Avatar

Please consider registering
guest

sp_LogInOut Log In sp_Registration Register

Register | Lost password?
sp_Search Search
Advanced Search
Advanced Search

— Forum Scope —




— Match —





— Forum Options —





Minimum search word length is 3 characters - maximum search word length is 84 characters

sp_Search Search
Go to Bottom
No permission to create posts
sp_Feed Topic RSS sp_TopicIcon
Support for FIPS compliant Bouncy Castle
March 18, 2020
7:03, EET
Avatar
Joel Mariadasan
Bangalore
Member
Members
Forum Posts: 3
Member Since:
March 18, 2020
sp_UserOfflineSmall Offline
Go to Top
1sp_Permalink sp_Print

Bouncy Castle has released FIPS complaint jars
Refer the below link:
https://www.bouncycastle.org/fips-java/

We see that the Java SDK (OPC UA Java client) still depends on the non FIPS complaint bouncy castle libraries.

We would like to know if there is a roadmap to remove non FIPS bouncy castle libraries and support new FIPS compliant bouncy castle libraries and know the timelines for it.

March 18, 2020
13:49, EET
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1010
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline
sp_UserWebsite
Go to Top
2sp_Permalink sp_Print

Thank you for a good question and bringing out this requirement.

We had not been aware of the FIPS version of Bouncy Castle so far, so we will have to take a closer look at them. The first impression is that we should be able to support them with rather small modifications.

We won’t be able to remove support for the non-FIPS version, but since we have a flexible CryptoProvider model, we can add support for the FIPS as an alternative that you can choose from. At best it would work automatically depending on which libraries are available on the class path. Similar that we are supporting Spongy Castle for Android at the moment.

How soon would you need this?

March 19, 2020
8:03, EET
Avatar
Joel Mariadasan
Bangalore
Member
Members
Forum Posts: 3
Member Since:
March 18, 2020
sp_UserOfflineSmall Offline
Go to Top
3sp_EditHistory sp_Permalink sp_Print

Thanks for the quick reply Jouni. Basically FIPS bouncy castle introduces a new provider and there are some changes in the packaging structure.

The solution proposed by you would help us. We would need to keep only FIPS bouncy castle libraries in the class path and avoid bundling non FIPS bouncy castle libraries.

We are already in the process of removing non FIPS bouncy castle library dependencies in our project. We are unable to do it completely as OPC UA client still needs non FIPS bouncy castle libraries.

It would be helpful if you can make the changes at the earliest. Please provide an estimated date when we can expect the changes.

March 19, 2020
15:13, EET
Avatar
Jouni Aro
Moderator
Moderators
Forum Posts: 1010
Member Since:
December 21, 2011
sp_UserOfflineSmall Offline
sp_UserWebsite
Go to Top
4sp_Permalink sp_Print

We are working on 4.3.0 release at the moment. When that is done, we can try to integrate this one in. I will let you know when we get something to try out. Hopefully in the coming weeks.

March 23, 2020
18:20, EET
Avatar
Joel Mariadasan
Bangalore
Member
Members
Forum Posts: 3
Member Since:
March 18, 2020
sp_UserOfflineSmall Offline
Go to Top
5sp_Permalink sp_Print

Thanks for the update !!!

April 1, 2020
13:36, EEST
Avatar
Bjarne Boström
Moderator
Moderators
Forum Posts: 983
Member Since:
April 3, 2012
sp_UserOfflineSmall Offline
Go to Top
6sp_Permalink sp_Print

We now have a beta build that should be able to work with BC FIPS, within some limitations. Sending beta link via email.

Also mentioning here some general about the limitations, just in case someone else needs this until we have a proper documentation.

You must set the java system property “org.bouncycastle.rsa.allow_multi_use” to “true” in order for it to work. This can be done by example by starting the jvm with the flag “-Dorg.bouncycastle.rsa.allow_multi_use=true”. There is no way around this that I would be aware of. Not sure how relevant that is to you. This is because OPC UA uses the same key for signing and encrypting, which by default is not allowed by the BC FIPS.

Additionally you most likely need at least Java 8 in order for it to work, per https://www.bouncycastle.org/fips_faq.html it is certified for 1.7 and 1.8. We were not able to get it to run within Java 6. However Java 11 from AdoptOpenJDK did also work. Note that we made minimalistic testing at this point, but a sign&encrypt connection works between sampleconsoleclient and sampleconsoleserver.

Additionally, the bc-fips jar appears to be a so called “Multi-Release” jar. By that mechanism it has a “module-info.class” for Java 9+. IF run within a system that would look at META-INF for data, it might not work if the system is not aware of multi-release jars (and in practice thus Java 9+ aware). Normal java launching commands should be fine, but e.g. some older versions of GlassFish are not (https://stackoverflow.com/questions/50139267/exception-while-glassfish-server-started/50139449).

No permission to create posts
sp_Feed All RSS
Go to top
Forum Timezone: Europe/Helsinki

Most Users Ever Online: 518

Currently Online:
20 Guest(s)

Currently Browsing this Page:
1 Guest(s)

Top Posters:

hbrackel: 135

pramanj: 86

Francesco Zambon: 81

rocket science: 77

Ibrahim: 76

Sabari: 62

kapsl: 57

gjevremovic: 49

Xavier: 43

fred: 41

Member Stats:

Guest Posters: 0

Members: 681

Moderators: 16

Admins: 1

Forum Stats:

Groups: 3

Forums: 15

Topics: 1467

Posts: 6261

Newest Members:

graciela2073, sagarchau, elviralangwell4, Donnavek, Eddiefauth, DonaldPooma, fidelduke938316, Jan-Pfizer, DavidROunc, fen.pang@woodside.com

Moderators: Jouni Aro: 1010, Otso Palonen: 32, Tuomas Hiltunen: 5, Pyry: 1, Petri: 0, Bjarne Boström: 983, Heikki Tahvanainen: 402, Jukka Asikainen: 1, moldzh08: 0, Jimmy Ni: 26, Teppo Uimonen: 21, Markus Johansson: 42, Niklas Nurminen: 0, Matti Siponen: 321, Lusetti: 0, Ari-Pekka Soikkeli: 5

Administrators: admin: 1