0

I need to use "SunJGSS" as one of the security providers in a FIPS environment. Is there a FIPS version of the "SunJGSS" Provider or if the underlying JCE/JCA is a FIPS provider meant to use the FIPS crypto impl and qualify to be a FIPS provider?

TIA

Kedarnath
  • 260
  • 1
  • 3
  • 13
  • The latter. FIPS140 applies only to implementation of cryptographic primitives; higher-level protocols such as GSS, SASL, TLS and XML among the Java providers -- and SSH, PGP, SMIME, JOSE etc outside -- must (on a govt system) _use_ FIPS but are not themselves tested or validated. It's at best debatable if this is about programming, and would probably be better on crypto.SX or security.SX. – dave_thompson_085 May 08 '23 at 18:37
  • Thanks so much @dave_thompson_085 for the info. Is there any official FIPS/Java documentation supporting the claim that you can point me to? I could not find that. – Kedarnath May 09 '23 at 17:43
  • For the functions that can be validated in a FIPS140 module, see SP800-140C and D linked from https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-3-standards; you'll see they are all primitives (cipher, signature, hash/XOF, MAC, RBG) and 'parameter' (which in this context means key) generation. Official 'Java' (i.e. JLS+library spec and TCK) doesn't include crypto at all; OpenJDK (which is the de facto Java standard since things like Apple's variant and gcj fell by the wayside) doesn't include any FIPS except that SunPKCS11 can _interface to_ a PKCS11 module ... – dave_thompson_085 May 11 '23 at 07:46
  • ... that is validated -- see https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-85EA1017-E59C-49B9-9207-65B7B2BF171E for one example -- and this can provide only the functions defined in the PKCS11 interface and those are all primitives, though a broader set of primitives (especially ciphers) than allowed in FIPS140. – dave_thompson_085 May 11 '23 at 07:49

0 Answers0