Fips1402StrictCryptoProvider.java
package org.keycloak.crypto.fips;
import org.bouncycastle.crypto.CryptoServicesRegistrar;
/**
* <p>A {@link FIPS1402Provider} that forces BC to run in FIPS approve mode by default.
*
* <p>In order to set the default mode the {@code org.bouncycastle.fips.approved_only} must be set. Otherwise,
* calling {@link CryptoServicesRegistrar#setApprovedOnlyMode(boolean)} the mode is set on a per thread-basis and does not work
* well when handling requests using multiple threads.
*/
public class Fips1402StrictCryptoProvider extends FIPS1402Provider {
static {
System.setProperty("org.bouncycastle.fips.approved_only", Boolean.TRUE.toString());
}
@Override
public String[] getSupportedRsaKeySizes() {
// RSA key of 1024 bits not supported in BCFIPS approved mode
return new String[] {"2048", "4096"};
}
}