ENH: Add support for python in FIPS mode for document identifier #3438
Conversation
In FIPS mode, md5 might be available and approved. It might also be available, but only on opt-in basis for unapproved usage. And very strict systems might not have md5 even on opt-in basis. Python has API to expose this as "usedforsecurity=False" argument, see python documentation. The rolling document checksum is not used for cryptograpic protection, but rather used out of convenience. Hence allow using MD5 on more FIPS systems. This is no effective change for regular non-fips python builds.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@ ## main #3438 +/- ## ======================================= Coverage 96.97% 96.97% ======================================= Files 54 54 Lines 9337 9337 Branches 1711 1711 ======================================= Hits 9055 9055 Misses 168 168 Partials 114 114 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
| Thanks for the report and the fix. Is there any risk of accidentally breaking FIPS compatibility with further changes where a corresponding test run would help - or is this specific change sufficient for most of the PDF-related use cases? |
this absolutely is enough as is for most usage, without need for any further testing. If you must you can pull down freely available azure linux fips containers; or like launch amazon linux 2023 EC2 instance, put it into fips mode...... to then check that this just works. But I find this in general un-necessary. Upstream cpython, has extensive test suite to ensure this hashlib api works correctly with openssl in fips mode already, which they validate on every PR and release as is. The encrypted pdf works with the aes-256 / latest key derivation based on sha256, and as expected loudly fails when using RC4 based stuff - but all that clearly is done for cryptographic protection and all FIPS users expect such behaviour of allowed aes to work, and rc4 stuff to fail. |
## What's new ### New Features (ENH) - Enhance XMP metadata handling with creation and setter methods (#3410) by @Arya-A-Nair - Add all font metrics for base 14 Type 1 PDF fonts (#3363) by @PJBrs - Allow deleting embedded files (#3461) by @stefan6419846 - Add support for Python in FIPS mode for document identifier (#3438) by @xnox ### Bug Fixes (BUG) - Fix handling of UTF-16 encoded destination titles (#3463) by @stefan6419846 - Guard empty input to prevent IndexError (#3448) by @KyleJung0828 ### Developer Experience (DEV) - Fix type hint for XMP metadata setter to add bytes type (#3464) by @stefan6419846 [Full Changelog](6.0.0...6.1.0)
…pdf#3438) In FIPS mode, md5 might be available and approved. It might also be available, but only on opt-in basis for unapproved usage. And very strict systems might not have md5 even on opt-in basis. Python has API to expose this as "usedforsecurity=False" argument, see python documentation. The rolling document checksum is not used for cryptograpic protection, but rather used out of convenience. Hence allow using MD5 on more FIPS systems. This is no effective change for regular non-fips python builds.
## What's new ### New Features (ENH) - Enhance XMP metadata handling with creation and setter methods (py-pdf#3410) by @Arya-A-Nair - Add all font metrics for base 14 Type 1 PDF fonts (py-pdf#3363) by @PJBrs - Allow deleting embedded files (py-pdf#3461) by @stefan6419846 - Add support for Python in FIPS mode for document identifier (py-pdf#3438) by @xnox ### Bug Fixes (BUG) - Fix handling of UTF-16 encoded destination titles (py-pdf#3463) by @stefan6419846 - Guard empty input to prevent IndexError (py-pdf#3448) by @KyleJung0828 ### Developer Experience (DEV) - Fix type hint for XMP metadata setter to add bytes type (py-pdf#3464) by @stefan6419846 [Full Changelog](py-pdf/pypdf@6.0.0...6.1.0)
2 participants
In FIPS mode, md5 might be available and approved. It might also be
available, but only on opt-in basis for unapproved usage. And very
strict systems might not have md5 even on opt-in basis.
Python has API to expose this as "usedforsecurity=False" argument, see
python documentation.
The rolling document checksum is not used for cryptograpic protection,
but rather used out of convenience. Hence allow using MD5 on more FIPS
systems.
This is no effective change for regular non-fips python builds.