5

After Java 12, the internal package com.sun.net.ssl is removed. Is there any way that allows me to programmatically check if FIPS is enabled on the JVM?

user1684651
  • Could you explain in a bit more detail what you want to check? Which check did you do until Java 12? – SubOptimal Feb 18 '20 at 12:30
  • Isn't that enough? https://docs.oracle.com/middleware/1213/wls/SECMG/fips.htm#SECMG773 But please provide more context on how you were checking this before and what exactly you need. – GotoFinal Feb 18 '20 at 17:23
  • @GotoFinal If this is really what the @user1684651 wants to achieve he shouldn't bother about it when he is using Java >= 1.8.0_161. It's enabled by default (possible exceptions are mentioned on the bug report) https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8170157 and can be checked easily with e.g. `Cipher.getMaxAllowedKeyLength("AES")` if the result is > 128 then Java Cryptography Extension (JCE) Unlimited Strength is enabled. Which still would leave the question what is the relation to Java > 12 in the question. – SubOptimal Feb 18 '20 at 20:37

1 Answer

2

You can use the java.security.Security class, which centralizes security configurations and providers, and then check if a FIPS provider is registered.

Javadoc: Security

You can iterate over security providers and check if you have a FIPS provider, e.g. BouncyCastleFipsProvider or any other FIPS provider.

Also, you can check if you have the SunJSSE FIPS in compliant mode (SunPKCS11-NSS provider). Bear in mind that the SunJSSE FIPS compliant mode is being removed in JDK13 and, as the comments say, the provider is available until Java 13 but since Java 9 it probably won't work properly. It is a point to consider and test.

Javadoc: Provider

For example:

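```java
import java.security.Provider;
import java.security.Security;

static boolean hasFipsProvider() {
    for (Provider p : Security.getProviders()) {
        if (p.getName().contains("Fips")) return true; // provider name contains "Fips"
    }
    return false;
}
```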

Hope it helps.

Justin Ethier
Ariel Carrera
  • 1
    Based on [JDK-8217835](https://bugs.openjdk.java.net/browse/JDK-8217835) for provider `SunPKCS11-NSS` the `SunJSSE FIPS compliant mode` was not usable since Java 9. Or is the bug unrelated in this case? – SubOptimal Feb 24 '20 at 12:31
  • 1
    @SubOptimal after the Java 9 redesign, it has some bugs (e.g. https://bugs.openjdk.java.net/browse/JDK-8161536). The provider is available until Java 13 but it probably won’t work properly. It’s a point to consider – Ariel Carrera Feb 24 '20 at 17:36
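
An added example, not code from the answer or its author: the provider scan described in the answer, extended to match "fips" case-insensitively (so all-uppercase names such as `BCFIPS` are caught) and to report each match's position in the preference order. `FipsProviderCheck`, `DemoProvider` and the name `DemoFIPS` are constructed for this illustration, and the `Provider(String, String, String)` constructor assumes Java 9 or later.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class FipsProviderCheck {

    /** Constructed stand-in so the demo has something to find; not a real FIPS module. */
    static final class DemoProvider extends Provider {
        DemoProvider() {
            super("DemoFIPS", "1.0", "Constructed provider for this example only");
        }
    }

    /** Returns "position:name" for each registered provider whose name contains "fips", ignoring case. */
    static List<String> findFipsProviders() {
        List<String> hits = new ArrayList<>();
        Provider[] providers = Security.getProviders(); // returned in preference order
        for (int i = 0; i < providers.length; i++) {
            String name = providers[i].getName();
            if (name.toLowerCase(Locale.ROOT).contains("fips")) {
                hits.add((i + 1) + ":" + name);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        System.out.println("Before registration: " + findFipsProviders());

        // Register the constructed provider at the end of the provider list.
        Security.addProvider(new DemoProvider());
        List<String> hits = findFipsProviders();
        System.out.println("After registration:  " + hits);

        // A match at a position other than 1 means default getInstance() lookups
        // may still be served by an earlier, non-FIPS provider.
        for (String hit : hits) {
            if (!hit.startsWith("1:")) {
                System.out.println("Note: " + hit + " is registered but not first in preference order");
            }
        }
    }
}
```

A name match only shows that a provider is registered; it does not show that the provider is validated or that every algorithm lookup is served by it.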