Question:
How can one programmatically check if FIPS (Federal Information Processing Standard: Publication 140-2) is enabled, for example the Bouncy Castle implementation?
Answer:
Please NOTE: the following source is provided as-is and is not supported by Azul.
(a) To verify from a Linux command-line that Java was started with FIPS enabled, you could run the following command:
ps -ef | grep "Djava.security.properties" | tail -1 | grep "Djava.security.properties=$JAVA_HOME/jre/lib/security/fips.security"
(b) Alternatively, the following Java code snippet can be used to test if FIPS is enabled:
// Minimal class wrapper so the snippet compiles and runs stand-alone; the check itself is unchanged.
public class FipsCheck {
    public static void main(String[] args) {
        // isReady() is true once the BC-FIPS module has completed its power-up self-tests
        if (org.bouncycastle.crypto.fips.FipsStatus.isReady()) {
            // The default SecureRandom comes from the highest-priority provider that offers one
            java.security.SecureRandom random = new java.security.SecureRandom();
            if (random.getProvider().getName().equals("BCFIPS")) {
                System.out.println("FIPS mode ready and active");
            } else {
                System.out.println("FIPS mode ready but disabled");
            }
        } else {
            System.out.println("FIPS not ready");
        }
    }
}
(c) Finally, if you need a "negative" test (e.g. throw an exception if FIPS is enabled), the attached "fipstest.java" can be used as follows:
1.) Please replace your $JAVA_HOME/jre/lib/security/fips.security configuration file with the attached "fips.security" file. This is only necessary in Azul Zulu Builds of OpenJDK released prior to April 2021.
2.) Compile "fipstest.java" with a JVM that includes Bouncy Castle. For example:
$ export JAVA_HOME=/home/java/fips-jdk8-1.8.0_282-tdc1.x86_64
$ $JAVA_HOME/bin/javac fipstest.java
If necessary, you may need to specify the "bc-fips.jar" implementation. For example:
$ $JAVA_HOME/bin/javac -cp $JAVA_HOME/jre/lib/fips/bc-fips.jar fipstest.java
(a) To test regular (non-FIPS) mode, do as follows:
$ $JAVA_HOME/bin/java fipstest
Regular mode
(b) To test FIPS mode, do as follows:
$ $JAVA_HOME/bin/java -XX:+UseBCFIPS fipstest
Exception in thread "main" java.lang.RuntimeException: FIPS mode enabled
    at fipstest.main(fipstest.java:8)
Alternatively, in the original January 2021 implementation, the "-XX:+UseBCFIPS" option was not available, so please use the following options to turn on FIPS:
$ $JAVA_HOME/bin/java -Djava.security.properties=$JAVA_HOME/jre/lib/security/fips.security -Dorg.bouncycastle.fips.approved_only=true fipstest
Exception in thread "main" java.lang.RuntimeException: FIPS mode enabled
    at fipstest.main(fipstest.java:8)
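As an added example (this is not the attached "fipstest.java" and not Azul's code), the following class extends the snippet in (b) with the checks a practitioner usually wants before trusting a "FIPS enabled" verdict: whether the BC-FIPS module passed its self-tests, whether the BCFIPS provider is installed and at which position in the JCA provider order, whether approved-only mode is on, and which provider the JCA actually resolves SecureRandom and SHA-256 to. It also covers the "negative" test from (c): with the hypothetical system property -Dfipstest.failIfEnabled=true it throws when FIPS is active. The class name, the property name and the printed wording are assumptions made for this example.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;

import org.bouncycastle.crypto.CryptoServicesRegistrar;
import org.bouncycastle.crypto.fips.FipsStatus;

/** Reports how (and whether) BC-FIPS is wired into this JVM. Example code, not Azul's. */
public class FipsModeCheck {

    public enum Status { NOT_READY, READY_BUT_INACTIVE, ACTIVE }

    public static Status status() throws NoSuchAlgorithmException {
        // Step 1: module state. isReady() only means the power-up self-tests passed;
        // it says nothing about whether the JCA will actually hand out BCFIPS objects.
        boolean ready;
        String moduleMessage;
        try {
            ready = FipsStatus.isReady();
            moduleMessage = FipsStatus.getStatusMessage();
        } catch (NoClassDefFoundError e) {
            // bc-fips.jar is not on the class path at all
            ready = false;
            moduleMessage = "BC-FIPS classes not present";
        }
        System.out.println("BC-FIPS module status: " + moduleMessage);
        if (!ready) {
            return Status.NOT_READY;
        }

        // Step 2: is the provider registered, and where in the JCA search order?
        Provider[] providers = Security.getProviders();
        int bcfipsPosition = -1;
        for (int i = 0; i < providers.length; i++) {
            if ("BCFIPS".equals(providers[i].getName())) {
                bcfipsPosition = i + 1; // JCA provider positions are 1-based
            }
        }
        System.out.println("BCFIPS provider position: "
                + (bcfipsPosition > 0 ? String.valueOf(bcfipsPosition) : "not installed"));

        // Step 3: approved-only mode (e.g. -Dorg.bouncycastle.fips.approved_only=true)
        System.out.println("Approved-only mode: " + CryptoServicesRegistrar.isInApprovedOnlyMode());

        // Step 4: what the JCA actually hands out. A provider that is installed but
        // ordered behind SUN is never used by code that does not name it explicitly.
        String rngProvider = new SecureRandom().getProvider().getName();
        String digestProvider = MessageDigest.getInstance("SHA-256").getProvider().getName();
        System.out.println("SecureRandom provider: " + rngProvider);
        System.out.println("SHA-256 provider:      " + digestProvider);

        boolean active = "BCFIPS".equals(rngProvider) && "BCFIPS".equals(digestProvider);
        return active ? Status.ACTIVE : Status.READY_BUT_INACTIVE;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        Status s = status();
        System.out.println("Result: " + s);
        // Negative test, as in (c): -Dfipstest.failIfEnabled=true makes an active
        // FIPS configuration fatal. The property name is an assumption of this example.
        if (s == Status.ACTIVE && Boolean.getBoolean("fipstest.failIfEnabled")) {
            throw new RuntimeException("FIPS mode enabled");
        }
    }
}
```

Compile and run it the same way as step 2 above (add -cp $JAVA_HOME/jre/lib/fips/bc-fips.jar if the jar is not already visible), for example "$JAVA_HOME/bin/java -XX:+UseBCFIPS -Dfipstest.failIfEnabled=true FipsModeCheck". Checking both SecureRandom and a digest guards against the case where BCFIPS is installed but ordered behind the SUN providers, which the single SecureRandom check in (b) can only partly detect.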