Question:
How can one programmatically check if a FIPS (Federal Information Processing Standard: Publication 140-2) compatible security provider is enabled, for example the Bouncy Castle implementation?
Answer:
Please NOTE: the following source is provided as-is and is not supported by Azul.
Verify from a Linux command line that the JVM was started with a custom security-properties file:
    jcmd JVMID VM.system_properties | grep java.security.properties
The JVMID is listed when running jcmd without parameters; it is the main class name or the process ID.
Then open the file that the java.security.properties property points to and check that it contains your intended FIPS settings. Note that this test only shows which configuration file was passed to the JVM; it does not show which security provider is actually active inside the application. For that, the next step is recommended:
The following Java code snippet can be used to test if FIPS is enabled (it requires bc-fips.jar on the class path):
    // FipsStatus.isReady() is true once the Bouncy Castle FIPS module has passed its self-tests
    if (org.bouncycastle.crypto.fips.FipsStatus.isReady()) {
        // Ask the JCA which provider actually serves a default SecureRandom
        java.security.SecureRandom random = new java.security.SecureRandom();
        if (random.getProvider().getName().equals("BCFIPS")) {
            System.out.println("FIPS mode ready and active");
        } else {
            // The module loaded, but another provider is ahead of BCFIPS in the provider list
            System.out.println("FIPS mode ready but disabled");
        }
    } else {
        System.out.println("FIPS not ready");
    }
Finally, if you need a "negative" test (e.g. throw an exception if FIPS is enabled), the attached "fipstest.java" can be used as follows:
- Replace your
    $JAVA_HOME/jre/lib/security/fips.security
  configuration file with the attached "fips.security" file. This is only necessary in Azul Zulu Builds of OpenJDK released prior to April 2021.
- Compile "fipstest.java" with a JVM that includes Bouncy Castle. For example:
    $ export JAVA_HOME=/home/java/fips-jdk8-1.8.0_282-tdc1.x86_64
    $ $JAVA_HOME/bin/javac fipstest.java
  If necessary, you may need to put the "bc-fips.jar" implementation on the class path. For example:
    $ $JAVA_HOME/bin/javac -cp $JAVA_HOME/jre/lib/fips/bc-fips.jar fipstest.java
(a) To test regular (non-FIPS) mode, do as follows:
$ $JAVA_HOME/bin/java fipstest
Regular mode
(b) To test FIPS mode, do as follows:
$ $JAVA_HOME/bin/java -XX:+UseBCFIPS fipstest
Exception in thread "main" java.lang.RuntimeException: FIPS mode enabled
        at fipstest.main(fipstest.java:8)
Alternatively, in the original January 2021 implementation, the "-XX:+UseBCFIPS" option was not available, so please use the following options to turn on FIPS:
$ $JAVA_HOME/bin/java -Djava.security.properties=$JAVA_HOME/jre/lib/security/fips.security -Dorg.bouncycastle.fips.approved_only=true fipstest
Exception in thread "main" java.lang.RuntimeException: FIPS mode enabled
        at fipstest.main(fipstest.java:8)
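As an added example (this is not the attached fipstest.java, nor Azul's or Bouncy Castle's own code), the following class combines the snippet above with a provider-list check and the negative-test behaviour described in this article, and it goes one step further by compiling and running on a JDK that has no bc-fips.jar at all. The class name org.bouncycastle.crypto.fips.FipsStatus, the provider name BCFIPS and the property org.bouncycastle.fips.approved_only are taken from this page; the class FipsCheck, its State enum, the providerRank() helper and the --fail-if-fips / --require-fips arguments are illustrative names chosen here.

```java
import java.lang.reflect.Method;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;

public class FipsCheck {
    // Names as used in the article; everything else in this class is illustrative.
    static final String FIPS_PROVIDER = "BCFIPS";
    static final String FIPS_STATUS_CLASS = "org.bouncycastle.crypto.fips.FipsStatus";
    static final String APPROVED_ONLY_PROP = "org.bouncycastle.fips.approved_only";

    /** Outcome of the check, so callers can fail closed on a value instead of parsing stdout. */
    enum State { NOT_ON_CLASSPATH, NOT_READY, READY_BUT_INACTIVE, ACTIVE }

    static State check() {
        // 1. Is the BC-FIPS module present at all? Resolve it reflectively so this
        //    class compiles and runs on a plain JDK without bc-fips.jar.
        Method isReady;
        try {
            isReady = Class.forName(FIPS_STATUS_CLASS).getMethod("isReady");
        } catch (ClassNotFoundException | NoSuchMethodException e) {
            return State.NOT_ON_CLASSPATH;
        }
        // 2. Has the module finished its power-on self-tests?
        boolean ready;
        try {
            ready = (Boolean) isReady.invoke(null);
        } catch (ReflectiveOperationException e) {
            return State.NOT_READY;
        }
        if (!ready) {
            return State.NOT_READY;
        }
        // 3. Is BCFIPS the provider the JCA actually hands out? Same SecureRandom
        //    probe as the article's snippet.
        Provider p = new SecureRandom().getProvider();
        return FIPS_PROVIDER.equals(p.getName()) ? State.ACTIVE : State.READY_BUT_INACTIVE;
    }

    /** 1-based position of BCFIPS in the installed provider list, or -1 if absent.
     *  A rank greater than 1 explains a READY_BUT_INACTIVE result: another provider wins. */
    static int providerRank() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if (FIPS_PROVIDER.equals(providers[i].getName())) {
                return i + 1;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        State state = check();
        System.out.println("FIPS state: " + state
                + " (BCFIPS provider rank: " + providerRank()
                + ", " + APPROVED_ONLY_PROP + "=" + System.getProperty(APPROVED_ONLY_PROP, "unset") + ")");

        // Negative test, as the article's fipstest does: refuse to run when FIPS is active.
        if (args.length > 0 && args[0].equals("--fail-if-fips") && state == State.ACTIVE) {
            throw new RuntimeException("FIPS mode enabled");
        }
        // Positive test: refuse to run unless FIPS is active (useful as a startup guard).
        if (args.length > 0 && args[0].equals("--require-fips") && state != State.ACTIVE) {
            throw new RuntimeException("FIPS mode required but state is " + state);
        }
    }
}
```

Compile it with the same javac invocations shown above (the -cp bc-fips.jar form is only needed if you replace the reflective lookup with a direct call) and run it with and without -XX:+UseBCFIPS, or with the -Djava.security.properties=... and -Dorg.bouncycastle.fips.approved_only=true pair for the January 2021 builds. Because the outcome is an enum rather than a printed string, the same class serves as a startup guard: the uncaught RuntimeException gives a non-zero exit code, so a deployment script or CI job can fail closed when the provider state is not the one expected.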