Can I set FIPS mode globally?

Can I set FIPS mode globally?

Ernie Kovak
Hello -

I've searched the archive, and I find no information on whether or not approved mode can be set on all threads by default. I'm running in tomcat without a security manager, but would still like to have all threads in approved mode.

Any suggestions?

Thanks!
Ernie
RE: Can I set FIPS mode globally?

Arnold Geels
Hi Ernie,

You can set the system property "org.bouncycastle.fips.approved_only".  Look in org.bouncycastle.crypto.CryptoServicesRegistrar.java for details.

HTH,

Arnold.


From: Ernie Kovak [mailto:[hidden email]]
Sent: Monday, February 25, 2019 22:14
To: [hidden email]
Subject: [dev-crypto] Can I set FIPS mode globally?

RE: Can I set FIPS mode globally?

James Bloom
Hello,

Using the bc-fips 1.02, I am attempting to set the fips approved mode
globally by passing it in as an argument to the jar:

-Dorg.bouncycastle.fips.approved_only=true

I programmatically insert the BC JSSE Provider in FIPS configuration:

    // install the provider at the top
    Provider jsseProv = new BouncyCastleJsseProvider("fips:BCFIPS");
    int position = Security.insertProviderAt(jsseProv, 2);

And then attempt to verify that the property is set globally:

    LOGGER.info("approved mode set: {}",
        Properties.isOverrideSet("org.bouncycastle.fips.approved_only"));
    LOGGER.info("property: {}",
        System.getProperty("org.bouncycastle.fips.approved_only"));
    LOGGER.info("fips ready: {}", FipsStatus.isReady());
    LOGGER.info("approved mode: {}",
        CryptoServicesRegistrar.isInApprovedOnlyMode());

I feel like I'm missing something extremely simple because the output of the
logs is always:

        approved mode set: true
        property: true
        fips ready: true
        approved mode: false

I'm running on Windows 10, Java 1.8.0_152, and using IntelliJ if that helps
reproduce the issue.  No security manager is set.  Looking at the .class
files, there doesn't seem to be anything complicated in getDefaultMode so
I'm unsure where the disconnect is.

I can explicitly call CryptoServicesRegistrar.setApprovedOnlyMode(true); but
then all other threads will throw the unapproved error:

org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: Attempt to use
approved implementation in unapproved thread: SHA-512

Any help or support you can provide would be most appreciated.

Cheers,
  James



--
Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html
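Added example, not code from the thread or from Bouncy Castle: a small Java program showing that CryptoServicesRegistrar.setApprovedOnlyMode applies only to the calling thread (which is why other threads in James's post hit FipsUnapprovedOperationError), together with a ThreadFactory that switches each pool thread into approved-only mode before it runs a task and a guard to call ahead of any operation that must be approved. It assumes the bc-fips jar is on the classpath; the provider registration, the thread names and the helper names are my own choices.

```java
import java.security.Security;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ThreadFactory;

import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.crypto.fips.FipsStatus;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

public class ApprovedModePerThread {

    // Assumed approach: a factory that puts every pool thread into
    // approved-only mode before the submitted task starts, so the mode
    // does not depend on the caller having set it.
    static ThreadFactory approvedOnlyFactory() {
        return r -> new Thread(() -> {
            CryptoServicesRegistrar.setApprovedOnlyMode(true);
            r.run();
        }, "approved-worker");
    }

    // Guard for code paths that must only run with approved algorithms.
    static void requireApprovedMode() {
        if (!FipsStatus.isReady() || !CryptoServicesRegistrar.isInApprovedOnlyMode()) {
            throw new IllegalStateException("thread " + Thread.currentThread().getName()
                + " is not in approved-only mode");
        }
    }

    public static void main(String[] args) throws Exception {
        Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
        Callable<Boolean> probe = CryptoServicesRegistrar::isInApprovedOnlyMode;

        // The mode set here is thread-local: it is seen by the main thread only.
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
        System.out.println("main thread approved: " + probe.call());

        // A thread from an ordinary pool runs in whatever default mode the
        // org.bouncycastle.fips.approved_only property established, not in
        // the mode set on the main thread.
        ExecutorService plain = Executors.newSingleThreadExecutor();
        System.out.println("plain pool approved: " + plain.submit(probe).get());
        plain.shutdown();

        // A thread from the approved-only pool has the mode set before work runs.
        ExecutorService approved = Executors.newSingleThreadExecutor(approvedOnlyFactory());
        System.out.println("approved pool approved: " + approved.submit(probe).get());
        approved.submit(() -> { requireApprovedMode(); return null; }).get();
        approved.shutdown();
    }
}
```

In a container such as Tomcat the request threads come from the container's own pool, so the guard is the part that carries over: calling it at the start of a request surfaces a thread that is not in approved-only mode before any unapproved operation runs.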