SunJSSE and SunPKCS11 (NSS + FIPS)

Martin Balao mbalao at redhat.com
Wed Mar 13 16:03:45 UTC 2019


Hi Xuelei,

On 3/13/19 11:05 AM, Xuelei Fan wrote:
> To use FIPS mode JCE provider, an application could:
> 1. implement the required algorithm in the FIPS mode JCE provider.
> 2. don't use those algorithms that are outside the scope of the FIPS mode JCE
> provider (restrict them).
> 

Yes, there could be a 3rd party JCE provider that implements all the
required algorithms and does not even need any other OpenJDK provider to
be enabled. When it comes to OpenJDK-only providers, the current way to
operate in FIPS is through SunPKCS11. SunPKCS11 alone is not enough for
a TLS engine because X.509 (CertificateFactory) is not supported. We
need the SUN provider to be enabled too.

With regard to #2, yes: we can do that. My point, though, is that this is
not an easy and reliable user interface to provide FIPS mode in OpenJDK,
but a workaround. The list of algorithms wouldn't even be fixed. Despite
its drawbacks, the experimental SunJSSE FIPS mode provided a straight
path to this use-case.

I'm not advocating for re-introducing the whole SunJSSE FIPS feature but
wish we could discuss something for providing better support for this
use-case.

Kind regards,
Martin.-
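
The check below is an added example, not part of the original message and not OpenJDK code. It reports which installed providers serve each service and where an approved-provider set leaves a gap, such as the X.509 CertificateFactory mentioned above. The service list is an assumed sample, and the approved provider names are whatever is passed on the command line.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class ProviderCoverage {
    // Assumed sample of JCA services a TLS engine requests; not an exhaustive list.
    static final String[][] NEEDED = {
        {"CertificateFactory", "X.509"},
        {"KeyStore", "PKCS12"},
        {"MessageDigest", "SHA-256"},
        {"Signature", "SHA256withRSA"},
        {"Cipher", "AES/GCM/NoPadding"},
        {"KeyAgreement", "ECDH"},
        {"KeyPairGenerator", "EC"},
    };

    // Names of installed providers that register the given service, in preference order.
    static List<String> suppliers(String type, String algorithm) {
        List<String> names = new ArrayList<>();
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, algorithm) != null) {
                names.add(p.getName());
            }
        }
        return names;
    }

    public static void main(String[] args) {
        // args: provider names treated as approved, as printed by Provider.getName().
        Set<String> approved = new HashSet<>(Arrays.asList(args));
        for (String[] s : NEEDED) {
            List<String> all = suppliers(s[0], s[1]);
            List<String> ok = new ArrayList<>(all);
            ok.retainAll(approved);
            List<String> other = new ArrayList<>(all);
            other.removeAll(approved);
            // GAP: no approved provider offers the service, so another one would serve it.
            String status = ok.isEmpty() ? "GAP" : "ok ";
            System.out.printf("%s %-18s %-18s approved=%s other=%s%n",
                    status, s[0], s[1], ok, other);
        }
    }
}
```

Run it with the same java.security configuration as the application, passing the approved provider names as arguments.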