How to programmatically check if a FIPS compatible security provider is enabled?

Question:

How can one programmatically check if a FIPS (Federal Information Processing Standard: Publication 140-2) compatible security provider is enabled, for example the Bouncy Castle implementation? 

Answer:  

Please NOTE: the following source is provided as-is and is not supported by Azul.

Verify from a Linux command-line that java was started with a custom security setting:

    jcmd JVMID VM.system_properties | grep java.security.properties

The JVMID is listed when running jcmd without parameters; it is the main class name or the process ID.

Then open the file named by the java.security.properties property and check that it contains your intended FIPS settings. Note that this test does not show which security provider is actually active inside the application. For that, the next step is recommended:

The following Java code snippet can be used to test if FIPS is enabled:

    // FipsStatus.isReady() reports whether the Bouncy Castle FIPS module is
    // loaded and ready for operation. It says nothing about which provider the
    // JCA actually hands out, so the provider of a real object is checked too.
    if (org.bouncycastle.crypto.fips.FipsStatus.isReady()) {
      java.security.SecureRandom random = new java.security.SecureRandom();
      // "BCFIPS" is the provider name registered by bc-fips.jar
      if (random.getProvider().getName().equals("BCFIPS")) {
        System.out.println("FIPS mode ready and active");
      } else {
        System.out.println("FIPS mode ready but disabled");
      }
    } else {
      System.out.println("FIPS not ready");
    }

Finally, if you need a "negative" test (e.g. throw an exception if FIPS is enabled), the attached "fipstest.java" can be used as follows:

  1. Replace your $JAVA_HOME/jre/lib/security/fips.security configuration file with the attached "fips.security" file. This is only necessary in Azul Zulu Builds of OpenJDK released prior to April 2021.
  2. Compile "fipstest.java" with a JVM that includes Bouncy Castle. For example:

    $ export JAVA_HOME=/home/java/fips-jdk8-1.8.0_282-tdc1.x86_64
    $ $JAVA_HOME/bin/javac fipstest.java

If the compiler cannot resolve the Bouncy Castle classes, put the "bc-fips.jar" implementation on the classpath explicitly. For example:

    $ $JAVA_HOME/bin/javac -cp $JAVA_HOME/jre/lib/fips/bc-fips.jar fipstest.java

  (a) To test regular (non-FIPS) mode, do as follows:

    $ $JAVA_HOME/bin/java fipstest
    Regular mode

  (b) To test FIPS mode, do as follows:

    $ $JAVA_HOME/bin/java -XX:+UseBCFIPS fipstest
    Exception in thread "main" java.lang.RuntimeException: FIPS mode enabled
                  at fipstest.main(fipstest.java:8)

Alternatively, in the original January 2021 implementation, the "-XX:+UseBCFIPS" option was not available, so please use the following options to turn on FIPS:

    $ $JAVA_HOME/bin/java -Djava.security.properties=$JAVA_HOME/jre/lib/security/fips.security -Dorg.bouncycastle.fips.approved_only=true fipstest
    Exception in thread "main" java.lang.RuntimeException: FIPS mode enabled
                  at fipstest.main(fipstest.java:8)
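The following is an added example, not the article's attached "fipstest.java" and not Azul or Bouncy Castle code. It combines the two checks above (the java.security.properties setting and the provider that really serves JCA requests) into one probe that also covers the "negative test" case. It goes further than the snippet in the article: it lists every installed provider in preference order and checks three different JCA services rather than only SecureRandom, because a provider can be installed yet still not be first in line for a given algorithm. The class name FipsProbe and the flags --fail-if-fips and --require-fips are this example's own inventions. FipsStatus.isReady() is called reflectively so the class compiles on any JDK; at run time bc-fips.jar must still be present for FIPS to report as ready.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;

/**
 * Added example (not the article's attached fipstest.java): reports how the
 * JVM was configured, which providers are installed, whether the BC FIPS
 * module is ready, and which provider actually serves common JCA requests.
 * The flags --fail-if-fips and --require-fips are this example's own names.
 */
public class FipsProbe {

    /** Provider name registered by bc-fips.jar (as used in the article). */
    static final String BCFIPS = "BCFIPS";

    /**
     * Calls org.bouncycastle.crypto.fips.FipsStatus.isReady() reflectively, so
     * this class compiles without bc-fips.jar on the compile classpath and
     * simply reports false when the module is absent at run time.
     */
    static boolean fipsStatusReady() {
        try {
            Class<?> status = Class.forName("org.bouncycastle.crypto.fips.FipsStatus");
            return (Boolean) status.getMethod("isReady").invoke(null);
        } catch (ReflectiveOperationException | RuntimeException e) {
            return false;
        }
    }

    /**
     * Which provider the JCA actually hands out for a few common requests.
     * Real objects are checked because a provider can be on the classpath, or
     * even installed, without being first in preference order.
     */
    static Map<String, String> activeProviders() throws GeneralSecurityException {
        Map<String, String> served = new LinkedHashMap<>();
        served.put("SecureRandom", new SecureRandom().getProvider().getName());
        served.put("MessageDigest SHA-256",
                MessageDigest.getInstance("SHA-256").getProvider().getName());
        served.put("Cipher AES/GCM/NoPadding",
                Cipher.getInstance("AES/GCM/NoPadding").getProvider().getName());
        return served;
    }

    /** FIPS counts as active only if the module is ready AND BCFIPS serves every request above. */
    static boolean isFipsActive() throws GeneralSecurityException {
        return fipsStatusReady()
                && activeProviders().values().stream().allMatch(BCFIPS::equals);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // 1. How the JVM was started (the same properties the jcmd check shows)
        System.out.println("java.security.properties = "
                + System.getProperty("java.security.properties"));
        System.out.println("org.bouncycastle.fips.approved_only = "
                + System.getProperty("org.bouncycastle.fips.approved_only"));

        // 2. Installed providers, in the preference order the JCA searches
        System.out.println("Installed providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " (" + p.getInfo() + ")");
        }

        // 3. Module state and the providers actually in use
        boolean ready = fipsStatusReady();
        System.out.println("FipsStatus.isReady() = " + ready);
        for (Map.Entry<String, String> e : activeProviders().entrySet()) {
            System.out.println("  " + e.getKey() + " served by " + e.getValue());
        }
        boolean active = isFipsActive();
        System.out.println(active ? "FIPS mode ready and active"
                : ready ? "FIPS mode ready but disabled" : "FIPS not ready");

        // 4. Optional assertions so the probe can fail a smoke test either way
        if (args.length > 0 && args[0].equals("--fail-if-fips") && active) {
            throw new RuntimeException("FIPS mode enabled");
        }
        if (args.length > 0 && args[0].equals("--require-fips") && !active) {
            throw new RuntimeException("FIPS mode required but not active");
        }
    }
}
```

Compile it with plain `$JAVA_HOME/bin/javac FipsProbe.java` (no -cp needed, because of the reflective call), then run it the same way as the article's fipstest: `$JAVA_HOME/bin/java -XX:+UseBCFIPS FipsProbe --fail-if-fips` should end with the RuntimeException, and `$JAVA_HOME/bin/java FipsProbe --require-fips` should fail on a non-FIPS start. Reading org.bouncycastle.fips.approved_only back only tells you what was passed on the command line; whether the module is actually enforcing approved-only mode is reported by the BC FIPS API itself (CryptoServicesRegistrar.isInApprovedOnlyMode()), which you can call the same reflective way if that distinction matters to you.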
