Fips and non-fips bc jars co-existence

[RashmiSunil]

Hi Team,

My product is a legacy product and has many dependency with manyexternal jars and I see that few external jars are internally referring BlockCipher, SHA256Digest etc from bcprov-jdk-15on /bcprov-jdk16.

Now our product wants to support fips from bouncy castle (bc-fips-1.0.1).

According to your official document which stated :
"The bcfips provider jar itself has no external dependencies, but it cannot be used in the same JVM as the regular Bouncy Castle provider. The classes in the two jar files do not get along."

So how can I use bc-fips along with regular provider and what are all the alternatives that you can suggest ?
Since I must have bcprov-jdk as well.

Thanks and Regards,

[bcgit]

When you say FIPS support, do you mean you actually need the product to be FIPS compliant?

[RashmiSunil]

Thats right. We want our product to be FIPS complaint. And we were using other provider and this provider has reached end of life so wants to move with Bouncy Castle for FIPS complaince.

[bcgit]

Okay, so where people need to use classes from the non-FIPS BC API together with the FIPS one the trick is to use the "org.spongycastle" approach.

There's one catch though, the application can't be FIPS compliant if it uses any of the cryptographic classes from the old BC API. Given some of the classes you have mentioned, you need to be making sure only the classes from the BC FIPS API are used and also those are used in accordance with the module's security policy.

[RashmiSunil]

Thanks for the quick reply and I have few follow-ups on it,

1. I see that org.spongycastle approach is for android. Can this be used for desktop application?
2. The BC API's that I have mentioned like SHA256Digest, BlockCipher are used by third party jar. Not by our product directly. So are you suggesting to check and move these classes to equivalent BC FIPS API's?
   I am afraid that this point is not in my hands as its third party jar usage.
   Please correct me if my understanding is wrong here.
3. Does BC FIPS work on LINUX platform or do you have specific platform dependency for this?

[dghbc]

org.spongycastle is just a package name - it's first use was with the Android port, but the same idea can be applied to get two versions of BC running side by side in any environment.
On 2, yes you need to use the FIPS equivalents, the resulting product will not be FIPS compliant otherwise as it will using cryptographic services from a non-certified provider.
On 3, yes it works on Linux. Details of primary platforms and porting can be found in the security policy for the module:

https://downloads.bouncycastle.org/fips-java/BC-FJA-SecurityPolicy-1.0.2.pdf

[dghgit]

Closed, assumed dealt with as no further feedback.

[cid77]

Okay, so where people need to use classes from the non-FIPS BC API together with the FIPS one the trick is to use the "org.spongycastle" approach.

There's one catch though, the application can't be FIPS compliant if it uses any of the cryptographic classes from the old BC API. Given some of the classes you have mentioned, you need to be making sure only the classes from the BC FIPS API are used and also those are used in accordance with the module's security policy.

What's the "org.spongycastle" approach? I'm in a situation where both bc-fips and bc jars are in the classpath, but none of the bc providers (fips or non-fips) can be loaded. Is there a way to make it work? Thanks.

[dghgit]

Recompile the API as org.spongycastle and give the provider the name "SC" rather than "BC".