7 Jipher Diagnostics

Confirming That a Java Application Is Using Jipher

If you set the system property java.security.debug to provider, the JVM prints trace messages (typically to stderr) while your application runs. Each message indicates which provider supplied a given service and algorithm, so you can confirm that Jipher (named JipherJCE in the trace) is the provider actually in use. The output is similar to the following:

Provider: MessageDigest.SHA-256 algorithm from: JipherJCE
Provider: Signature.SHA256withRSA verification algorithm from: JipherJCE
Provider: KeyGenerator.SunTls12Prf algorithm from: JipherJCE

If you set the system property java.security.debug to jipher, Jipher will print some additional debugging information, including logging of library loading steps on first usage. The output is similar to the following:

jipher: Libraries found in classpath JAR, loading from jar.
jipher: Attempting to locate libraries in classpath JAR file
jipher: Found jar:file:/usr/local/lib/jipher-jce-10.35-se.jar!/libs/linux_x64/libjipher.so
jipher: Found jar:file:/usr/local/lib/jipher-jce-10.35-se.jar!/libs/linux_x64/patched-fips.so
jipher: Found jar:file:/usr/local/lib/jipher-jce-10.35-se.jar!/libs/linux_x64/patched-openssl.cnf
jipher: Creating temporary directory to store libraries: /tmp/jiphertmp-10.35-1510124983029925122
jipher: Copying jar:file:/usr/local/lib/jipher-jce-10.35-se.jar!/libs/linux_x64/libjipher.so contents to file /tmp/jiphertmp-10.35-1510124983029925122/libjipher.so
jipher: Copying jar:file:/usr/local/lib/jipher-jce-10.35-se.jar!/libs/linux_x64/patched-fips.so contents to file /tmp/jiphertmp-10.35-1510124983029925122/fips.so
jipher: Copying jar:file:/usr/local/lib/jipher-jce-10.35-se.jar!/libs/linux_x64/patched-openssl.cnf contents to file /tmp/jiphertmp-10.35-1510124983029925122/openssl.cnf
jipher: Loading /tmp/jiphertmp-10.35-1510124983029925122/libjipher.so...
jipher: ...Done
jipher: Configuring openssl to load FIPS module from dir: /tmp/jiphertmp-10.35-1510124983029925122
jipher: Configuring openssl using configuration in file: /tmp/jiphertmp-10.35-1510124983029925122/openssl.cnf
jipher: FIPS ctx: fips available = 1, default available = 1;  NULL ctx: fips available = 0, default available = 0
jipher: Setting FIPS enforcement policy = FIPS

See The java.security.debug System Property in Java Platform, Standard Edition Security Developer's Guide for more information.

Keeping Track of Security Provider Usage with the jdk.SecurityProviderService Java Flight Recorder (JFR) Event

In JDK 20 and later, the Java Flight Recorder (JFR) event jdk.SecurityProviderService records the details of java.security.Provider.getService(String type, String algorithm) calls. This event contains the following fields:

Table 7-1 JFR Event jdk.SecurityProviderService Fields

Field Name   Description
----------   -----------------
type         Type of service
algorithm    Algorithm name
provider     Security provider

You can use the JFR event jdk.SecurityProviderService to confirm that a Java application is using Jipher. This JFR event is disabled by default. You can enable it through JFR configuration files or standard JFR options.
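The following program is an added example (not Oracle's or Jipher's own code) that combines the two checks described above: it enables the jdk.SecurityProviderService event for a single in-process JFR recording, requests two services, and then replays the recording to flag any service that was not served by the provider named JipherJCE in the trace output. It assumes JDK 20 or later and that Jipher is already registered as a security provider (for example, statically through the java.security file).

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.Signature;
import java.util.List;
import jdk.jfr.Recording;
import jdk.jfr.consumer.RecordedEvent;
import jdk.jfr.consumer.RecordingFile;

// Added example (not Oracle's code). Assumes JDK 20+ and that Jipher is already
// registered as a security provider, e.g. statically through java.security.
// "JipherJCE" is the provider name shown in the java.security.debug trace above.
public class JipherUsageCheck {
    static final String EXPECTED_PROVIDER = "JipherJCE";
    static final String EVENT = "jdk.SecurityProviderService";

    public static void main(String[] args) throws Exception {
        Path dump = Files.createTempFile("provider-usage", ".jfr");
        try (Recording rec = new Recording()) {
            // The event is disabled by default; enable it for this recording only.
            rec.enable(EVENT).withoutThreshold();
            rec.start();
            // Two representative services; each successful getInstance() resolves
            // to a Provider.getService(type, algorithm) call and hence one event.
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            Signature sig = Signature.getInstance("SHA256withRSA");
            // Direct check: each object reports the provider that backs it.
            System.out.println("SHA-256 from " + md.getProvider().getName());
            System.out.println("SHA256withRSA from " + sig.getProvider().getName());
            rec.stop();
            rec.dump(dump);
        }
        // Replay the recording and flag any service not served by Jipher.
        List<RecordedEvent> events = RecordingFile.readAllEvents(dump);
        boolean allJipher = true;
        for (RecordedEvent e : events) {
            if (!EVENT.equals(e.getEventType().getName())) continue;
            String type = e.getString("type");          // e.g. MessageDigest
            String alg = e.getString("algorithm");      // e.g. SHA-256
            String provider = e.getString("provider");  // e.g. JipherJCE
            boolean ok = EXPECTED_PROVIDER.equals(provider);
            allJipher &= ok;
            System.out.printf("%s %s.%s from %s%n", ok ? "OK  " : "WARN", type, alg, provider);
        }
        Files.deleteIfExists(dump);
        System.exit(allJipher ? 0 : 1);
    }
}
```

A non-zero exit means at least one service was resolved by another provider, typically because Jipher is not first in the provider preference order for that algorithm.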

Reporting the Enforcement of FIPS 140 Restrictions

When enforcing FIPS 140 restrictions, Jipher throws an InvalidParameterException if directed to generate the following:

Similarly, Jipher throws a ProviderException if directed to use the following:

  • A KeyPair with a security strength of less than 80 bits to process secured data, for example, to verify a signature or decrypt cipher text
  • A SecretKey or KeyPair with a security strength of less than 112 bits to secure data, for example, to generate a digital signature or encrypt plaintext
  • SHA-1 to generate a signature
  • A DSA KeyPair that does not use domain parameters allowed by FIPS 140 (listed previously)

See "Table 2: Comparable security strengths of symmetric block cipher and asymmetric-key algorithms" in NIST SP 800-57 Part 1 Rev. 5: Recommendation for Key Management: Part 1 – General for the estimated security strengths of specific algorithms and key lengths.

Reporting Misconfiguration

If Jipher cannot extract the embedded native libraries to a temporary directory in the file system and load them from there into the JVM process, it throws a ProviderException. This can happen if the user running the JVM process does not have permission to create the temporary directory, or is not allowed to execute binaries stored in the file system that holds it.

If Jipher is statically registered and a ProviderException is thrown when loading the native libraries, then the provider will not be registered. Other statically registered providers will still be registered.

Reporting Abnormal Operation in OpenSSL Native Code

An error condition that arises in OpenSSL native code is reported to the application through the following: