7:03, EET
March 18, 2020
Bouncy Castle has released FIPS complaint jars
Refer the below link:
https://www.bouncycastle.org/fips-java/
We see that the Java SDK (OPC UA Java client) still depends on the non FIPS complaint bouncy castle libraries.
We would like to know if there is a roadmap to remove non FIPS bouncy castle libraries and support new FIPS compliant bouncy castle libraries and know the timelines for it.
13:49, EET
December 21, 2011
Thank you for a good question and bringing out this requirement.
We had not been aware of the FIPS version of Bouncy Castle so far, so we will have to take a closer look at them. The first impression is that we should be able to support them with rather small modifications.
We won’t be able to remove support for the non-FIPS version, but since we have a flexible CryptoProvider model, we can add support for the FIPS as an alternative that you can choose from. At best it would work automatically depending on which libraries are available on the class path. Similar that we are supporting Spongy Castle for Android at the moment.
How soon would you need this?
8:03, EET
March 18, 2020
Thanks for the quick reply Jouni. Basically FIPS bouncy castle introduces a new provider and there are some changes in the packaging structure.
The solution proposed by you would help us. We would need to keep only FIPS bouncy castle libraries in the class path and avoid bundling non FIPS bouncy castle libraries.
We are already in the process of removing non FIPS bouncy castle library dependencies in our project. We are unable to do it completely as OPC UA client still needs non FIPS bouncy castle libraries.
It would be helpful if you can make the changes at the earliest. Please provide an estimated date when we can expect the changes.
15:13, EET
December 21, 2011
18:20, EET
March 18, 2020
13:36, EEST
April 3, 2012
We now have a beta build that should be able to work with BC FIPS, within some limitations. Sending beta link via email.
Also mentioning here some general about the limitations, just in case someone else needs this until we have a proper documentation.
You must set the java system property “org.bouncycastle.rsa.allow_multi_use” to “true” in order for it to work. This can be done by example by starting the jvm with the flag “-Dorg.bouncycastle.rsa.allow_multi_use=true”. There is no way around this that I would be aware of. Not sure how relevant that is to you. This is because OPC UA uses the same key for signing and encrypting, which by default is not allowed by the BC FIPS.
Additionally you most likely need at least Java 8 in order for it to work, per https://www.bouncycastle.org/fips_faq.html it is certified for 1.7 and 1.8. We were not able to get it to run within Java 6. However Java 11 from AdoptOpenJDK did also work. Note that we made minimalistic testing at this point, but a sign&encrypt connection works between sampleconsoleclient and sampleconsoleserver.
Additionally, the bc-fips jar appears to be a so called “Multi-Release” jar. By that mechanism it has a “module-info.class” for Java 9+. IF run within a system that would look at META-INF for data, it might not work if the system is not aware of multi-release jars (and in practice thus Java 9+ aware). Normal java launching commands should be fine, but e.g. some older versions of GlassFish are not (https://stackoverflow.com/questions/50139267/exception-while-glassfish-server-started/50139449).
Most Users Ever Online: 1919
Currently Online:
50 Guest(s)
Currently Browsing this Page:
1 Guest(s)
Top Posters:
Heikki Tahvanainen: 402
hbrackel: 144
rocket science: 88
pramanj: 86
Francesco Zambon: 83
Ibrahim: 78
Sabari: 62
kapsl: 57
gjevremovic: 49
Xavier: 43
Member Stats:
Guest Posters: 0
Members: 734
Moderators: 7
Admins: 1
Forum Stats:
Groups: 3
Forums: 15
Topics: 1523
Posts: 6449
Newest Members:
christamcdowall, redaahern07571, nigelbdhmp, travistimmons, AnnelCib, dalenegettinger, howardkennerley, Thomassnism, biancacraft16, edgardo3518Moderators: Jouni Aro: 1026, Pyry: 1, Petri: 0, Bjarne Boström: 1026, Jimmy Ni: 26, Matti Siponen: 346, Lusetti: 0
Administrators: admin: 1