I see your points. Enabling both Sun and a FIPS mode JCE provider could be challenging.

It might be a solution to separate the X.509 services from the Sun provider.

Xuelei

On 3/13/2019 9:03 AM, Martin Balao wrote:
Hi Xuelei,

On 3/13/19 11:05 AM, Xuelei Fan wrote:
To use FIPS mode JCE provider, an application could:
1. implement the required algorithm in the FIPS mode JCE provider.
2. don't use those algorithms that are outside the scope of the FIPS mode JCE
provider (restrict them).


Yes, there could be a 3rd party JCE provider that implements all the
required algorithms and does not even need any other OpenJDK provider to
be enabled. When it comes to OpenJDK-only providers, the current way to
operate in FIPS is through SunPKCS11. SunPKCS11 alone is not enough for
a TLS engine because X.509 (CertificateFactory) is not supported. We
need SUN provider to be enabled too.

In regards to #2, yes: we can do that. My point, though, is that this is
not an easy and reliable user interface to provide FIPS mode in OpenJDK,
but a workaround. The list of algorithms wouldn't even be fixed. Despite
its drawbacks, the experimental SunJSSE FIPS mode provided a straight
path to this use-case.

I'm not advocating for re-introducing the whole SunJSSE FIPS feature but
wish we could discuss something for providing better support for this
use-case.

Kind regards,
Martin.-
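As an added illustration of the provider-composition point discussed above (this is example code, not code from the OpenJDK project or from either author), the following Java program loads a SunPKCS11 provider from a PKCS#11 config file, keeps the SUN provider enabled, and reports which provider will answer each service a TLS engine needs. It then removes SUN to show that an X.509 CertificateFactory lookup fails with SunPKCS11 alone. The config path and the NSS slot it would describe are assumptions; the Provider.configure(String) API requires JDK 9 or later.

```java
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;

public class FipsProviderCheck {
    // Assumption: a SunPKCS11 config file pointing at a FIPS-capable token
    // (for example an NSS FIPS database). Path is hypothetical.
    private static final String PKCS11_CONFIG = "/etc/pki/java/nss-fips.cfg";

    // Services a TLS stack resolves through JCA/JCE; the filter syntax is
    // "<Type>.<Algorithm>" as accepted by Security.getProviders(String).
    private static final String[] TLS_SERVICES = {
        "CertificateFactory.X.509",
        "KeyStore.PKCS11",
        "KeyManagerFactory.SunX509",
        "TrustManagerFactory.PKIX",
        "SSLContext.TLSv1.3",
        "Signature.SHA256withRSA",
        "SecureRandom.PKCS11",
    };

    public static void main(String[] args) throws Exception {
        // JDK 9+: the registered SunPKCS11 provider is unconfigured until
        // configure() is called; insert the configured copy at position 1
        // so it wins every lookup it can serve.
        Provider pkcs11 = Security.getProvider("SunPKCS11").configure(PKCS11_CONFIG);
        Security.insertProviderAt(pkcs11, 1);

        System.out.println("With SunPKCS11 first and SUN still enabled:");
        report();

        // The point made in the thread: SunPKCS11 does not implement
        // CertificateFactory.X.509, so without SUN the lookup fails.
        Security.removeProvider("SUN");
        System.out.println("\nAfter removing SUN:");
        report();
        try {
            CertificateFactory.getInstance("X.509");
            System.out.println("X.509 CertificateFactory still available");
        } catch (CertificateException e) {
            System.out.println("X.509 CertificateFactory unavailable: " + e.getMessage());
        }
    }

    // Print, for each service, the providers that can serve it in priority order.
    private static void report() {
        for (String svc : TLS_SERVICES) {
            Provider[] ps = Security.getProviders(svc);
            StringBuilder names = new StringBuilder();
            if (ps == null) {
                names.append("(none)");
            } else {
                for (Provider p : ps) {
                    if (names.length() > 0) names.append(", ");
                    names.append(p.getName());
                }
            }
            System.out.printf("  %-28s -> %s%n", svc, names);
        }
    }
}
```

Run this once with SUN enabled and once without to see exactly which services fall back to a non-FIPS provider; the "(none)" rows after removing SUN are the gaps a FIPS deployment has to cover some other way, either by a third-party provider or by splitting the X.509 services out of SUN as suggested above.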
