olamy commented on issue #590:
URL: https://github.com/apache/mina-sshd/issues/590#issuecomment-2323100059

   > (Off-topic) Just noticed: using the bc-fips JAR in an OSGi environment
   > might be difficult. I don't see any OSGi headers in the MANIFEST.MF. Plus the
   > version number is unrelated to the normal BC. (BC also has LTS versions of the
   > regular bundles that again use different version numbers, which might also pose
   > some challenges in OSGi.)
   > 
   
   I'm not using OSGi, so I can't test, but I agree this might be a problem.
   
   > The general idea in PR #591 is that the `BouncyCastleSecurityRegistrar`
   > should simply work with either, normal BC or BCFIPS.
   > 
   > BTW; in https://github.com/jenkinsci/mina-sshd-api-plugin/pull/114/files#diff-9f68200faaabb5a0022f5eaa9de98ae4f9136bb2b6a766d698b8bc47203ad698R48
   > I notice two things:
   > 
   > 1. A typo in the package name.
   
   ? Not sure I understand.
   This looks right to me according to this class:
   https://github.com/jenkinsci/mina-sshd-api-plugin/pull/114/files#diff-5440105bdcdf53b86acce84166b9884f497eb6908da1d68b82ec974aa0fd83e1
   
   
   > 2. bc-fips does not have any native code, so its AES implementation is
   > Java-only. SunJCE has a native AES implementation that is much faster. You
   > probably also want to enable the
   > `org.apache.sshd.common.util.security.SunJCESecurityProviderRegistrar` (name
   > "SunJCEWrapper") to use the SunJCE AES (if that is FIPS compliant).
   
   I would rather stay with BC FIPS which is definitely registered as FIPS 
compliant. I don't think `SunJCE AES` is FIPS compliant.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
