Sorry there is not a FIPS compliant version of the 1.50 jar. We do
not expect to have one in the future either - the boundary issues
that exist in 1.50, which we fixed by creating bc-fips-1.0.0 would
likely make it impossible for a version of the 1.50 jar to survive
the certification process.
Having said, the two versions of BC, if they have stuck with the
JCA/JCE interfaces are not that far apart. If you can give me some
idea of what issues are caused by dropping 1.50, I may be able to
help you migrate the Apache code, or worst case, tell you that it
really is impossible. It may also be worth getting in touch with
them to see if there is any work going on to make their jar usable
with the FIPS API. We have seen a couple projects do that already,
just not that one.
Apologies I can't be more help on this one. If you have any
further questions, please let me know.
On 24/07/17 18:15, Eppa, Shivaprasad wrote:
This is Shiva, from CA Technologies.
I have come across some problematic
situation using bouncy castle jars for which I seek your
support in resolving it.
In one of our web apps we have a dependency
on apacheds-core library which internally require
bcprov-jdk15-150.jar, whereas for our core development code we
started to use fips compliant bc-fips-1.0.0.jar. I see that
the bcprov-jdk15-150.jar has different API compared to
bc-fips-1.0.0.jar and so I could not replace
bcprov-jdk15-150.jar with bc-fips-1.0.0.jar. In this case we
end up having two different versioned jars in the same webapp
which creates more serious issues. Do you have any fips
compliant library which has the API consistent with
bcprov-jdk15-150.jar? Or do you plan to release as such in
near future? Or do you have any other solutions for this case?
We are blocked with this situation, your
quick reply shall help us to take the decision.