Using BouncyCastle FIPS for Java FIPS support

How do you use BC FIPS in Java app?

I’ve been trying recently to use BC FIPS module in my Java app. Turns out – not as simple as you’d think.
The problems I faced were mainly with the keystore format, but other issues came up as well.

1. Download the bc-fips-1.0.0.jar (download latest and greatest from here) file
2. Place it in jre/lib/ext
3. Edit jre/lib/security/java.security file. Edit the following line:
security.provider.4=com.sun.net.ssl.internal.ssl.Provider BCFIPS
4. Edit jre/lib/security/java.security file. Add the following line:
security.provider.11=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
(Make sure you use the right numbering. It should be consecutive)
5. Create your keystore:
keytool -genkey -storetype BCFKS -alias mykey -keyalg RSA -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -storepass test123 -keystore test_fips
Of course, you can change the parameters are you need
6. Add the following line in your code (I prefer that over the java.security changes)
new com.sun.net.ssl.internal.ssl.Provider("BCFIPS");
7. If your code requires specifying the keystore type, use the following constant – BCFKS

You should be OK…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s