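# syntax=docker/dockerfile:1
# Builds OpenSSL with its FIPS provider, then a CPython linked against that
# OpenSSL, and installs `cryptography` to check whether FIPS mode is visible
# from Python. This is an experimental / diagnostic image, not a hardened runtime.
FROM ubuntu:24.04

# Ubuntu's /bin/sh is dash, which has no pipefail and does not understand
# `echo -e` (it prints a literal "-e"); use bash for every RUN so pipelines
# fail loudly and the heredocs below behave as written.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Unprivileged account for everything that does not need root (created early
# so COPY --chown can reference it by name).
RUN groupadd --system --gid 10001 app \
    && useradd --system --uid 10001 --gid app --home /app --create-home app

#### OPENSSL STUFF ####

# 3.0.8 is the release whose FIPS provider was submitted for FIPS 140-3
# validation. Only the provider (fips.so) is the validated module; the rest
# of libcrypto/libssl is just the matching release.
ARG OPENSSL_VERSION=3.0.8
# Optional sha256 of openssl-${OPENSSL_VERSION}.tar.gz. When non-empty the
# download is verified before it is built; pass it with
#   --build-arg OPENSSL_SHA256=<sha256 from the OpenSSL release page>
ARG OPENSSL_SHA256=""

# Build tools only (no editor in the image). ca-certificates is needed for
# wget over HTTPS once recommends are disabled. TODO: pin package versions
# (hadolint DL3008) once the set is stable.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        gcc \
        libc-dev \
        make \
        perl \
        wget \
    && rm -rf /var/lib/apt/lists/*

# Fetch, (optionally) verify, build and install OpenSSL + the FIPS provider.
# NOTE: openssl.org moves older releases to /source/old/<major.minor>/ over
# time; adjust the URL if this 404s.
# `ldconfig` at the end is what makes /usr/local/bin/openssl pick up the
# freshly installed libssl.so.3/libcrypto.so.3 from /usr/local/lib. Without it
# the dynamic loader's cache still resolves those sonames to the distro copies
# in /usr/lib/<triplet>, which have no FIPS provider and report the distro's
# OPENSSLDIR — most likely the "something is wrong with /usr/local/bin" seen
# earlier (the in-tree util/wrap.pl run worked because it sets LD_LIBRARY_PATH).
RUN wget -q "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" \
    && if [ -n "${OPENSSL_SHA256}" ]; then \
         echo "${OPENSSL_SHA256}  openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c -; \
       fi \
    && tar -xf "openssl-${OPENSSL_VERSION}.tar.gz" \
    && rm "openssl-${OPENSSL_VERSION}.tar.gz" \
    && cd "openssl-${OPENSSL_VERSION}" \
    && ./Configure enable-fips --libdir=lib --prefix=/usr/local --openssldir=/usr/local/ssl \
    && make \
    && make install \
    && make install_fips \
    && ldconfig

# Prepend (not append): guarantees the OpenSSL we just built shadows any
# distro `openssl` binary for the rest of the build and at runtime.
ENV PATH="/usr/local/bin:${PATH}"

# As per documentation, tests have to be run on every machine that uses
# openssl in FIPS mode. This is slow; it is kept in its own layer so it is
# only re-run when the build above changes.
WORKDIR "/openssl-${OPENSSL_VERSION}"
RUN make tests

# Enable the FIPS provider for every consumer that reads OPENSSLDIR's config.
# See https://www.openssl.org/docs/manmaster/man7/fips_module.html
# The file is written whole rather than appended: the stock openssl.cnf ends
# inside a [section], so appended top-level keys (config_diagnostics,
# openssl_conf) would most likely have landed in that last section instead of
# the default section and been ignored. The stock file is kept alongside for
# reference. config_diagnostics = 1 makes a broken config a hard error
# instead of a silent fallback to non-FIPS algorithms.
RUN cp /usr/local/ssl/openssl.cnf /usr/local/ssl/openssl.cnf.pre-fips \
    && cat > /usr/local/ssl/openssl.cnf <<'EOF'
config_diagnostics = 1
openssl_conf = openssl_init

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
default = default_sect

[default_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
EOF

# Checks against the *installed* build. `openssl version -a` prints the
# OPENSSLDIR/MODULESDIR compiled into the libcrypto that actually got loaded,
# so anything other than /usr/local/... here means the distro library won.
# `openssl list -providers` fails (thanks to config_diagnostics) if the FIPS
# module cannot be loaded, e.g. on a fipsmodule.cnf integrity mismatch.
RUN command -v openssl \
    && openssl version -a \
    && openssl list -providers

# Same check against the source tree, as a control.
RUN ./util/wrap.pl -fips apps/openssl list -provider-path providers -provider fips -providers

#### PYTHON STUFF ####

# The earlier failure ("missing library files") was almost certainly because
# --with-openssl pointed at the source tree (/openssl-3.0.8), where the built
# libraries are not under a lib/ subdirectory. Python's configure expects an
# install prefix with include/ and lib/, i.e. /usr/local from `make install`.
# libssl-dev is deliberately NOT installed: it would put the distro's OpenSSL
# headers in the default include path and make it easy to link the wrong one.

# you can specify python version during image build
ARG PYTHON_VERSION=3.12.2
# Optional sha256 of Python-${PYTHON_VERSION}.tgz (see OPENSSL_SHA256 above).
ARG PYTHON_SHA256=""

# install build dependencies and needed tools
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        build-essential \
        libffi-dev \
        zlib1g-dev \
    && rm -rf /var/lib/apt/lists/*

# download, (optionally) verify, build python, then remove left-over sources
# in the same layer so they never reach the image. --with-openssl-rpath=auto
# bakes /usr/local/lib into _ssl.so so it does not depend on ldconfig either.
WORKDIR /opt
RUN wget -q "https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tgz" \
    && if [ -n "${PYTHON_SHA256}" ]; then \
         echo "${PYTHON_SHA256}  Python-${PYTHON_VERSION}.tgz" | sha256sum -c -; \
       fi \
    && tar xzf "Python-${PYTHON_VERSION}.tgz" \
    && cd "Python-${PYTHON_VERSION}" \
    && ./configure --prefix=/usr/local \
         --with-openssl=/usr/local \
         --with-openssl-rpath=auto \
         --with-ensurepip=install \
    && make -j "$(nproc)" \
    && make install \
    && cd /opt \
    && rm -rf "/opt/Python-${PYTHON_VERSION}.tgz" "/opt/Python-${PYTHON_VERSION}"

# NOTE: the PyPI wheel for `cryptography` bundles its own statically linked
# OpenSSL, so it never sees the FIPS provider configured above. That is why
# is_fips_enabled.py reports False even when Python's own `ssl` module is
# linked against /usr/local. To exercise the FIPS build it has to be compiled
# from source (`pip install --no-binary cryptography cryptography` with
# OPENSSL_DIR=/usr/local), which needs a Rust toolchain in the image.
# TODO: pin the cryptography version for reproducible builds.
RUN python3 -m pip install --no-cache-dir cryptography

# This is a little test everyone uses to see if cryptography is fips-enabled.
# Written as a heredoc so indentation survives instead of being rebuilt with
# echo/backslash escapes.
WORKDIR /app
COPY --chown=app:app <<'EOF' /app/is_fips_enabled.py
"""Report whether cryptography's OpenSSL backend is running in FIPS mode.

Relies on the private `_fips_enabled` attribute (there is no public API), so
an AttributeError on some other cryptography release is reported as False.
"""
from cryptography.hazmat.backends import default_backend


def is_fips_enabled() -> bool:
    try:
        backend = default_backend()
        return backend._fips_enabled
    except AttributeError:
        return False


print(f"IS FIPS ENABLED? {is_fips_enabled()}")
EOF

# Which python, and which OpenSSL its ssl module links against: the last line
# must show the FIPS build's version, not the distro's. (`python3 -v` is
# verbose-import mode; `-V` is the version.)
RUN command -v python3 \
    && python3 -V \
    && python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)'

RUN python3 /app/is_fips_enabled.py

# Nothing below needs root.
USER app
CMD ["python3", "/app/is_fips_enabled.py"]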