At the risk of sounding like I've gone to the dark side, you
really want to get a support contract if you're going to start
worrying about things like this!

In general the answer is that only the jars providing the
cryptography services detailed in FIPS 140-2 need to be certified.
In the case of Bouncy Castle this just means the provider jars.

The bcpkix, bcpg, bcmail, and bctls APIs are all designed to
outsource the cryptography to the provider jar, and where there are
differences from the general distribution with these, it is
generally with making sure FIPS-specific functionality is used.

There are still things you can get caught out on, such as
inappropriate key management, or poor usage around the DRBGs, but
the primary "certified thing" is in the provider jars.

On 14/09/18 03:39, Terry Schulting wrote:

On the website, it states:

News: bc-fips-1.0.1.jar has now
been certified and has been assigned the certificate number 3152.

Does this mean the other bc-fips-1.0.1 jars are NOT
certified? For example, bcpkix-fips-1.0.1.jar,
bcmail-fips-1.0.1.jar or any of the others?

I need to be using a FIPS certified product, and have a
need for password encrypted certs, signing, and verification.
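
Added example, not part of the original thread and not Bouncy Castle's own code: a check that a bcpkix signing operation is actually serviced by the certified provider jar rather than by another JCA provider on the classpath. It assumes bc-fips and bcpkix-fips are on the classpath; the class name `ProviderDelegationCheck` and the sample message are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.Signature;

import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Hypothetical class name; requires bc-fips and bcpkix-fips on the classpath.
public class ProviderDelegationCheck {
    public static void main(String[] args) throws Exception {
        // The provider jar is the certified module; register it with the JCA.
        Security.addProvider(new BouncyCastleFipsProvider());
        System.out.println("approved-only mode: "
                + CryptoServicesRegistrar.isInApprovedOnlyMode());

        // Generate the key inside the certified provider, not a default one.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BCFIPS");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // bcpkix only builds the operator; pinning the provider by name makes
        // the signature computation happen inside the BCFIPS provider.
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
                .setProvider("BCFIPS")
                .build(kp.getPrivate());
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        signer.getOutputStream().write(msg);
        byte[] sig = signer.getSignature();

        // Verify through the JCA, again pinned to BCFIPS, and fail closed if
        // the operation was serviced by any other provider.
        Signature verifier = Signature.getInstance("SHA256withRSA", "BCFIPS");
        if (!"BCFIPS".equals(verifier.getProvider().getName())) {
            throw new IllegalStateException("signature not serviced by BCFIPS");
        }
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        if (!verifier.verify(sig)) {
            throw new IllegalStateException("signature verification failed");
        }
        System.out.println("signed and verified via "
                + verifier.getProvider().getName());
    }
}
```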