FIPS Certification


FIPS Certification

Spaulding
On the website, it states:
News: bc-fips-1.0.1.jar has now been certified and has been assigned the certificate number 3152. 

Does this mean the other bc-fips-1.0.1 jars are NOT certified?  For example, bcpkix-fips-1.0.1.jar, bcmail-fips-1.0.1.jar or any of the others?

I need to be using a FIPS certified product, and have a need for password encrypted certs, signing, and verification.

Thanks!

Re: FIPS Certification

David Hook-3

At the risk of sounding like I've gone to the dark side, you really want to get a support contract if you're going to start worrying about things like this!

In general the answer is that only the jars providing the cryptography services detailed in FIPS 140-2 need to be certified. In the case of Bouncy Castle this just means the provider jars. The bcpkix, bcpg, bcmail, and bctls APIs are all designed to outsource the cryptography to the provider jar and where there are differences from the general distribution with these it is generally with making sure FIPS-specific functionality is used. There are still things you can get caught out on, such as inappropriate key management, or poor usage around the DRBGs, but the primary "certified thing" is in the provider jars.

Regards,

David

On 14/09/18 03:39, Terry Schulting wrote:
On the website, it states:
News: bc-fips-1.0.1.jar has now been certified and has been assigned the certificate number 3152. 

Does this mean the other bc-fips-1.0.1 jars are NOT certified?  For example, bcpkix-fips-1.0.1.jar, bcmail-fips-1.0.1.jar or any of the others?

I need to be using a FIPS certified product, and have a need for password encrypted certs, signing, and verification.

Thanks!
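
The delegation described in the reply above, shown as an added example (not part of the original thread and not Bouncy Castle's own code): bcpkix classes build and check a certificate, while every cryptographic operation is explicitly bound to the provider jar through its "BCFIPS" provider name. It assumes bc-fips and bcpkix-fips are on the classpath; the class name, subject name and validity period are constructed for illustration.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;

// Hypothetical class name; constructed example.
public class FipsDelegationExample {
    public static void main(String[] args) throws Exception {
        // Register the provider jar (bc-fips), the certified module.
        Security.addProvider(new BouncyCastleFipsProvider());

        // Key generation is requested from BCFIPS by name, so no other
        // installed provider can silently serve it.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BCFIPS");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // bcpkix only assembles the structures; the signature itself is
        // computed by the provider named in setProvider().
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider("BCFIPS")
                .build(kp.getPrivate());

        // Constructed self-signed certificate, valid for one day.
        X500Principal name = new X500Principal("CN=constructed-example");
        Date notBefore = new Date(System.currentTimeMillis() - 60_000L);
        Date notAfter = new Date(System.currentTimeMillis() + 86_400_000L);
        X509CertificateHolder cert = new JcaX509v3CertificateBuilder(
                name, BigInteger.ONE, notBefore, notAfter, name, kp.getPublic())
                .build(signer);

        // Verification is delegated to the provider jar in the same way.
        ContentVerifierProvider verifier = new JcaContentVerifierProviderBuilder()
                .setProvider("BCFIPS")
                .build(kp.getPublic());
        System.out.println("signature valid: " + cert.isSignatureValid(verifier));
    }
}
```

Leaving out `setProvider("BCFIPS")` lets the JCA pick whichever installed provider ranks first for the algorithm, which may not be the certified module.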