliant BouncyCastle, you are probably correct that that would be all it really takes.

I'll try to look into this because I'm sure the reason you're asking is likely due to being required to have your product FIPS-compliant to be able to sell to a government agency somewhere?

I wonder if I'll need to have a separate FIPS-compliant MimeKit nuget package.

@jstedfast jstedfast added the question A question about how to do something label Nov 5, 2024
@CoenraadS
Copy link

CoenraadS commented Dec 16, 2024
edited
Loading

Consider allowing the user to pass in their own cryptography implementations, then we can just pass in our FIPS implementation and MimeKit doesn't need to do anything else. I would avoid adding a dependency to BouncyCastle FIPS library, it has issues giving wrong results on .Net Core, and has conflicting namespace issues with BouncyCastle.Cryptography, making it hard to use both libraries at the same time. It's also not published on nuget.

I see a similar idea was already attempted in: #820

@jstedfast
Copy link
Owner

Yes, I had the same thought.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question A question about how to do something
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jstedfast @CoenraadS @fyodorklimenko and others