Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for bc-fips #36

Closed
smirandamedallia opened this issue Sep 8, 2021 · 3 comments
Closed

Support for bc-fips #36

smirandamedallia opened this issue Sep 8, 2021 · 3 comments

Comments

@smirandamedallia
Copy link
Contributor

Hello Team -
Is there a way to use this jar in fips mode ?
Following is what I currently have working in my gradle project but am unsure if this is the correct way to do it.

    implementation('org.c02e.jpgpj:jpgpj:1.1')     
    implementation('org.bouncycastle:bc-fips:1.0.2.1')
    implementation('org.bouncycastle:bcpg-fips:1.0.5.1')

Security.addProvider(new BouncyCastleFipsProvider());

// I had to add this else the initialization fails
CryptoServicesRegistrar.setSecureRandom(
				FipsDRBG.SHA512_HMAC.fromEntropySource(
						new BasicEntropySourceProvider(
								new SecureRandom(), true))
						.build(null, false)
		);

I took a look at some of the classes being used like PGPSignatureGenerator and there look to be two implementations of it, one from bcpg-fips and another from bcpg-jdk15on which looks confusing.
I tried doing this in my build.gradle

implementation('org.c02e.jpgpj:jpgpj:1.1') {
        exclude group: 'org.bouncycastle', module: 'bcpg-jdk15on'
    }

But it fails with the following

Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/openpgp/bc/BcPGPObjectFactory
	at org.c02e.jpgpj.Ring.parse(Ring.java:301)
	at org.c02e.jpgpj.Ring.load(Ring.java:273)
	at org.c02e.jpgpj.Ring.load(Ring.java:260)
	at App.readKeyRingUsingJPGPJ(App.java:35)
	at App.main(App.java:26)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.openpgp.bc.BcPGPObjectFactory
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
	... 5 more

I would really love some help in figuring out what would be the best way to use this library in fips mode
@justinludwig
Copy link
Owner

Thanks for raising this issue! I don't think it's currently possible to use the BC FIPS jars with JPGPJ -- JPGPJ is hardcoded in a number of places to use the default (non-FIPS) BC implementation of various crypto primitives. JPGPJ would have to be refactored a bit to lookup the implementation of those primitives through JCA (which would then allow you to configure it to use the FIPS JCA provider).

@smirandamedallia
Copy link
Contributor Author

Thanks for the quick response

@justinludwig
Copy link
Owner

With @smirandamedallia's fix for this from #39, it's now possible to swap in the Bouncy Castle FIPS implementation -- add the following to your build.gradle file:

implementation 'org.bouncycastle:bcpg-fips:1.0.5.1'
implementation('org.c02e.jpgpj:jpgpj:1.2') {
    exclude group: 'org.bouncycastle', module: 'bcpg-jdk15on'
}

And then set the securityProvider property of JPGPJ's new JcaContextHelper class to use the Bouncy Castle FIPS JCA provider in your application's initialization code (before using any JPGPJ functionality):

import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.c02e.jpgpj.JcaContextHelper;

...

JcaContextHelper.setSecurityProvider(new BouncyCastleFipsProvider());

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@justinludwig @smirandamedallia