We are trying to replace bc-fips (https://www.bouncycastle.org/fips-java/)
with a JSP that is based on a cryptographic module that 1) is a native
library and 2) is certified for FIPS 140-2
(https://csrc.nist.gov/pubs/fips/140-2/upd2/final).

A native library is faster, plus it doesn't entangle the Java classpath
with restrictions on Java versions or load order the way bc-fips does.

The two available native libraries we're aware of are BoringSSL and OpenSSL.

For various reasons, we want to use OpenSSL.

OpenSSL 1.1.1 was only FIPS-certified on Red Hat (and they had to modify it
to add FIPS support), and the certification expires soon.

OpenSSL 1.1.1 is the version commons-crypto is currently based on.

OpenSSL 3.0.8 is FIPS-certified on a variety of platforms, supports FIPS
mode natively, and its successor (3.1.x) will be certified for FIPS 140-3.

We're very interested in
https://github.com/garydgregory/commons-crypto/tree/openssl3, which adds
support for OpenSSL 3.0.8 to commons-crypto, per
https://issues.apache.org/jira/browse/CRYPTO-164.

But that PR was never merged, hasn't been touched since December 20, 2022,
and is currently 92 commits behind the main branch.

What would it take to update that PR with all of the commits since then,
and get it merged?

Once that's done, we'd be happy to submit a PR to add FIPS mode, per
https://issues.apache.org/jira/browse/CRYPTO-136.

Also, commons-crypto doesn't support message digests or HMAC. We're in the
process of adding HMAC and FIPS mode to https://github.com/sfuhrm/openssl4j,
which has message digests, and targets OpenSSL 3.0.8.

It seems like the message digests and HMAC from openssl4j could be merged
into commons-crypto, to bring it closer to being a full JCE implementation.
Is there any interest in seeing that happen?
