You can configure C/C++test so that it is FIPS compliant.
In this section:
Prerequisites
You will need to download the following BouncyCastle FIPS libraries from https://www.bouncycastle.org/download/bouncy-castle-java-fips/:
- bc-fips-<VERSION>.jar (tested with version 1.0.2.5)
- bctls-fips-<VERSION>.jar (tested with version 1.0.19)
Configuring FIPS Mode in C/C++test
Copy bc-fips-<VERSION>.jar and bctls-fips-<VERSION>.jar into the
<CPPTEST_INSTALL_DIR>/bin/jars
directory.- Use
keytool
to convert the cacerts file to the FIPS-compliant BCFKS format.- Open the console and execute the following commands:
cd <CPPTEST_INSTALL_DIR> mv bin/jre/lib/security/cacerts bin/jre/lib/security/cacerts.pkcs12 ./bin/jre/bin/keytool -importkeystore -srckeystore bin/jre/lib/security/cacerts.pkcs12 -srcstoretype PKCS12 -destkeystore bin/jre/lib/security/cacerts -deststoretype BCFKS -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bin/jars/bc-fips-<VERSION>.jar -srcstorepass changeit -deststorepass changeit
- Open the
cpptestcli.jvm
file in the<CPPTEST_INSTALL_DIR>/etc
directory, and insert the following line:java.arg=-Djavax.net.ssl.trustStorePassword=changeit
- Open the console and execute the following commands:
- Save your changes.
Open the java.security file in the
<CPPTEST_INSTALL_DIR>/bin/jre/conf/security/
directory and make the following changes:Set the list of security providers by commenting out all existing properties named
security.provider.<number>
. and inserting the following lines:security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=SUN
Change key and trust manager factory algorithms for the javax.net.ssl package to PKIX.
ssl.KeyManagerFactory.algorithm=PKIX ssl.TrustManagerFactory.algorithm=PKIX
Change the default keystore type to fips and disable the compatibility mode for JKS and PKCS12 keystore types.
keystore.type=fips keystore.type.compat=false
(Linux only) Add the NativePRNGNonBlocking algorithm to the list of known strong SecureRandom implementations:
securerandom.strongAlgorithms=NativePRNGNonBlocking:SUN,NativePRNGBlocking:SUN,DRBG:SUN
Allow only FIPS-approved algorithms:
org.bouncycastle.fips.approved_only=true
- Save your changes.
Open the java.policy file in the
<CPPTEST_INSTALL_DIR>/bin/jre/conf/security/
directory and insert the following permissions into the default domain:permission java.lang.RuntimePermission "accessClassInPackage.sun.security.internal.spec"; permission org.bouncycastle.crypto.CryptoServicesPermission "tlsAlgorithmsEnabled";
- Save your changes.
Open the logging.properties file in the
<CPPTEST_INSTALL_DIR>/bin/jre/conf/
directory and insert the following Bouncy Castle logger configuration:org.bouncycastle.jsse.provider.DisabledAlgorithmConstraints.level=SEVERE org.bouncycastle.jsse.provider.PropertyUtils.level=SEVERE org.bouncycastle.jsse.provider.ProvTlsClient.level=SEVERE
Save your changes.