Hi Xuelei, On 3/13/19 11:05 AM, Xuelei Fan wrote: > To use FIPS mode JCE provider, an application could: > 1. implement the required algorithm in the FIPS mode JCE provider. > 2. don't those algorithms that outside the scope of the FIPS mode JCE > provider (restrict them). >
Yes, there could be a 3rd party JCE provider that implements all the required algorithms and does not even need any other OpenJDK provider to be enabled. When it comes to OpenJDK-only providers, the current way to operate in FIPS is through SunPKCS11. SunPKCS11 alone is not enough for a TLS engine because X.509 (CertificateFactory) is not supported. We need SUN provider to be enabled too. In regards to #2, yes: we can do that. My point, though, is that this is not an easy and reliable user interface to provide FIPS mode in OpenJDK, but a workaround. The list of algorithms wouldn't even be fixed. Despite its drawbacks, the experimental SunJSSE FIPS mode provided a straight path to this use-case. I'm not advocating for re-introducing the whole SunJSSE FIPS feature but wish we could discuss something for providing better support for this use-case. Kind regards, Martin.-
