Can UBI images be freely used for commercial purposes and FIPS compliance?
Making Node.js v16 FIPS compliant is hard unless you are willing to develop your own OpenSSL 1.1.1 build and go through the FIPS validation process. It looks like Red Hat has done it, see link.
If you run the UBI image with Node.js, it looks like it is using a FIPS-compliant Node.js stack (i.e. a Node.js compiled using the FIPS version of OpenSSL, and doing all crypto ops using FIPS-validated modules).
```
$ docker run -it registry.access.redhat.com/ubi8/nodejs-16-minimal /bin/bash
bash-4.4$ openssl version
OpenSSL 1.1.1k  FIPS 25 Mar 2021
bash-4.4$ node -p 'crypto.getFips()'
0
bash-4.4$ node -p 'crypto.createHash("md5")'
Hash {
  _options: undefined,
  [Symbol(kHandle)]: Hash {},
  [Symbol(kState)]: { [Symbol(kFinalized)]: false }
}
bash-4.4$ node --force-fips -p 'crypto.getFips()'
1
bash-4.4$ node --force-fips -p 'crypto.createHash("md5")'
node:internal/crypto/hash:67
    this[kHandle] = new _Hash(algorithm, xofLen);
                    ^

Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at [eval]:1:8
    at Script.runInThisContext (node:vm:129:12)
    at Object.runInThisContext (node:vm:305:38)
    at node:internal/process/execution:75:19
    at [eval]-wrapper:6:22
    at evalScript (node:internal/process/execution:74:60)
    at node:internal/main/eval_string:27:3 {
  library: 'digital envelope routines',
  function: 'EVP_DigestInit_ex',
  reason: 'disabled for FIPS',
  code: 'ERR_OSSL_EVP_DISABLED_FOR_FIPS'
}
bash-4.4$ node -e "console.log(process.versions)" | grep openssl
  openssl: '1.1.1k',
```
As per the license agreement, my understanding is that UBI images can be freely used in a commercial environment. Therefore,