Using BouncyCastle FIPS for Java FIPS support

How do you use BC FIPS in Java app?

I’ve been trying recently to use BC FIPS module in my Java app. Turns out – not as simple as you’d think.
The problems I faced were mainly with the keystore format, but other issues came up as well.

1. Download the bc-fips-1.0.0.jar (download latest and greatest from here) file
2. Place it in jre/lib/ext
3. Edit jre/lib/security/java.security file. Edit the following line:
security.provider.4=com.sun.net.ssl.internal.ssl.Provider BCFIPS
4. Edit jre/lib/security/java.security file. Add the following line:
security.provider.11=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
(Make sure you use the right numbering. It should be consecutive)
5. Create your keystore:
keytool -genkey -storetype BCFKS -alias mykey -keyalg RSA -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -storepass test123 -keystore test_fips
Of course, you can change the parameters are you need
6. Add the following line in your code (I prefer that over the java.security changes)
new com.sun.net.ssl.internal.ssl.Provider("BCFIPS");
7. If your code requires specifying the keystore type, use the following constant – BCFKS

You should be OK…

Leave a Reply

Your email address will not be published. Required fields are marked *