Issue with https communication using BC FIPS


pooja venkatesh

Hello everyone,

In FIPS mode I am evaluating the HTTPS server/client communication scenario where the keystores are provided externally. With the help of keytool, I imported the keystore from JKS to BKS and validated the cert.

The issue is a handshake failure due to an invalid or expired key. I even tried using the unlimited policy files. I also validated the BKS keystore with keytool; the content is listed correctly.

Below are the environment details.

Bouncy Castle FIPS: bc-fips-1.0.1.jar

openjdk version "1.8.0_131"

The security file is configured as below.

security.provider.1=sun.security.provider.Sun

security.provider.2=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

..

security.provider.5=com.sun.net.ssl.internal.ssl.Provider BCFIPS

The following BC-suggested permissions are added in the java.policy file:

        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec";

        permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";

        permission java.lang.RuntimePermission "getProtectionDomain";

        permission java.util.PropertyPermission "java.runtime.name", "read";

        permission java.lang.RuntimePermission "accessDeclaredMembers";

        permission java.security.SecurityPermission "putProviderProperty.BCFIPS";

        permission org.bouncycastle.crypto.CryptoServicesPermission "defaultRandomConfig";

        permission org.bouncycastle.crypto.CryptoServicesPermission "threadLocalConfig";

        permission org.bouncycastle.crypto.CryptoServicesPermission "globalConfig";

FIPS is enabled in the product using the BC API call "CryptoServicesRegistrar.setApprovedOnlyMode(true)".

The behaviour observed so far is that, intermittently, both client and server establish the connection and it goes through fine. Most of the time it fails due to an invalid or expired key.

But if I change the Bouncy Castle provider priority to 1 and the Sun provider to 2, the provider fails to initialise, throwing java.lang.ExceptionInInitializerError.

Could you please help me address the failure?


Thanks,

Pooja
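As an added diagnostic, not code from the original post or from Bouncy Castle: a small Java program that switches on approved-only mode the same way the product does, prints the provider order the JVM actually sees, loads the externally supplied keystore and checks every certificate's validity window (an expired or not-yet-valid chain is one cause of an "invalid or expired key" handshake failure), then reports which provider will back KeyManagerFactory and SSLContext under the current ordering. The keystore path and password are placeholders, since the post does not give them; "BKS" is the type the post names.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.bouncycastle.crypto.CryptoServicesRegistrar;

public class FipsTlsCheck {
    // Placeholders: the post does not give the keystore path or password; "BKS" is the type it names.
    static final String KS_PATH = "/path/to/keystore.bks";
    static final String KS_TYPE = "BKS";
    static final char[] KS_PASS = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        // Same switch the product uses, so the checks below run under approved-only mode.
        CryptoServicesRegistrar.setApprovedOnlyMode(true);
        System.out.println("approved-only: " + CryptoServicesRegistrar.isInApprovedOnlyMode());
        // 1. Provider order as this JVM actually sees it (java.security plus any runtime inserts).
        int i = 1;
        for (Provider p : Security.getProviders()) System.out.println((i++) + ". " + p.getName());
        // 2. Load the external keystore and check every certificate's validity window.
        KeyStore ks = KeyStore.getInstance(KS_TYPE);
        try (FileInputStream in = new FileInputStream(KS_PATH)) { ks.load(in, KS_PASS); }
        System.out.println("keystore served by: " + ks.getProvider().getName());
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias); // null unless a private-key entry
            if (chain == null) chain = new Certificate[] { ks.getCertificate(alias) };
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue; // skips null and non-X.509 entries
                X509Certificate x = (X509Certificate) c;
                try {
                    x.checkValidity(); // throws if "now" is outside notBefore..notAfter
                    System.out.println(alias + ": valid until " + x.getNotAfter() + " " + x.getSubjectX500Principal());
                } catch (CertificateException ex) {
                    System.out.println(alias + ": INVALID " + ex.getMessage());
                }
            }
        }
        // 3. Which providers will back the TLS stack under the current provider ordering.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, KS_PASS);
        SSLContext ctx = SSLContext.getInstance("TLS");
        System.out.println("KMF: " + kmf.getProvider().getName() + ", SSLContext: " + ctx.getProvider().getName());
    }
}
```

Run it once with each java.security provider ordering from the post; the provider names printed in steps 1 and 3 show which ordering actually routes TLS through BCFIPS, and step 2 shows whether the chain itself is within its validity window.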
