https://issues.apache.org/jira/browse/CRYPTO-136 asks that the
https://wiki.openssl.org/index.php/FIPS_mode_set() and FIPS_selftest()
functions be exposed in commons-crypto. (There is also
https://wiki.openssl.org/index.php/FIPS_mode(), which we'd want to
include.)
When exposed in OpenSSL, we'll want a more Java-conventional API.
The logic is not binary: there are more than two possible modes, and
more than two possible outcomes when trying to set the mode.
To preserve all available information, we could have something like this:
    public enum FipsMode {
        NOT_SUPPORTED,
        NOT_ENABLED,
        ENABLED
    }

    public static FipsMode getFipsMode()...

    public class FipsNotSupportedException extends RuntimeException...

    /**
     * @return true if FIPS was enabled, false if it was already enabled
     * @throws FipsNotSupportedException if FIPS not supported
     */
    public boolean enableFips()...
Or, if we don't want to return just a boolean:
    public enum FipsEnableResult {
        ALREADY_ENABLED,
        ENABLED
    }

    /**
     * @return FipsEnableResult
     * @throws FipsNotSupportedException if FIPS not supported
     */
    public FipsEnableResult enableFips() throws FipsNotSupportedException...
And similarly for disableFips() (if disabling is even possible).
What do people think?
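
Added example, not part of the original message and not commons-crypto code: one way the enum-based variant above could sit on top of the OpenSSL return codes (FIPS_mode() returns 0 or non-zero; FIPS_mode_set() returns 1 on success and 0 on failure). The NativeFips interface, its isFipsCapable() flag, the in-memory fake() and the class name FipsSketch are assumptions made for illustration.

```java
public final class FipsSketch {
    public enum FipsMode { NOT_SUPPORTED, NOT_ENABLED, ENABLED }
    public enum FipsEnableResult { ALREADY_ENABLED, ENABLED }
    public static class FipsNotSupportedException extends RuntimeException {
        public FipsNotSupportedException(String msg) { super(msg); }
    }

    /** Hypothetical native binding (an assumption, not a commons-crypto interface). */
    public interface NativeFips {
        boolean isFipsCapable();     // assumed: was the linked library built FIPS-capable?
        int fipsMode();              // FIPS_mode(): 0 = off, non-zero = on
        int fipsModeSet(int onoff);  // FIPS_mode_set(): 1 = success, 0 = failure
    }

    private final NativeFips lib;
    public FipsSketch(NativeFips lib) { this.lib = lib; }

    public FipsMode getFipsMode() {
        if (!lib.isFipsCapable()) return FipsMode.NOT_SUPPORTED;
        return lib.fipsMode() != 0 ? FipsMode.ENABLED : FipsMode.NOT_ENABLED;
    }

    public FipsEnableResult enableFips() {
        switch (getFipsMode()) {
            case NOT_SUPPORTED:
                throw new FipsNotSupportedException("library is not FIPS-capable");
            case ENABLED:
                return FipsEnableResult.ALREADY_ENABLED;
            default:
                // A capable library can still refuse (e.g. a failed self-test); keep that distinct.
                if (lib.fipsModeSet(1) != 1)
                    throw new IllegalStateException("FIPS_mode_set(1) failed");
                return FipsEnableResult.ENABLED;
        }
    }

    /** Constructed in-memory stand-in for the native library, for this demo only. */
    static NativeFips fake(boolean capable) {
        return new NativeFips() {
            private int mode = 0;
            public boolean isFipsCapable() { return capable; }
            public int fipsMode() { return mode; }
            public int fipsModeSet(int onoff) { if (!capable) return 0; mode = onoff; return 1; }
        };
    }

    public static void main(String[] args) {
        FipsSketch fips = new FipsSketch(fake(true));
        System.out.println(fips.getFipsMode() + " -> " + fips.enableFips() + " -> " + fips.enableFips());
        try { new FipsSketch(fake(false)).enableFips(); }
        catch (FipsNotSupportedException e) { System.out.println("unsupported: " + e.getMessage()); }
    }
}
```

The sketch surfaces a refusal by a FIPS-capable library as an IllegalStateException so callers cannot mistake it for either ALREADY_ENABLED or "not supported".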