Package org.bouncycastle.jcajce.provider

Class BouncyCastleFipsProvider

java.lang.Object

java.util.Dictionary<K,V>

java.util.Hashtable<Object,Object>

java.util.Properties

java.security.Provider

org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

All Implemented Interfaces:

Serializable, Cloneable, Map<Object,Object>

public final class BouncyCastleFipsProvider
extends Provider

The BC FIPS provider.

If no SecureRandom has been specified using CryptoServicesRegistrar.setSecureRandom() the provider class will generate a FIPS compliant DRBG based on SHA-512. It is also possible to configure the DRBG by passing a string as a constructor argument to the provider via code, or the java.security configuration file.

At the moment the configuration string is limited to setting the DRBG.The configuration string must always start with "C:" and finish with "ENABLE{ALL};". The command for setting the actual DRBG type is DEFRND so a configuration string requesting the use of a SHA1 DRBG would look like:

         C:DEFRND[SHA1];ENABLE{ALL};
     

Possible values for the DRBG type are "SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "SHA512(224)", "SHA512(256)", "HMACSHA1", "HMACSHA224", "HMACSHA256", "HMACSHA384", "HMACSHA512", "HMACSHA512(224)", "HMACSHA512(256)", "CTRAES128", "CTRAES192", CTRAES256", and "CTRDESEDE".

The default DRBG is configured to be prediction resistant. In situations where the amount of entropy is constrained the default DRBG can be configured to use an entropy pool based on a SHA-512 SP 800-90A DRBG. To configure this use:

         C:HYBRID;ENABLE{ALL};
     

or include the string "HYBRID;" in the previous command string setting the DRBG. After initial seeding the entropy pool will start a reseeding thread which it will begin polling once 20 samples have been taken since the last seeding and will do a reseed as soon as new entropy bytes are returned.

Prediction resistance can also be turned off by specifying false in the DEFRND parameters. e.g.

          C:DEFRND[SHA256,false];ENABLE{ALL};
     

or

          C:DEFRND[false];ENABLE{ALL};
     

If "local" is specified a thread local will be used to store the DRBG instead.

          C:DEFRND[SHA256,local];ENABLE{ALL};
     

or

          C:DEFRND[local];ENABLE{ALL};
     

Note: if the provider is created by an "approved mode" thread, only FIPS approved algorithms will be available from it.

See Also:

• Serialized Form

Nested Class Summary

Nested classes/interfaces inherited from class java.security.Provider

Provider.Service

Field Summary

Fields

Modifier and Type	Field	Description
static final String	PROVIDER_NAME

Fields inherited from class java.util.Properties

defaults

Constructor Summary

Constructors

Constructor	Description
BouncyCastleFipsProvider()	Base constructor - build a provider with the default configuration.
BouncyCastleFipsProvider(String config)	Constructor accepting a configuration string.
BouncyCastleFipsProvider(String config, SecureRandom entropySource)	Constructor accepting a config string and a user defined source of entropy to be used for the providers locally configured DRBG.

Method Summary

Modifier and Type	Method	Description
Provider	configure(String configArg)
int	getDefaultRandomSecurityStrength()	Return the default random security strength.
SecureRandom	getDefaultSecureRandom()
static String	getInfoString()
final Provider.Service	getService(String type, String algorithm)
final Set<Provider.Service>	getServices()

Methods inherited from class java.security.Provider

clear, compute, computeIfAbsent, computeIfPresent, elements, entrySet, forEach, get, getInfo, getName, getOrDefault, getProperty, getVersion, getVersionStr, isConfigured, keys, keySet, load, merge, put, putAll, putIfAbsent, putService, remove, remove, removeService, replace, replace, replaceAll, toString, values

Methods inherited from class java.util.Properties

clone, contains, containsKey, containsValue, equals, getProperty, hashCode, isEmpty, list, list, load, loadFromXML, propertyNames, rehash, save, setProperty, size, store, store, storeToXML, storeToXML, storeToXML, stringPropertyNames

Methods inherited from class java.lang.Object

finalize, getClass, notify, notifyAll, wait, wait, wait

Field Details

PROVIDER_NAME

public static final String PROVIDER_NAME

See Also:

• Constant Field Values

Constructor Details

BouncyCastleFipsProvider

public BouncyCastleFipsProvider()

Base constructor - build a provider with the default configuration.

BouncyCastleFipsProvider

public BouncyCastleFipsProvider(String config)

Constructor accepting a configuration string.

Parameters:

config - the config string.

BouncyCastleFipsProvider

public BouncyCastleFipsProvider(String config,
 SecureRandom entropySource)

Constructor accepting a config string and a user defined source of entropy to be used for the providers locally configured DRBG.

Parameters:

config - the config string.

entropySource - a SecureRandom which can act as an entropy source. (now ignored)

Method Details

getInfoString

public static String getInfoString()

configure

public Provider configure(String configArg)

Overrides:

configure in class Provider

getDefaultSecureRandom

public SecureRandom getDefaultSecureRandom()

getDefaultRandomSecurityStrength

public int getDefaultRandomSecurityStrength()

Return the default random security strength.

Returns:

the security strength for the default SecureRandom the provider uses.

getService

public final Provider.Service getService(String type,
 String algorithm)

Overrides:

getService in class Provider

getServices

public final Set<Provider.Service> getServices()

Overrides:

getServices in class Provider