SunJSSE and SunPKCS11 (NSS + FIPS)
Xuelei Fan
xuelei.fan at oracle.com
Wed Mar 13 19:00:19 UTC 2019
I see your points. Enabling both Sun and a FIPS mode JCE provider could
be challenging.
It might be a solution to separate the X.509 services from the Sun provider.
Xuelei
On 3/13/2019 9:03 AM, Martin Balao wrote:
> Hi Xuelei,
>
> On 3/13/19 11:05 AM, Xuelei Fan wrote:
>> To use FIPS mode JCE provider, an application could:
>> 1. implement the required algorithm in the FIPS mode JCE provider.
>> 2. don't use those algorithms that are outside the scope of the FIPS mode JCE
>> provider (restrict them).
>>
>
> Yes, there could be a 3rd party JCE provider that implements all the
> required algorithms and does not even need any other OpenJDK provider to
> be enabled. When it comes to OpenJDK-only providers, the current way to
> operate in FIPS is through SunPKCS11. SunPKCS11 alone is not enough for
> a TLS engine because X.509 (CertificateFactory) is not supported. We
> need SUN provider to be enabled too.
>
> In regards to #2, yes: we can do that. My point, though, is that this is
> not an easy and reliable user interface to provide FIPS mode in OpenJDK,
> but a workaround. The list of algorithms wouldn't even be fixed. Despite
> its drawbacks, the experimental SunJSSE FIPS mode provided a straight
> path to this use-case.
>
> I'm not advocating for re-introducing the whole SunJSSE FIPS feature but
> wish we could discuss something for providing better support for this
> use-case.
>
> Kind regards,
> Martin.-
>
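An added example, not from this thread or from OpenJDK, illustrating the configuration Martin describes: SunPKCS11 backed by NSS in FIPS mode is placed first, and the program audits which provider would actually serve each service the TLS stack needs, so the ones outside the FIPS module (item 2 above) become visible. The NSS config path, the `NSSfips` name and the list of service/algorithm pairs are assumptions.

```java
import java.security.Provider;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Audit provider resolution after installing SunPKCS11 (NSS, FIPS mode)
 * at position 1. Assumed NSS config file (hypothetical path), e.g.:
 *   name = NSSfips
 *   nssLibraryDirectory = /usr/lib64
 *   nssSecmodDirectory = /etc/pki/nssdb
 *   nssModule = fips
 */
public class FipsProviderAudit {
    // Constructed list of services a TLS engine needs. X.509 parsing is
    // expected to come from SUN, since SunPKCS11 does not provide it.
    static final Map<String, String> WANTED = new LinkedHashMap<>();
    static {
        WANTED.put("MessageDigest", "SHA-256");
        WANTED.put("Cipher", "AES/GCM/NoPadding");
        WANTED.put("KeyAgreement", "ECDH");
        WANTED.put("Signature", "SHA256withRSA");
        WANTED.put("KeyStore", "PKCS11");
        WANTED.put("CertificateFactory", "X.509");
    }

    public static void main(String[] args) throws Exception {
        String cfg = args.length > 0 ? args[0] : "/etc/nss-fips.cfg"; // assumed
        // JDK 9+: the unconfigured SunPKCS11 is configured via a config file;
        // the configured provider is named "SunPKCS11-<name from config>".
        Provider pkcs11 = Security.getProvider("SunPKCS11").configure(cfg);
        Security.insertProviderAt(pkcs11, 1);

        for (Map.Entry<String, String> e : WANTED.entrySet()) {
            Provider p = resolve(e.getKey(), e.getValue());
            String name = (p == null) ? "(none)" : p.getName();
            boolean fromFips = p != null && p.getName().equals(pkcs11.getName());
            boolean x509Parsing = "CertificateFactory".equals(e.getKey());
            String verdict = fromFips ? "FIPS module"
                           : x509Parsing ? "non-crypto (SUN), expected"
                           : "OUTSIDE FIPS MODULE - restrict";
            System.out.printf("%-19s %-20s -> %-18s %s%n",
                              e.getKey(), e.getValue(), name, verdict);
        }
    }

    // First provider in the installed order that advertises the service,
    // i.e. the one getInstance(alg) would pick without a provider argument.
    static Provider resolve(String type, String alg) {
        for (Provider p : Security.getProviders()) {
            if (p.getService(type, alg) != null) return p;
        }
        return null;
    }
}
```

Any line reported as outside the FIPS module is an algorithm the application must avoid or remove from the provider list by hand, which is the fragile part of the workaround the thread is about.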