Support for FIPS compliant Bouncy Castle
March 18, 2020, 7:03 EEST
Joel Mariadasan (Bangalore), Member, Forum Posts: 3, Member Since: March 18, 2020

Bouncy Castle has released FIPS-compliant jars.
Refer to the link below:
https://www.bouncycastle.org/fips-java/

We see that the Java SDK (OPC UA Java client) still depends on the non-FIPS-compliant Bouncy Castle libraries.

We would like to know if there is a roadmap to remove the non-FIPS Bouncy Castle libraries and support the new FIPS-compliant Bouncy Castle libraries, and to know the timelines for it.

March 18, 2020, 13:49 EEST
Jouni Aro, Moderator, Forum Posts: 846, Member Since: December 21, 2011

Thank you for a good question and for bringing out this requirement.

We had not been aware of the FIPS version of Bouncy Castle so far, so we will have to take a closer look at them. The first impression is that we should be able to support them with rather small modifications.

We won’t be able to remove support for the non-FIPS version, but since we have a flexible CryptoProvider model, we can add support for the FIPS version as an alternative that you can choose from. At best it would work automatically depending on which libraries are available on the class path, similarly to how we are supporting Spongy Castle for Android at the moment.

How soon would you need this?

March 19, 2020, 8:03 EEST
Joel Mariadasan (Bangalore), Member, Forum Posts: 3, Member Since: March 18, 2020

Thanks for the quick reply, Jouni. Basically, FIPS Bouncy Castle introduces a new provider and there are some changes in the packaging structure.

The solution proposed by you would help us. We would need to keep only the FIPS Bouncy Castle libraries in the class path and avoid bundling non-FIPS Bouncy Castle libraries.

We are already in the process of removing non-FIPS Bouncy Castle library dependencies in our project. We are unable to do it completely, as the OPC UA client still needs non-FIPS Bouncy Castle libraries.

It would be helpful if you can make the changes at the earliest. Please provide an estimated date when we can expect the changes.

March 19, 2020, 15:13 EEST
Jouni Aro, Moderator, Forum Posts: 846, Member Since: December 21, 2011

We are working on the 4.3.0 release at the moment. When that is done, we can try to integrate this one in. I will let you know when we get something to try out. Hopefully in the coming weeks.

March 23, 2020, 18:20 EEST
Joel Mariadasan (Bangalore), Member, Forum Posts: 3, Member Since: March 18, 2020

Thanks for the update!!!

April 1, 2020, 13:36 EEST
Bjarne Boström, Moderator, Forum Posts: 522, Member Since: April 3, 2012

We now have a beta build that should be able to work with BC FIPS, within some limitations. Sending beta link via email.

Also mentioning here some general points about the limitations, just in case someone else needs this until we have proper documentation.

You must set the Java system property “org.bouncycastle.rsa.allow_multi_use” to “true” in order for it to work. This can be done, for example, by starting the JVM with the flag “-Dorg.bouncycastle.rsa.allow_multi_use=true”. There is no way around this that I would be aware of. Not sure how relevant that is to you. This is because OPC UA uses the same key for signing and encrypting, which by default is not allowed by BC FIPS.

Additionally, you most likely need at least Java 8 in order for it to work; per https://www.bouncycastle.org/fips_faq.html it is certified for 1.7 and 1.8. We were not able to get it to run within Java 6. However, Java 11 from AdoptOpenJDK did also work. Note that we have done only minimal testing at this point, but a sign&encrypt connection works between sampleconsoleclient and sampleconsoleserver.

Additionally, the bc-fips jar appears to be a so-called “Multi-Release” jar. By that mechanism it has a “module-info.class” for Java 9+. If run within a system that would look at META-INF for data, it might not work if the system is not aware of multi-release jars (and in practice thus not Java 9+ aware). Normal Java launching commands should be fine, but e.g. some older versions of GlassFish are not (https://stackoverflow.com/questions/50139267/exception-while-glassfish-server-started/50139449).
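A preflight check for the single-key limitation described in the post above, added here as an illustration and not code from the SDK or from Bouncy Castle: it loads the BC FIPS provider, signs with a freshly generated RSA private key and then tries to OAEP-decrypt with that same key, which is what an OPC UA application-instance certificate key has to do. The class name, the 2048-bit key size and the test message are assumptions; the property name is the one from the post, and the check is meant to be run once with and once without the -D flag.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

// Hypothetical class name. Run as:
//   java -Dorg.bouncycastle.rsa.allow_multi_use=true BcFipsMultiUseCheck
// and once more without the flag to see BC FIPS reject the second key usage.
public class BcFipsMultiUseCheck {

    static final String PROP = "org.bouncycastle.rsa.allow_multi_use";
    static final String OAEP = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleFipsProvider());
        System.out.println(PROP + " = " + System.getProperty(PROP));

        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BCFIPS");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // 1) Sign with the private key, as the SDK does for signed messages.
        Signature sig = Signature.getInstance("SHA256withRSA", "BCFIPS");
        sig.initSign(kp.getPrivate());
        sig.update("constructed test message".getBytes(StandardCharsets.UTF_8));
        System.out.println("signature ok, " + sig.sign().length + " bytes");

        // 2) Use the same key pair for OAEP encryption and decryption, as the
        //    SDK does when exchanging secure-channel nonces.
        try {
            byte[] nonce = new byte[32]; // constructed 32-byte placeholder nonce
            Cipher enc = Cipher.getInstance(OAEP, "BCFIPS");
            enc.init(Cipher.ENCRYPT_MODE, kp.getPublic());
            byte[] wrapped = enc.doFinal(nonce);
            Cipher dec = Cipher.getInstance(OAEP, "BCFIPS");
            dec.init(Cipher.DECRYPT_MODE, kp.getPrivate());
            dec.doFinal(wrapped);
            System.out.println("same key signed and decrypted: JVM is usable for OPC UA");
        } catch (Exception e) {
            // Without the property BC FIPS refuses the second usage of the key.
            // The exception class is not stated in the post, so catch broadly.
            System.out.println("dual use rejected (" + e + "); start the JVM with -D" + PROP + "=true");
        }
    }
}
```

Compile against bc-fips on the class path with no non-FIPS bcprov jar present, so the check also confirms that the SDK's other dependencies do not pull the classic provider back in.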
