Skip to content

A Java security provider based on FIPS-compliant openssl

License

Notifications You must be signed in to change notification settings

canonical/openssl-fips-java

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Introduction

The OpenSSL FIPS Java project is a Java FIPS security provider module layered on top of the OpenSSL library and its FIPS module. Complying with the Java Cryptography Architecture, it implements the Java security SPI classes for security functions including Deterministic Random Bit Generators, Ciphers, Key Agreements, Key Derivations, Key Encapsulation, Message Digests, Message Authentication Codes and Signatures.

Under the covers, OpenSSL FIPS Java is quite tightly coupled with OpenSSL through the Java Native Interface and the OpenSSL EVP API. Only FIPS-approved algorithms, offered by the OpenSSL FIPS module are registered with this provider. The binaries produced from this source should be generally considered FIPS-compliant if the underlying OpenSSL module is FIPS 140-2/140-3 certified.

Structure of the source code

Directory Functionality
src/main/java/com/canonical/openssl Java classes, including SPI implementations
src/main/native/c C code that invokes OpenSSL EVP API, JNI code
src/main/native/include JNI headers and library header files
src/test C and Java tests

Instructions to build and test the provider

Install and configure OpenSSL FIPS

You should skip this step if you have OpenSSL and OpenSSL FIPS module installed. Here are the commands for Ubuntu/Debian installations:

git clone https://github.com/openssl/openssl && cd openssl
git checkout openssl-3.0.2
sudo apt update && sudo apt install build-essential -y
./Configure enable-fips && make && sudo make install && sudo make install_fips

Create a FIPS module configuration file which will be loaded by the provider. Please keep this file under /usr/local/ssl only.

sudo mkdir -p /usr/local/ssl
sudo openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib64/ossl-modules/fips.so
ln -s /usr/local/lib64/ossl-modules/fips.so /usr/lib/x86_64-linux-gnu/ossl-modules/fips.so

Open the OpenSSL config file

sudo nano $(openssl version -d | awk '{gsub (/"/, "", $2); print $2}')/openssl.cnf 

Add the following to the config file of OpenSSL

config_diagnostics = 1
openssl_conf = openssl_init

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[algorithm_sect]
default_properties = fips=yes

Install OpenJDK v17

This project needs OpenJDK 17 or a later release of it. On Ubuntu/Debian systems, you may install the OpenJDK from the archive.

sudo apt update
sudo apt install openjdk-17-jdk-headless

Clone the project, build and test

This set of commands may be used on Ubuntu/Debian systems.

git clone https://github.com/canonical/openssl-fips-java && cd openssl-fips-java
export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64/
export OPENSSL_MODULES=/usr/local/lib64/ossl-modules
mvn -B package --file pom.xml

Refer to this GitHub Action for more details.

About

A Java security provider based on FIPS-compliant openssl

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Contributors 3

  •  
  •  
  •