FIPS Cryptography in Go, Java, Python, and Node.js
Different languages have varying FIPS support levels. This guide covers language-specific approaches to using FIPS cryptography.
Go
Go has excellent FIPS support via BoringSSL:
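```go
// Build with FIPS:
//   go build -tags fips
// The fips tag only changes the build if the toolchain or project in use
// defines it; upstream Go selects its BoringCrypto-backed build with
// GOEXPERIMENT=boringcrypto.

// Code automatically uses FIPS when built with the tag
package main

import (
	"crypto/sha256"
	"fmt"
)

func main() {
	data := []byte("test")
	hash := sha256.Sum256(data) // Uses FIPS module when tag is set
	fmt.Printf("%x\n", hash)
}
```

FIPS Status: ✓ Excellent (native support via crypto/tls)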
Java
Java uses pluggable TLS providers:
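```java
import java.security.Security;
import javax.net.ssl.*;

import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public class FipsTls {
    public static void main(String[] args) throws Exception {
        // Enable FIPS provider (Bouncy Castle FIPS)
        Security.addProvider(new BouncyCastleFipsProvider());
        // SSLContext is implemented by the BCJSSE provider, not by BCFIPS itself;
        // "fips:BCFIPS" runs BCJSSE in FIPS mode on top of the BCFIPS provider.
        Security.addProvider(new BouncyCastleJsseProvider("fips:BCFIPS"));

        // Or use Java's native FIPS support (Java 11+) in place of Bouncy Castle
        SSLContext context = SSLContext.getInstance("TLSv1.3", "BCJSSE");
        context.init(null, null, null);

        // Use context for FIPS TLS
        SSLSocketFactory factory = context.getSocketFactory();
    }
}
```

FIPS Status: ✓ Good (Bouncy Castle FIPS provider, Java 11+ native)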
Python
Python's cryptography library supports FIPS:
```python
from cryptography.hazmat.backends import openssl
from cryptography.hazmat.primitives import hashes

# Check if FIPS is enabled
backend = openssl.backend
# _fips_enabled is a private attribute of the OpenSSL backend and may change
# between releases of the cryptography library.
print(backend._fips_enabled)  # True = FIPS enabled

# Use FIPS-approved hashing
digest = hashes.Hash(hashes.SHA256(), backend=backend)
```

FIPS Status: ✓ Good (via cryptography library with FIPS OpenSSL)
Node.js
Node.js builds against OpenSSL, inheriting FIPS support:
```javascript
// Check FIPS status
const crypto = require('crypto');
console.log(crypto.fips); // 1 = FIPS enabled

// Build Node.js with FIPS
// node-gyp configure -- --openssl-fips=/usr/lib/fips
// node-gyp build

// Use FIPS-approved algorithms
const hash = crypto.createHash('sha256');
hash.update('test');
console.log(hash.digest('hex'));
```

FIPS Status: ✓ Good (requires building with FIPS OpenSSL)
C/C++
C/C++ has the most direct FIPS support:
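```c
#include <stdio.h>
#include <openssl/evp.h>

int main(void) {
    // Verify FIPS mode. OpenSSL 3.x reports it through the default property
    // query; OpenSSL 1.0.2 FIPS builds used FIPS_mode() instead.
    if (EVP_default_properties_is_fips_enabled(NULL) == 1) {
        printf("FIPS mode is ON\n");
    }

    // Use EVP (high-level) for automatic FIPS support
    unsigned char md[EVP_MAX_MD_SIZE];
    unsigned int md_len = 0;
    EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
    if (mdctx == NULL) return 1;
    if (EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL) != 1 ||
        EVP_DigestUpdate(mdctx, "test", 4) != 1 ||
        EVP_DigestFinal_ex(mdctx, md, &md_len) != 1) {
        EVP_MD_CTX_free(mdctx);
        return 1;
    }
    EVP_MD_CTX_free(mdctx);
    return 0;
}
```

FIPS Status: ✓ Excellent (direct OpenSSL access)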
Rust
Rust has FIPS support through rustls and OpenSSL bindings:
```rust
// Using openssl crate
use openssl::hash::MessageDigest;

fn main() {
    let hash = openssl::hash::hash(
        MessageDigest::sha256(),
        b"test"
    ).unwrap();
}

// Or use rustls for TLS (FIPS OpenSSL backend)
use rustls::{ClientConfig, ServerConfig};
```

FIPS Status: ✓ Good (via openssl crate, rustls)
.NET/C#
.NET has FIPS support through System.Security.Cryptography:
```csharp
using System.Security.Cryptography;

class Program
{
    static void Main()
    {
        // .NET automatically uses FIPS when available
        using (var sha256 = SHA256.Create())
        {
            byte[] hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes("test"));
        }

        // Check FIPS status
        bool isFips = CryptoConfig.AllowOnlyFipsAlgorithms;
    }
}
```

FIPS Status: ✓ Good (built-in support on FIPS systems)
PHP
PHP with OpenSSL module supports FIPS:
```php
<?php
// Check that the OpenSSL extension is loaded (this does not report FIPS mode)
if (extension_loaded('openssl')) {
    echo "OpenSSL available\n";
}

// Use FIPS-approved algorithms
$hash = hash('sha256', 'test'); // SHA-256 (FIPS-approved)

// Or with OpenSSL functions
$hash = openssl_digest('test', 'sha256');
?>
```

FIPS Status: ✓ Good (via OpenSSL extension)
Ruby
Ruby supports FIPS through OpenSSL:
```ruby
require 'openssl'

# Check FIPS mode
puts OpenSSL.fips_mode               # true = FIPS enabled
puts OpenSSL::OPENSSL_VERSION_NUMBER # Version info

# Use FIPS-approved algorithms
digest = OpenSSL::Digest::SHA256.new
digest << 'test'
puts digest.hexdigest

# TLS with FIPS
require 'net/https'
http = Net::HTTP.new('example.com', 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
```

FIPS Status: ✓ Good (via openssl gem)
FIPS Mode Configuration by Language
Environment Variables
```bash
# Most languages respect FIPS_FORCE_MODE_STATUS
export FIPS_FORCE_MODE_STATUS=1
python app.py

# Or via OpenSSL
export OPENSSL_FORCE_FIPS_MODE=1
java -cp . MyApp

# Verify
echo "$FIPS_FORCE_MODE_STATUS"
```

Build Time
```bash
# Go
go build -tags fips

# Node.js
node-gyp configure -- --openssl-fips=/usr/lib/fips

# Python (already uses system OpenSSL if FIPS-enabled)
pip install cryptography

# Ruby
gem install openssl -- --with-openssl-dir=/usr/lib/fips
```

Runtime
```bash
# Java: Add to JVM args
java -Dcom.sun.jndi.ldap.connect.pool=false MyApp
```

```csharp
// .NET: Check FIPS at runtime
if (System.Security.Cryptography.CryptoConfig.AllowOnlyFipsAlgorithms) {
    // FIPS is enforced
}
```

Comparing Language FIPS Support
| Language | FIPS Support | Effort | Notes |
|---|---|---|---|
| Go | Excellent | Low | Automatic via tag |
| Rust | Good | Low | Via openssl crate |
| C/C++ | Excellent | Low | Direct access |
| Java | Good | Medium | Requires Bouncy Castle or Java 11+ |
| Python | Good | Low | Via cryptography library |
| Node.js | Good | Medium | Rebuild with FIPS OpenSSL |
| C#/.NET | Good | Low | Automatic on FIPS systems |
| PHP | Good | Low | Via OpenSSL extension |
| Ruby | Good | Medium | Via openssl gem |
Common Issues and Solutions
Issue: Library Not Using FIPS
```python
# Check if FIPS is active
from cryptography.hazmat.backends import openssl

backend = openssl.backend
# _fips_enabled is a private attribute and may change between releases
print(backend._fips_enabled)  # Should be True

# If False, FIPS module not loaded
# Solution: Install libssl3-fips and rebuild
```

Issue: Algorithm Not Supported in FIPS Mode
```go
// BAD: MD5 is not FIPS-approved
hash := md5.New() // Panics in FIPS mode

// GOOD: SHA-256 is FIPS-approved
hash := sha256.New() // Works in FIPS mode
```

Issue: FIPS Mode Disallows Certain Operations
```
// Some operations may be restricted in FIPS
// Solution: Switch to FIPS-approved operation
// BAD: RSA with PKCS#1 v1.5 padding
// GOOD: RSA with PSS padding (FIPS-approved)
```

Best Practices
- Use Language-Native Support: Don't implement crypto yourself
- Test FIPS Mode: Verify your code works with FIPS enabled
- Update Dependencies: Keep crypto libraries current
- Document Requirements: Note FIPS requirements in README
- Use FIPS-Traces: Monitor runtime for non-FIPS operations
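
A behavioural check for the "Test FIPS Mode" practice and the "Algorithm Not Supported in FIPS Mode" issue above, as an added example that is not part of the original guide: instead of trusting a status flag, it asks the runtime for one non-approved digest (MD5) and two approved ones, then classifies the outcome. The `PROBES` table, the function names and the verdict strings are assumptions made for this example.

```python
import hashlib

# Digest name -> True if FIPS-approved, False if not.
# Constructed probe set for this example.
PROBES = {"md5": False, "sha256": True, "sha512": True}


def probe_digests(new=hashlib.new):
    """Try to create each digest; return {name: True if it worked}.

    `new` defaults to hashlib.new and can be swapped for another
    constructor with the same (name, data) signature.
    """
    results = {}
    for name in PROBES:
        try:
            new(name, b"fips-probe").hexdigest()
            results[name] = True
        except ValueError:
            # hashlib reports unsupported or blocked digests as ValueError.
            results[name] = False
    return results


def classify(results):
    """Map probe results to 'enforced', 'not-enforced' or 'broken'."""
    approved_ok = all(results[n] for n, ok in PROBES.items() if ok)
    unapproved_ok = any(results[n] for n, ok in PROBES.items() if not ok)
    if not approved_ok:
        # Approved digests are unavailable: the crypto stack is misconfigured.
        return "broken"
    # CPython's hashlib can fall back to its own built-in implementations
    # when OpenSSL refuses a digest, so MD5 may succeed even though OpenSSL
    # is in FIPS mode. "not-enforced" therefore describes this interpreter,
    # not the OpenSSL library alone.
    return "not-enforced" if unapproved_ok else "enforced"


if __name__ == "__main__":
    outcome = probe_digests()
    print(outcome, "->", classify(outcome))
```

Run it in CI on the FIPS-enabled image and fail the job unless the verdict is `enforced`.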
See Also
- FIPS Overview: fips-140-overview.md (FIPS fundamentals)
- FIPS-Verifier: fips-verifier.md (Automated compliance checking)
- Runtime Monitoring: fips-traces.md (Catch violations at runtime)
