canonical / openssl-fips-java

A Java security provider based on FIPS-compliant openssl
GNU General Public License v3.0

Introduction

The OpenSSL FIPS Java project is a Java FIPS security provider module layered on top of the OpenSSL library and its FIPS module. Complying with the Java Cryptography Architecture, it implements the Java security SPI classes for security functions including Deterministic Random Bit Generators, Ciphers, Key Agreements, Key Derivations, Key Encapsulation, Message Digests, Message Authentication Codes and Signatures.

Under the covers, OpenSSL FIPS Java is tightly coupled with OpenSSL through the Java Native Interface and the OpenSSL EVP API. Only FIPS-approved algorithms offered by the OpenSSL FIPS module are registered with this provider. The binaries produced from this source should be generally considered FIPS-compliant if the underlying OpenSSL module is FIPS 140-2/140-3 certified.

Structure of the source code

| Directory | Functionality |
| --- | --- |
| src/main/java/com/canonical/openssl | Java classes, including SPI implementations |
| src/main/native/c | C code that invokes OpenSSL EVP API, JNI code |
| src/main/native/include | JNI headers and library header files |
| src/test | C and Java tests |

Instructions to build and test the provider

Install and configure OpenSSL FIPS

Skip this step if you already have OpenSSL and the OpenSSL FIPS module installed. Here are the commands for Ubuntu/Debian installations:

git clone https://github.com/openssl/openssl && cd openssl
git checkout openssl-3.0.2
sudo apt update && sudo apt install build-essential -y
./Configure enable-fips && make && sudo make install && sudo make install_fips

Create a FIPS module configuration file which will be loaded by the provider. Please keep this file under /usr/local/ssl only.

sudo mkdir -p /usr/local/ssl
sudo openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib64/ossl-modules/fips.so

Install OpenJDK v21

This project needs OpenJDK 21 or later. On Ubuntu/Debian systems, you may install OpenJDK from the archive.

sudo apt update
sudo apt install openjdk-21-jdk-headless

Clone the project, build and test

This set of commands may be used on Ubuntu/Debian systems.

git clone https://github.com/canonical/openssl-fips-java
cd openssl-fips-java
export JAVA_HOME=/usr/lib/jvm/java-21-openjdk-amd64/
mvn -B package --file pom.xml

Refer to this GitHub Action for more details.
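
A preflight check for the steps above, as an added example that is not part of the project: it confirms the FIPS module and fipsmodule.cnf are where this page puts them, re-verifies the module's integrity record with `openssl fipsinstall -verify`, and checks the JDK version before the Maven build. The function names and the PREFIX override are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not project code. Paths follow this page; the function names
# and the PREFIX override are this example's own.

# Print the Java major version found in `java -version` output,
# e.g. 'openjdk version "21.0.2" ...' -> 21, 'java version "1.8.0_292"' -> 8.
java_major() {
    v=$(printf '%s\n' "$1" | sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1)
    case "$v" in 1.*) v=${v#1.} ;; esac
    printf '%s\n' "${v%%[!0-9]*}"
}

# Check that the module and its configuration sit where the page puts them.
# Prints each missing path; returns non-zero if any is missing or empty.
check_fips_layout() {
    prefix=$1 missing=0
    for f in "$prefix/ssl/fipsmodule.cnf" "$prefix/lib64/ossl-modules/fips.so"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f"
            missing=1
        fi
    done
    return "$missing"
}

# Full check against the live system.
preflight() {
    prefix=${PREFIX:-/usr/local}
    check_fips_layout "$prefix" || return 1
    # Recompute the module's integrity MAC and compare it with the record
    # that `openssl fipsinstall -out` wrote into fipsmodule.cnf.
    openssl fipsinstall -verify -in "$prefix/ssl/fipsmodule.cnf" \
        -module "$prefix/lib64/ossl-modules/fips.so" || return 1
    major=$(java_major "$("${JAVA_HOME:+$JAVA_HOME/bin/}java" -version 2>&1)")
    if [ "${major:-0}" -lt 21 ]; then
        echo "OpenJDK 21 or later required, found: ${major:-none}"
        return 1
    fi
    echo "preflight OK"
}

# Touch the live system only when asked: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```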