Migrating Bouncy Castle keypairs to FIPS 140-2 compliant key store BCFKS

Prateek Kumar
Hi,

Could anyone please advise on this requirement for our Java webapp?

We have created keypairs (RSA and DH) using the non-FIPS Bouncy Castle provider in .bks keystores, and now we are trying to replace the provider with the FIPS 140-2 compliant BC FIPS at https://downloads.bouncycastle.org/fips-java/bc-fips-1.0.2.jar

For an existing deployment containing these keypairs in .bks (which already exist) is there any way to:

* Migrate them into .bcfks keystores which is the compliant keystore (and any code samples to do so).

* "Convert" these keypairs (with same algorithms/mode/padding/keysizes, as the ones chosen at creation time were already compliant but created using standard Bouncy Castle jars) into versions that would be FIPS compliant, or as if they'd been created with the BC FIPS version. I don't know if this is possible, and in the documentation at https://downloads.bouncycastle.org/fips-java/BC-FJA-UserGuide-1.0.2.pdf (Page 66, Appendix E), all I'm seeing is converting from JCE keypairs to low-level FIPS key-primitives.

Thanks,
Prateek Kumar
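
The keystore migration asked about in the first bullet, as an added example that is not part of the original post or of Bouncy Castle's documentation: it copies each entry from a BKS store into a new BCFKS store through the standard `java.security.KeyStore` API, then re-reads the output and checks that every key encoding matches. Assumptions: a regular (non-FIPS) bcprov jar that registers both the `BKS` and `BCFKS` keystore types under the `BC` provider is on the classpath, and one password protects the store and every key entry; the class name `BksToBcfks` is hypothetical.

```java
import java.io.*;
import java.security.Key;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Added example (hypothetical class). Usage: java BksToBcfks old.bks new.bcfks
public class BksToBcfks {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (interactive terminal): BksToBcfks <in.bks> <out.bcfks>");
            System.exit(2);
        }
        // Assumption: one password protects the store and every key entry.
        char[] pw = console.readPassword("Keystore password: ");
        Security.addProvider(new BouncyCastleProvider());
        try {
            KeyStore src = KeyStore.getInstance("BKS", "BC");
            try (InputStream in = new FileInputStream(args[0])) { src.load(in, pw); }
            KeyStore dst = KeyStore.getInstance("BCFKS", "BC");
            dst.load(null, null); // start from an empty store

            for (String alias : Collections.list(src.aliases())) {
                if (src.isCertificateEntry(alias)) {
                    dst.setCertificateEntry(alias, src.getCertificate(alias));
                } else {
                    // Private keys carry their chain; secret keys have none (null).
                    dst.setKeyEntry(alias, src.getKey(alias, pw), pw, src.getCertificateChain(alias));
                }
            }
            try (OutputStream out = new FileOutputStream(args[1])) { dst.store(out, pw); }

            // Reload the written file and confirm every key survived byte for byte.
            KeyStore check = KeyStore.getInstance("BCFKS", "BC");
            try (InputStream in = new FileInputStream(args[1])) { check.load(in, pw); }
            for (String alias : Collections.list(src.aliases())) {
                if (!src.isKeyEntry(alias)) continue;
                Key a = src.getKey(alias, pw), b = check.getKey(alias, pw);
                if (b == null || !MessageDigest.isEqual(a.getEncoded(), b.getEncoded()))
                    throw new IllegalStateException("key mismatch for alias " + alias);
            }
            System.out.println("migrated " + dst.size() + " entries to " + args[1]);
        } finally {
            Arrays.fill(pw, '\0'); // do not leave the password in memory
        }
    }
}
```

This changes only the container format: the key material is copied unchanged, which the verification loop confirms by comparing encodings.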