What crypto library does Eclipse Ditto use by default? I need to determine if it is FIPS 140-2 validated. If not is there a way to build Ditto with an alternative crypto library that's validated?
Eclipse Ditto is not FIPS 140-2 compliant (to be honest that is the first time that I hear of FIPS 140-2).
I guess you figured that our already.
Ditto uses the OpenJ9 JVM including OpenJDK 11 (since Ditto 1.1.0) with its by default included crypto provider.
So I guess you would have to fork Ditto and switch out the used Java runtime bundled inside the Docker image to a FIPS 140-2 validated one (or use a Docker base image which contains a a certified Java runtime) and build your own Ditto Docker images.
Related
I used wxsqlite3 (version 3.11.1) to encrypt SQLite database on Windows OS. I simply included sqlite3.h and sqlite3.lib into my projects, and used sqlite3_key to encrypt my database. It works fine, but now I want to use wxsqlite3 on Linux (Centos 7).
I spent many days trying to compile but failed. How I can use the same methods as on Windows on Linux? Could anyone who has experience, share their knowledge and practice on how to compile SQLite and wxSqlite3 in order to be able to access encryption functions.
There never existed a version 3.11.1 of wxSQLite3. However, there was a release of SQLite 3.11.1 in March 2016. Current version of SQLite is version 3.23.1.
wxSQLite3 is mainly a thin wrapper for the SQLite library for wxWidgets based applications. Are you developing a wxWidgets application? Or are/were you just using the SQLite library with encryption extension that is included in wxSQLite3?
Starting with wxSQLite3 version 3.5.0 the included build system was overhauled, making it easier to build wxSQLite3 under Windows and Linux. Up to version wxSQLite3 3.5.9 pre-generated build files were included for the wxWidgets wrapper library only, but a premake5 script for generating build files was included. Since version wxSQLite3 4.0.0 pre-generated build files are also included for the SQLite library with encryption extension.
So, my advice would be to download a recent version of wxSQLite3 and try the included build files for Linux (and other Linux-like systems).
Background Info:
Linux OS: Stripped down, minimalistic and very customized (no apt-get, yum, etc)
Linux Kernel: 2.6.19.1
Current glibc version: 2.3.6
Target glibc version: 2.6.1
Issue:
Attempting to install an ipk package provided by 3rd party which has a dependency on a glibc version >= 2.6 (current version is 2.3.6)
The 3rd party provided a different ipk package to upgrade glibc to 2.6.1. After executing the install of the package, all other applications that depend upon glibc report "libc.so.6: cannot handle TLS data"
Is anyone familiar with upgrading glibc on a customized Linux OS without using any sort of package manager for support?
My understanding is that glibc should be backwards compatible and upgrading it shouldn't cause issues with applications that had previously been working. Is this assumption incorrect?
I can post more information as it is requested. Any and all help is greatly appreciated, thank you in advance.
My understanding is that glibc should be backwards compatible and upgrading it shouldn't cause issues with applications that had previously been working.
That is correct.
Your issue is most likely the result of mismatch between ld-linux and libc.so.6 -- they must come from the same build, of bad things will happen (GLIBC actually consists of many libraries, and they all must match).
It's possible that your 3rd-party provided glibc package is mis-configured and replaced one, but not the other. Possibly it installed libc.so.6 into /usr/local/lib instead of whatever location is appropriate for your OS.
So find all files that "belong" to GLIBC before the installation of 3rd-party update, and verify that every one of them is replaced by it.
It is also possible, though less likely, that the 3rd party package is simply broken, or configured without TLS support.
If you link an app against GLIBC with TLS support, then upgrade GLIBC to one configured without TLS support, the applications will break. That is expected and "normal" (configuring GLIBC without TLS support is simply not a good idea).
My company uses an applet which needs JNI to access some PKI features.
This is a very stable (+4 years) solution and is already in production in several clients.
It's a signed (Thawte Certificate) applet and it worked fine until JRE7 21 - now a security exception has popped (all Applet JNI solutions we have are presenting the same issue).
I checked Java applet stopped working after update to JRE 7u21 and Cannot launch applet using Java 7u21. I've checked Java 7 Update 21 Security Improvements in Detail, but it doesn't mention anything about JNI.
I've already tried using TurstedLibrary and recompiling it with JDK7 21 but it still pops the security exception.
I'd like to check with you guys if you had the same issue and if someone is able to use Java + JNI again (don't know if there's some new stuff to sign the DLL or something like that)..
Update:
Working - got it through http://docs.oracle.com/javase/6/docs/technotes/guides/jweb/mixed_code.html#trusted_library
Adding the correct Trusted Library manifest make it stop prompting the error - remembering that you need to use JDK7 21.
I would like to know is openssl and curl are a part of android core .. becoz I have seen in many forums where users are trying build the openssl and curl for android ndk and use in there ..
Why do users go with their own build?
Android comes with /system/lib/libssl.so and /system/lib/libcrypto.so, which are ported from www.openssl.org. For example, the 4.0r1 (ICS) build includes version 1.0.0e. These libraries may not expose all the features of OpenSSL, though.
As for curl, look in Using cURL in Android for references.
They're not. On the other hand, both cryptographic primitives in the scope of OpenSSL and an HTTP stack are a part of Android API on the Java side.
Why do folks roll their own? Probably to migrate legacy C/C++ code, rather than rewrite into reflected Java calls. Those are ugly.
Here is the situation: I've built a native library for re-distribution in other apps. Because we're using ARMv7 NEON, we ship two versions of the library: One for most devices and a "fallback" limited capability version for ARMv5/ARMv6. So far so good and this has worked well.
However, for some reason a newly created app running on a Nexus S with Android 4.0.3 is picking up the wrong (armeabi rather than armeabi-v7a) version of the library.
If we dig into the device filesystem, we find that /data/app/my_app.apk contains the correct versions of the library. However, when Android extracts it to /data/data/my_app, we find that /data/data/my_app/lib/my_lib.so is the armeabi version. But, strangely, /data/data/my_other_app/lib/my_lib.so is the correct armeabi-v7a version.
So the questions are:
1) WTF??
2) How does Android decide which eabi to extract from the APK?
Yes, this is known bug in ICS - it chooses wrong library.
Read about it here:
http://www.moodstocks.com/2012/03/20/ice-cream-sandwich-why-native-code-support-sucks/
https://groups.google.com/d/msg/android-ndk/N8FLjvM81pg/2rYeClQZcckJ