1 What is Oracle Jipher?

Oracle Jipher is a Java Cryptographic Service Provider (CSP) that packages a Federal Information Processing Standards (FIPS) 140 validated OpenSSL cryptographic module. It enables deployment of Java applications in FIPS regulated environments. Jipher makes its cryptographic services available to Java developers using the Java Cryptography Architecture (JCA).

Jipher 10.35 supports the following runtimes:

  • Oracle JDK 17
  • GraalVM for JDK 17
  • Oracle JDK 21
  • GraalVM for JDK 21

Jipher 10.35 supports the following platforms:

  • Oracle Linux 9 and 8 on x86-64 and aarch64
  • Red Hat Linux 9 and 8 on x86-64 and aarch64

For TLS, Jipher supports the JDK JSSE provider, in particular, the SunJSSE provider for TLSv1.2 and TLSv1.3.

Jipher, also known as JipherJCE, provides FIPS 140 cryptographic services by using the Java Native Interface (JNI) to make calls into an embedded copy of an OpenSSL FIPS module. It essentially maps Java cryptography API calls to OpenSSL API calls, which call into the OpenSSL FIPS module. See FIPS-140 in the OpenSSL documentation for more information.

Jipher is distributed as a JAR file. This JAR file embeds two copies of the OpenSSL FIPS module for each supported platform:

  • A version of the OpenSSL FIPS module built from source code that has been tested by an accredited Cryptographic and Security Testing Laboratory (CSTL), validated by the Cryptographic Module Validation Program (CMVP), and issued a FIPS 140 validation certificate
  • A version of the OpenSSL FIPS module built from the FIPS 140 compliant baseline source code with additional security patches applied, which is used by default

Note:

By default, Jipher prioritizes security over compliance by using the OpenSSL FIPS module with the additional security patches. However, you can configure Jipher so that a certified OpenSSL FIPS module would be used in compliance with the Federal Information Security Modernization Act (FISMA). See Configuring Jipher Through System Properties.

The Java Cryptographic Architecture (JCA), Engine Classes, and Providers

The JCA is a framework for working with cryptographic services, such as digital signature algorithms, message digest algorithms, and key conversion services.

The JCA defines classes that provide the functionality of these cryptographic services. These classes are called engine classes. An engine class provides the interface to a specific type of cryptographic service, independent of a particular algorithm or provider.

The JCA includes both cryptographic engine classes, which support cryptographic algorithms and non-cryptographic engine classes, which support non-cryptographic algorithms.

Cryptographic engine classes that support cryptographic algorithms provide one of the following:

Non-cryptographic engine classes that support non-cryptographic algorithms provide one of the following:

A CSP, which is used interchangeably with the term "provider," is a package or set of packages that implement one or more cryptographic services. To use the JCA, an application requests a particular type of object, such as a MessageDigest, and a particular algorithm or service, such as the SHA-256 algorithm, and gets an implementation from one of the installed providers. For example, the following statement requests a SHA-256 message digest from an installed provider: 

md = MessageDigest.getInstance("SHA-256");

Alternatively, the program can request objects from a specific provider. For example, the following statement requests a SHA-256 message digest from Jipher: 

md = MessageDigest.getInstance("SHA-256", "JipherJCE");

See Java Cryptography Architecture (JCA) Reference Guide in Java Platform, Standard Edition Security Developer's Guide for more information.

FIPS 140

The Federal Information Processing Standards (FIPS) of the United States are a set of publicly announced standards published by the National Institute of Standards and Technology (NIST). The FIPS 140 standards detail security requirements for cryptographic modules. Accredited Cryptographic and Security Testing Laboratories (CSTLs) test that cryptographic modules meet FIPS 140 security requirements. Modules that meet these security requirements are issued a Cryptographic Module Validation Program (CMVP) certificate.

Organizations that must comply with the Federal Information Security Modernization Act (FISMA) include state agencies and private sector companies with government contracts. FISMA mandates the use of FIPS 140 approved or allowed cryptography provided by cryptographic modules with CMVP certificates.

You don't have to submit Jipher for testing to a CSTL nor do you need to acquire a CMVP certificate.

Jipher Artifacts

Jipher is packaged in a .tar.gz file named jipher-10.35.tar.gz. It contains the Jipher JAR file, which is named jipher-jce-10.35-se.jar.

This JAR file includes the following:

  • A single instance of the Jipher provider classes
  • For each supported platform:
    • The Jipher native library, which provides access to OpenSSL functionality through the JNI
    • Two OpenSSL FIPS modules:
      • A version of the OpenSSL FIPS module built from source code that has been tested by a CSTL, validated by the CMVP, and issued a FIPS 140 validation certificate
      • A version of the OpenSSL FIPS module built from the FIPS 140 compliant baseline source code with additional security patches applied, which is used by default
    • An OpenSSL configuration file

Independence from and Coexistence with Other Instances of OpenSSL

Jipher explicitly loads the OpenSSL native code libraries embedded in the jipher-jce-10.35-se.jar JAR file. Jipher is therefore independent of any other instance of OpenSSL present on the system, including any instance that is part of the operating system distribution. The embedded libraries do not export any symbols from the OpenSSL library, so there will be no symbol clashes in a process that uses Jipher and also loads another instance of OpenSSL.