Java FIPS Roadmap

Current FIPS Overview

The BC FIPS Java Description contains a broad overview of the motivations and design of the BC FIPS Java module.

As of BC Java 1.54 from a JCA/JCE point of view the module is largely a drop in replacement and can be used with the other BC APIs for certificate generation, CMS, TSP, S/MIME, OpenPGP and other protocols. Owing to the requirements of FIPS, particularly in respect to boundary issues the lightweight API is quite different, however the ASN.1 packages and the EC math package are the same.

Releases

Name: bc-fips-1.0.0.jar

Status: Released 11 November, 2016.

The module is currently tested against the JRE 1.7 and the JRE 1.8. The module is source and byte code compatible back to JDK 1.5.

Patch Release

Name: bc-fips-1.0.1.jar

Patch release of bc-fips-1.0.0 (bug fixes, some improvements)
 - Lab Code Review completed: 7th June 2017
 - CAVP Lab Testing completed: 8th June 2017
 - Release Certified: 15th March 2018

1.0.1 is now available.

Planned Retests

We expect to do a retest of BC FIPS Java 1.0.1 against JDK 1.11 when it is finalised.

 

Planned Releases

1.0.0 Stream

Name: bc-fips-1.0.2.jar

Patch release of bc-fips-1.0.1 (bug fixes, some improvements) and also continue to extend the life of 1.0.0 API past the initial 5 year archive date for the 1.0.0 certification.

Expecting testing to commence October, 2018. 1.0.2 is now available for early access.

Scheduled Additions for BC FIPS 1.0.2

Approved Mode Algorithms

SHA-3 HMAC*

SHA-3 Signature Algorithms: PKCS#1.5, RSA PSS, ECDSA, DSA*

X9.31 Addition of revised tag for SHA-512/256*

Additional KAS modes for ephemeral keys.

Update of RSA maximum key sizes.*

Other

Support for the SunTlsExtendedMasterSecret KeyGenerator.

* Now in early access release.

1.1.0 Stream

Name: bc-fips-1.1.0.jar

Expecting testing to commence October, 2019. 1.1.0 is now available for early access.

Scheduled Additions for BC FIPS 1.1.0

Support for PKIXRevocationChecker in the CertPath implementation.

Option for SOFT_FAIL style revocation checking flag for the extended PKIXParameters class.

Approved Mode Algorithms

SHA-3 HMAC*

SHA-3 Signature Algorithms: PKCS#1.5, RSA PSS, ECDSA, DSA*

X9.31 Addition of revised tag for SHA-512/256*

Additional KAS modes for ephemeral keys.

Update of RSA maximum key sizes.*

SP 800-38G: Methods for format preserving encryption*

Non-approved Mode Algorithms

NewHope

SPHINCS-256

ChaCha20

Poly1305

GOST R 34.11-2012

Possible Additions for BC FIPS 1.1.0

CSHAKE

KMAC

* Now in early access release.