27

What Java Cryptography Extension (JCE) providers are FIPS 140-2 compliant? More specifically, does the Sun/Oracle provider qualify?

skaffman
  • 398,947
  • 96
  • 818
  • 769
Rob H
  • 14,502
  • 8
  • 42
  • 45

3 Answers3

14

According to this information on this page:

  1. IBM and RSA have FIPS 140-2 validated JCE providers.
  2. BouncyCastle have FIPS 140-2 validated JCE providers for Java 7 & 8. (See The Legion of the Bouncy Castle - FIPS Resources Page. Donations are encouraged!)
  3. Sun's JCE providers are not on the list of FIPS 140-2 validated modules.

However, Oracle do have a validated module called "Oracle Cryptographic Libraries for SSL". The description does not say this is a JCE provider ... but it might be.

Also, Oracle don't appear to have any "modules in progress" for FIPS 140-2 validation.

Stephen C
  • 698,415
  • 94
  • 811
  • 1,216
  • NIST provides a list on their website of validated modules. RSA Security, Certicom, and Entrust all have validated JCE providers from what I recall. Though they are **not** cheap! – Michael Dec 21 '11 at 14:48
  • 1
    URL seems outdated - maybe it's [here](https://csrc.nist.rip/groups/STM/cmvp/documents/140-1/140val-all.htm) now? – crusy Aug 01 '19 at 10:28
  • It is the same document. – Stephen C Aug 01 '19 at 10:48
  • Can't tell, your .gov URL doesn't open here, while the .rip (? never seen one before) does. Might be our proxy though... – crusy Aug 01 '19 at 12:02
6

According to this page, java 6 can be made FIPS 140 compliant via either NSS or SunJSSE.

Curtis P
  • 351
  • 3
  • 4
0

Actually the Sun PKCS#11 Provider does look like it is FIPS 140-2 compliant. It is based on Network Security Services. I'm pretty sure that is what certificates 1278, 1279 and 1280 are on that NIST link that @stephen-c posted. The Oracle docs are a little vague regarding compliance but this is the best I have found so far.

steinybot
  • 5,491
  • 6
  • 37
  • 55