Oracle Jipher 10.36
Oracle Jipher is a Java Cryptographic Service Provider that packages a FIPS 140-3 validated OpenSSL cryptographic module, enabling deployment of Java applications in FIPS regulated environments. The Jipher provider makes the cryptographic services available for Java developers using the standard Java Cryptography Architecture (JCA) framework.
Oracle Jipher is offered as part of the Oracle Java SE Universal Subscription and to Oracle customers running Java workloads in Oracle Cloud Infrastructure (OCI). Note that the Jipher feature included in the Java SE Subscription has a shorter support lifecycle than the corresponding supported JDK feature versions. Please refer to the Java SE Support Roadmap for more information.
Supported Runtimes
- Oracle JDK 17
- GraalVM for JDK 17
- Oracle JDK 21
- GraalVM for JDK 21
Note:
Jipher 10.36 is the last planned release that supports GraalVM for JDK 17 and GraalVM for JDK 21. Oracle Java SE customers using GraalVM are encouraged to transition to Oracle JDK for future Jipher-related needs. Contact Oracle Support for migration-related assistance.Supported Platforms
- Oracle Linux 10, 9, and 8 on x86-64 and aarch64
- Red Hat Linux 10, 9, and 8 on x86-64 and aarch64
Update from FIPS 140-2 to FIPS 140-3
Jipher versions prior to 10.36 wrap FIPS 140-2 certified FIPS modules. For example, Jipher 10.35 wraps a FIPS module with certificate #4506. See Cryptographic Module Validation Program (CMVP): Certificate #4506.
On September 22, 2026, all FIPS 140-2 certificates will be placed on the historical list. This will mark the end of the FIPS 140-3 Transition Effort.
Jipher 10.36 wraps a FIPS module submitted to the CMVP by Oracle Corporation for certification against FIPS 140-3. It is currently listed in the Modules In Process List.
New Restrictions Required by FIPS 140-3
The following new restrictions are applied in Jipher 10.36 to comply with FIPS 140-3:
- DSA keys:
- DSA key generation is no longer supported.
- Importing existing DSA keys (through the KeyFactory service) is supported.
- DSA signature generation is not allowed.
- DSA signature verification is allowed when the FIPS enforcement policy is set to the default value.
- If the FIPS enforcement policy is set to
FIPS_STRICT, then Jipher does not support DSA keys for any operation. - See Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program, section C.K, "Transition from FIPS 186-4 to FIPS 186-5 and SP 800-186."
- TLS 1.2 KDF:
- The (standard) Master secret is no longer allowed.
- The Extended Master Secret (see RFC 7627: Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension) is allowed.
- See Implementation Guidance for FIPS 140-3 and the Cryptographic Module Validation Program, section D.Q, "Transition of the TLS 1.2 KDF to Support the Extended Master Secret."
Additional Restrictions Enforced
- DES keys:
- Triple DES key generation is no longer supported.
- Importing existing Triple DES keys (through the SecretKeyFactory service) is supported.
- Triple DES encryption is not allowed.
- Triple DES decryption is allowed when the FIPS enforcement policy is set to the default value.
- If the FIPS enforcement policy is set to FIPS_STRICT, then Jipher does not support Triple DES keys for any operation.
- See NIST SP 800-131A Rev. 2: Transitioning the Use of Cryptographic Algorithms and Key Lengths, section 2, "Encryption and Decryption Using Block Cipher Algorithms."
- RSA keys:
- RSA PSS salt lengths larger than the message digest size are not allowed. See FIPS 186-5: Digital Signature Standard (DSS), section 5.4, "PKCS #1," item (g).
- Support for the RSA/ECB/NoPadding and RSA/ECB/PKCS1Padding Cipher transformations have been removed. See NIST SP 800-131A Rev. 2: Transitioning the Use of Cryptographic Algorithms and Key Lengths, Table 5, "Approval Status for the RSA-based Key Agreement and Key Transport Schemes."
- PBKDF2:
- A maximum iteration count for PBKDF2 operations is enforced:
- Configure the limit by setting the system property
jipher.pbkdf2.maximumIterationCount. - The default limit is 10,000,000 if this system property is unspecified.
- Configure the limit by setting the system property
- A minimum password length for PBKDF2 operations is enforced:
- Configure the limit by setting the system property
jipher.pbkdf2.minimumPasswordLength. - The default limit is 8 if this system property is unspecified.
- Configure the limit by setting the system property
- A maximum iteration count for PBKDF2 operations is enforced:
Changed Exceptions
Table - Changed Exceptions in Jipher 10.36
| Circumstance | Exception Thrown in This Version | Exception Thrown in Previous Versions |
|---|---|---|
| Attempting to use a PBKDF2 salt length less than 128 bits or an iteration count less than 1,000 iterations | java.security.spec.InvalidKeySpecException | java.security.ProviderException |
Deprecated APIs, Features, and Options
- The class com.oracle.jipher.provider.DHFIPSParameterSpec is deprecated in this release. Support for this class will be removed in a future release.
- The method boolean com.oracle.jipher.provider.JipherJCE.isFipsValid() is deprecated in this release. Support for this method will be removed in a future release.
Additional Information
- Oracle Jipher Documentation
- Download Jipher from Java Tools and Resources
- For support, refer to My Oracle Support
Oracle Jipher 10.35
Oracle Jipher is a Java Cryptographic Service Provider that packages a FIPS 140 validated OpenSSL cryptographic module, enabling deployment of Java applications in FIPS regulated environments. The Jipher provider makes the cryptographic services available for Java developers using the standard Java Cryptography Architecture (JCA) framework.
Oracle Jipher is offered as part of the Oracle Java SE Universal Subscription and to Oracle customers running Java workloads in Oracle Cloud Infrastructure (OCI). Note that the Jipher feature included in the Java SE Subscription has a shorter support lifecycle than the corresponding supported JDK feature versions. Please refer to the Java SE Support Roadmap for more information.
Oracle Jipher was initially released as version 10.35.
Supported Runtimes
- Oracle JDK 17
- GraalVM for JDK 17
- Oracle JDK 21
- GraalVM for JDK 21
Supported Platforms
- Oracle Linux 9 and 8 on x86-64 and aarch64
- Red Hat Linux 9 and 8 on x86-64 and aarch64
Additional Information
- Oracle Jipher Documentation
- Download Jipher from Java Tools and Resources
- For support, refer to My Oracle Support
Oracle Jipher Release Notes, Release 10
G19530-06