HARDENED
python3-fips
latest

A Python 3 runtime environment with the Python interpreter and standard library, configured to run Python applications with the python3 command as the default entry point. This image includes FIPS support with OpenSSL FIPS provider integration for applications requiring cryptographic compliance standards.

Getting Started

To pull the image:

docker pull registry.hardened.eu/library/python3-fips:latest

Testing FIPS in Python

Verify that the FIPS provider is actually active before deploying to production; a Python process is not compliant merely because it runs inside this image if its code reaches non-approved algorithms through a fallback implementation. Use FIPS-approved algorithms such as SHA-256, SHA-384 and SHA-512. Avoid MD5 and other non-approved algorithms, which the FIPS provider does not offer. Test cryptographic operations in the FIPS environment itself and watch test runs and logs for _hashlib.UnsupportedDigestmodError (a ValueError subclass): OpenSSL raises it when it refuses to provide a digest, and it is the clearest signal that code is calling a non-compliant algorithm.

To verify that the Python environment is using FIPS-compliant OpenSSL, execute the following verification commands:

import ssl
import os

print(f"OpenSSL Version: {ssl.OPENSSL_VERSION}")
print(f"OpenSSL Config: {os.environ.get('OPENSSL_CONF')}")

ssl.OPENSSL_VERSION only shows which OpenSSL build the interpreter is linked against (it must be 3.x, since the FIPS provider exists only in the provider model), and OPENSSL_CONF shows which configuration file loads the FIPS provider (when the variable is unset, OpenSSL reads its compiled-in default path). Neither line proves that the FIPS provider is active. That needs a functional check: confirm that OpenSSL refuses to construct a non-approved digest such as MD5, as in the _hashlib check below.
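
The following is an added example (not code from the image or from Hardened B.V.) that turns the pre-deployment check into one function. Besides the version and config path it probes each digest twice: once through OpenSSL only, to see whether the loaded providers offer it, and once through the hashlib constructor, to reveal whether hashlib silently bound CPython's builtin fallback module (_md5, _sha1, ...) instead of OpenSSL. It assumes a CPython build with the _hashlib OpenSSL binding and an OpenSSL 3.x whose FIPS provider is loaded via OPENSSL_CONF.

```python
import hashlib
import os
import ssl
from typing import Optional

try:
    import _hashlib  # CPython's OpenSSL binding; only absent on builds without OpenSSL
except ImportError:
    _hashlib = None

# Digests to probe: MD5 is never FIPS-approved, the others are. Assumption of this
# example: OpenSSL 3.x with the FIPS provider loaded through OPENSSL_CONF.
PROBED_DIGESTS = ("md5", "sha1", "sha256", "sha384", "sha512")


def openssl_digest(name: str, data: bytes) -> Optional[str]:
    """Hash `data` through OpenSSL only, with no CPython fallback.

    Returns the hex digest, or None when the loaded providers refuse `name`
    (_hashlib raises UnsupportedDigestmodError, a ValueError subclass).
    """
    if _hashlib is None:
        return None
    try:
        return _hashlib.new(name, data).hexdigest()
    except ValueError:
        return None


def hashlib_backend(name: str) -> str:
    """Report which module implements hashlib.<name>.

    '_hashlib' means OpenSSL (inside the FIPS boundary); '_md5', '_sha1', ...
    mean CPython's builtin fallback (outside it); 'missing' means hashlib could
    not build the constructor at import; 'rejected' means OpenSSL refused it
    when called.
    """
    ctor = getattr(hashlib, name, None)
    if ctor is None:
        return "missing"
    try:
        return type(ctor()).__module__
    except ValueError:
        return "rejected"


def fips_provider_active() -> bool:
    """True when OpenSSL refuses MD5, the observable symptom of a FIPS-only
    provider configuration. False on a stock (default-provider) OpenSSL."""
    return _hashlib is not None and openssl_digest("md5", b"") is None


def fips_report() -> dict:
    """Everything a pre-deployment check should record, as one dict."""
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "openssl_major": ssl.OPENSSL_VERSION_INFO[0],  # provider model needs 3.x
        "openssl_conf": os.environ.get("OPENSSL_CONF"),  # None: compiled-in default path
        "fips_provider_active": fips_provider_active(),
        "digests": {
            name: {
                "openssl_provides": openssl_digest(name, b"abc") is not None,
                "hashlib_backend": hashlib_backend(name),
            }
            for name in PROBED_DIGESTS
        },
    }


if __name__ == "__main__":
    for key, value in fips_report().items():
        print(f"{key}: {value}")
```

Inside the image the report should show fips_provider_active true and md5 either refused by OpenSSL or served by a builtin fallback; a fallback backend for any digest your application relies on is a finding to fix, not a convenience.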

The Python hashlib module behaves differently in FIPS mode because of OpenSSL's provider restrictions. The constructors hashlib exposes at import time can silently fall back to CPython's builtin digest modules (_md5, _sha1) when OpenSSL refuses the algorithm, so the following calls succeed even though their digests are computed outside the FIPS boundary:

import hashlib

# These succeed only because of CPython's builtin fallback implementations;
# the digests are not produced by the FIPS provider, so these are not
# FIPS-compliant operations. On interpreter builds without the builtin
# modules the constructor is never created and the call raises AttributeError.
hashlib.md5(b"test").hexdigest()
hashlib.sha1(b"test").hexdigest()

Calling the OpenSSL-backed constructors directly bypasses the fallback, so the provider's restrictions are enforced:

import _hashlib

# This raises _hashlib.UnsupportedDigestmodError (a ValueError subclass)
# in FIPS mode, because the FIPS provider does not offer MD5
try:
    _hashlib.openssl_md5(b"test")
except ValueError as e:
    print(f"FIPS restriction: {e}")

To make an application fail loudly instead of silently using a fallback, replace the hashlib constructors with the OpenSSL-backed ones. Do this before any application module runs `from hashlib import md5`, because such a binding keeps whatever object hashlib held at import time; and note that hashlib.new("md5") has a fallback of its own that this replacement does not touch:

import hashlib
import _hashlib

# Force OpenSSL EVP usage for the named hashlib constructors
hashlib.md5 = _hashlib.openssl_md5
hashlib.sha1 = _hashlib.openssl_sha1

# Now these raise _hashlib.UnsupportedDigestmodError (a ValueError subclass)
# whenever the loaded providers do not offer the algorithm
try:
    hashlib.md5(b"test")
except ValueError as e:
    print(f"FIPS enforcement: {e}")
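
As an added example (not the image's or Hardened B.V.'s code), the following generalises the two-line replacement above to every SHA-2 and legacy constructor and to hashlib.new, which has its own builtin fallback. Every path goes through _hashlib.new, and a refusal by the loaded providers surfaces as a typed FIPSViolation that names the algorithm, rather than a bare ValueError or a silently non-compliant digest. The names STRICT_ALGORITHMS, strict_new, install_strict_hashlib and FIPSViolation are this example's own; it assumes CPython's _hashlib binding is present.

```python
import hashlib

import _hashlib  # CPython's OpenSSL binding; in this image OpenSSL carries the FIPS provider

# hashlib constructors whose import-time fallback to CPython's builtin digest
# modules is disabled by install_strict_hashlib().
STRICT_ALGORITHMS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")

_originals = {}  # attribute name -> original hashlib attribute (None if it was absent)


class FIPSViolation(RuntimeError):
    """Raised when code asks for a digest the loaded OpenSSL providers refuse."""


def strict_new(name, data=b"", *, usedforsecurity=True):
    """Drop-in for hashlib.new that never falls back to a builtin implementation.

    _hashlib.new raises UnsupportedDigestmodError (a ValueError subclass) when
    the providers do not offer `name`; re-raise it as a clear, typed error.
    """
    try:
        return _hashlib.new(name, data, usedforsecurity=usedforsecurity)
    except ValueError as exc:
        raise FIPSViolation(
            f"digest {name!r} is not provided by the loaded OpenSSL providers"
        ) from exc


def _strict_constructor(name):
    """Build a hashlib.<name>-style constructor bound to strict_new."""
    def constructor(data=b"", *, usedforsecurity=True):
        return strict_new(name, data, usedforsecurity=usedforsecurity)

    constructor.__name__ = f"strict_{name}"
    return constructor


def digest_available(name: str) -> bool:
    """True if the strict path can construct `name`; False for md5 in FIPS mode."""
    try:
        strict_new(name)
    except FIPSViolation:
        return False
    return True


def install_strict_hashlib() -> list:
    """Replace hashlib.new and the named constructors with OpenSSL-only versions.

    Must run before application modules do `from hashlib import md5`: such
    bindings keep whatever object hashlib held at import time.
    Returns the attribute names that were replaced.
    """
    if _originals:  # already installed
        return sorted(_originals)
    _originals["new"] = hashlib.new
    hashlib.new = strict_new
    for name in STRICT_ALGORITHMS:
        _originals[name] = getattr(hashlib, name, None)
        setattr(hashlib, name, _strict_constructor(name))
    return sorted(_originals)


def uninstall_strict_hashlib() -> None:
    """Restore the original hashlib attributes (for tests and REPL use)."""
    for name, original in _originals.items():
        if original is None:
            delattr(hashlib, name)
        else:
            setattr(hashlib, name, original)
    _originals.clear()


if __name__ == "__main__":
    install_strict_hashlib()
    for name in STRICT_ALGORITHMS:
        state = "available" if digest_available(name) else "REFUSED by provider"
        print(f"{name}: {state}")
```

Call install_strict_hashlib() from the application's entry point, before importing anything that hashes. Objects returned after installation are always _hashlib.HASH instances, which is a cheap thing to assert in a test suite that runs inside the image.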

The ssl module inherits the provider configuration from OpenSSL, so the TLS settings of a default context are already limited to what the FIPS provider can serve. Inspect them with:

import ssl

# Show the minimum TLS version and the names of the cipher suites the context offers
context = ssl.create_default_context()
print(f"Minimum TLS version: {context.minimum_version.name}")
print(f"Cipher suites: {[c['name'] for c in context.get_ciphers()]}")
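
The added example below (not from the image or Hardened B.V.) builds a context whose TLS 1.2 suite list is restricted to (EC)DHE with AES-GCM, which is what the FIPS provider serves anyway, so the application behaves the same inside and outside the image, and audits any context for suites a FIPS provider would not offer. One caveat it makes visible: the ssl module has no API for TLS 1.3 cipher suites, so outside FIPS mode TLS_CHACHA20_POLY1305_SHA256 stays enabled no matter what set_ciphers() is given; inside the image the provider simply lacks ChaCha20 and the suite disappears. NON_FIPS_MARKERS, make_fips_context and audit_context are this example's own names.

```python
import ssl

# Suite-name fragments a FIPS provider cannot serve. Seeing one in get_ciphers()
# means the default provider, not the FIPS provider, is serving TLS.
NON_FIPS_MARKERS = ("CHACHA20", "RC4", "MD5", "DES", "NULL")


def make_fips_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """A context restricted to what the FIPS provider can serve in any case."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: (EC)DHE key exchange with AES-GCM only. This string only
    # governs TLS 1.2; TLS 1.3 suites are whatever the provider offers.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5:!CHACHA20")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Enabled suites a FIPS provider would not offer, split by protocol version."""
    report = {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "tls12_non_fips": [],
        "tls13_non_fips": [],  # outside Python's control; empty only in FIPS mode
    }
    for cipher in ctx.get_ciphers():
        if not any(marker in cipher["name"] for marker in NON_FIPS_MARKERS):
            continue
        key = "tls13_non_fips" if cipher["protocol"] == "TLSv1.3" else "tls12_non_fips"
        report[key].append(cipher["name"])
    return report


if __name__ == "__main__":
    print("default context:", audit_context(ssl.create_default_context()))
    print("hardened context:", audit_context(make_fips_context()))
```

Run the script in the image and on a developer machine: the tls13_non_fips list is the difference between the two, and an empty list is a second independent indication that the FIPS provider is the one serving TLS.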

Verifying Image Signatures

All Hardened B.V. images are signed using cosign. You can verify the signature using the following steps:

Save the public key:

cat >hardened.pub <<EOL
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEbxhUFlXkIIbDzdRAR9rc6kDPNb+k
J48lhqqlOMyiq3jkbKXNj2sEFMduFlNh63MrZA59PKf4TjS1AiCrvaFXNA==
-----END PUBLIC KEY-----
EOL

Verify the image signature:

cosign verify --key hardened.pub registry.hardened.eu/library/python3-fips:latest

The verification will show the signature details and confirm the image's authenticity. Because the latest tag is mutable, record the manifest digest that cosign reports and deploy by that digest (registry.hardened.eu/library/python3-fips@sha256:<digest>) rather than by tag, so the image you run is the one you verified.

To verify the SBOM, run the following command:

cosign verify-attestation --type spdxjson --key hardened.pub registry.hardened.eu/library/python3-fips:latest

To download the SBOM, run the same command and decode it:

cosign verify-attestation --type spdxjson --key hardened.pub registry.hardened.eu/library/python3-fips:latest | jq -r .payload | base64 -d | jq -r .predicate > python3-fips-spdx.json
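
Each line cosign writes to stdout is one DSSE envelope: a base64 payload holding an in-toto statement whose predicate is the SPDX document, plus the signatures cosign has already verified (its status messages go to stderr). The jq pipeline above decodes the predicate but never checks which image the statement is about. The added example below (not cosign's or Hardened B.V.'s code) does the same decoding in Python and adds that check: the statement's subject digest must equal the manifest digest you pulled. The envelope it runs on is constructed inline with a placeholder digest and a minimal SPDX document; build_sample_envelope, extract_spdx_predicate and package_names are this example's own names.

```python
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"  # cosign's predicateType for --type spdxjson


def extract_spdx_predicate(envelope_line: str, expected_digest: str) -> dict:
    """Decode one DSSE envelope line from `cosign verify-attestation`.

    cosign has already checked the signature; this only post-processes its
    output and adds the check the jq pipeline lacks: the statement's subject
    must be the image digest (with or without the "sha256:" prefix) you will run.
    """
    envelope = json.loads(envelope_line)
    payload_type = envelope.get("payloadType")
    if payload_type != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {payload_type!r}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    predicate_type = statement.get("predicateType")
    if predicate_type != SPDX_PREDICATE_TYPE:
        raise ValueError(f"not an SPDX attestation: {predicate_type!r}")
    subject_digests = {
        subject["digest"]["sha256"]
        for subject in statement.get("subject", [])
        if "sha256" in subject.get("digest", {})
    }
    wanted = expected_digest.split(":", 1)[-1]
    if wanted not in subject_digests:
        raise ValueError(
            f"attestation subjects {sorted(subject_digests)} do not include {wanted}"
        )
    return statement["predicate"]


def package_names(predicate: dict) -> list:
    """Package names from an SPDX JSON document, the usual first question asked of an SBOM."""
    return sorted(p.get("name", "") for p in predicate.get("packages", []))


# Constructed sample for offline use: a placeholder digest and a minimal SPDX
# document. Real envelopes come from cosign verify-attestation on the image.
SAMPLE_DIGEST = "sha256:" + "0123456789abcdef" * 4


def build_sample_envelope(digest: str = SAMPLE_DIGEST) -> str:
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [
            {
                "name": "registry.hardened.eu/library/python3-fips",
                "digest": {"sha256": digest.split(":", 1)[-1]},
            }
        ],
        "predicateType": SPDX_PREDICATE_TYPE,
        "predicate": {
            "spdxVersion": "SPDX-2.3",
            "name": "sample-sbom",
            "packages": [{"name": "example-pkg", "versionInfo": "1.0"}],
        },
    }
    envelope = {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"keyid": "", "sig": "constructed-not-a-real-signature"}],
    }
    return json.dumps(envelope)


if __name__ == "__main__":
    predicate = extract_spdx_predicate(build_sample_envelope(), SAMPLE_DIGEST)
    print(package_names(predicate))
```

With real input, pass each stdout line of the cosign command to extract_spdx_predicate together with the digest printed by docker pull; a ValueError there means the SBOM you decoded describes a different image than the one you are about to run.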

Trademarks

This software is packaged by Hardened B.V. All trademarks are property of their respective owners. Use of these images does not imply any affiliation or endorsement.