- Why do I need to compile the libraries with FIPS, and why are they not precompiled?
OpenSSL and the US government pursued the validation in source form, so it was not tied to any platform (some hand waving since there is an Operational Environment or OE).
- Can I compile them in Windows using Cygwin? I have been reviewing the shell and it looks like it is made for Linux and Mac only.
For that, you need to check the OpenSSL FIPS 140-2 Security Policy. It is very specific about the platforms supported. The table starts on page 9.
- After compiling the libraries, can I add them to my project in the jniLibs folder with Gradle, and are they going to run on all devices?
NO. If you dropped the shared object in the JNI folder, then it would never be loaded. That's because Zygote loads the system's down level version of OpenSSL. When you call loadLibrary, the dependency is already satisfied with the down level version so your version is not mapped into the process.
You have to build a wrapper shared object that links to the static version of the OpenSSL library.
- ... Or do I need to precompile for every architecture that I want to support?
Yes, you need to build it for every platform of Android you plan to support (ARMv7, MIPSEL, ARM64, etc). And that version has to be validated under the 1747 certificate. You can check if it's been validated in the OpenSSL FIPS 140-2 Security Policy.
- After compiling the libraries and getting the .so files, I am planning to integrate them using the NDK, but do I need to create a wrapper class in C/C++ to make a bridge between the OpenSSL library and the Java code?
Correct. See the answer to (3).
- Do you have a tutorial for creating this wrapper class? I have no experience in C or OpenSSL; I have always used Java and BouncyCastle.
Nope, that's off-topic here. You have to find your own tutorials. With that said, here's a book I have that provides a good treatment of it: Android Native Development Kit Cookbook. See Chapter 9.
You will still have to build the OpenSSL library using OpenSSL's makefiles from the command line. That's a FIPS 140-2 policy and procedure requirement. But you can build your shared object using Android's modified make/build system.
And good luck with using Android's modified make/build system. It's very frustrating because it's poorly documented. There's no comprehensive treatment that I have found. You kind of start with "Hello World" JNI projects in the docs. Then you try to scale it up to the real world by searching for answers and asking questions on Stack Overflow (when you encounter problems, like the compiler cannot find the OpenSSL headers, the linker cannot find the static library, or the wrapper shared object is not packaged with the APK).
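The loading behaviour described in the answer to (3) can be checked from inside the wrapper by scanning the process's own /proc/self/maps for OpenSSL images. The following is an added example, not code from the original answer or from OpenSSL; the wrapper name `libfipswrapper.so`, the function names and the sample maps text are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

struct ssl_maps {
    int system_copies;  /* libcrypto.so / libssl.so images under /system/ */
    int other_copies;   /* the same file names mapped from any other path */
    int wrapper_mapped; /* 1 if the wrapper shared object is mapped */
};

static int is_openssl(const char *b) {
    return !strncmp(b, "libcrypto.so", 12) || !strncmp(b, "libssl.so", 9);
}

/* Scan the text of /proc/<pid>/maps; each mapped image is counted once. */
struct ssl_maps scan_maps(const char *text, const char *wrapper) {
    struct ssl_maps r = {0, 0, 0};
    char path[512], last[512] = "";
    while (*text) {
        size_t len = strcspn(text, "\n");
        const char *p = memchr(text, '/', len);  /* pathname column, if any */
        if (p) {
            size_t n = len - (size_t)(p - text);
            if (n >= sizeof path) n = sizeof path - 1;
            memcpy(path, p, n);
            path[n] = '\0';
            if (strcmp(path, last) != 0) {       /* not another segment of same image */
                const char *base = strrchr(path, '/') + 1;
                strcpy(last, path);
                if (!is_openssl(base)) r.wrapper_mapped |= !strcmp(base, wrapper);
                else if (!strncmp(path, "/system/", 8)) r.system_copies++;
                else r.other_copies++;
            }
        }
        text += len + (text[len] == '\n');
    }
    return r;
}

/* Constructed sample of an app process's maps; paths and names are made up. */
static const char SAMPLE_MAPS[] =
    "b6d00000-b6e10000 r-xp 00000000 b3:19 912 /system/lib/libcrypto.so\n"
    "b6e10000-b6e20000 rw-p 00110000 b3:19 912 /system/lib/libcrypto.so\n"
    "b6e40000-b6e90000 r-xp 00000000 b3:19 913 /system/lib/libssl.so\n"
    "b7000000-b7200000 r-xp 00000000 b3:1c 77 /data/app-lib/com.example.app-1/libfipswrapper.so\n";

int main(void) {
    struct ssl_maps r = scan_maps(SAMPLE_MAPS, "libfipswrapper.so");
    printf("system=%d other=%d wrapper=%d\n", r.system_copies, r.other_copies, r.wrapper_mapped);
    return 0;
}
```

In a real wrapper, read /proc/self/maps into a buffer and pass it to `scan_maps`. A non-zero `system_copies` with `other_copies` at zero matches the situation the answer describes: the system's OpenSSL is mapped and a same-named library shipped with the app is not.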