Why MD5 is required for JCE initialization
I am experimenting with enabling FIPS 180-3 in my Java application. FIPS 180-3 allows only the use of five secure [hashes](http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf); MD5 is not one of them. Hence I am trying to programmatically remove the MD5 algorithm from the Sun provider. This is the sample code.


import java.security.Security;
import javax.crypto.Cipher;
import sun.security.provider.Sun; // JRE-internal class; on Java 9+ compiling needs --add-exports java.base/sun.security.provider=ALL-UNNAMED

public class TestRemoveMD5 {
    public static void main(String[] args) throws Exception {
        Security.removeProvider("SUN");
        Sun sun = new Sun();
        sun.remove("MessageDigest.MD5"); // Comment this out and it will work !!!
        Security.addProvider(sun);
        Cipher ciph = Cipher.getInstance("AES"); // triggers SunJCE initialization and the exception below
    }
}

But this is throwing the following exception. If you comment out "sun.remove(..." the program works fine. If I remove MD2 instead of MD5, it also works fine.

To me it looks like the JRE libs are using MD5 for their signing, but I checked the signer of jre/lib/ext/sunjce_provider.jar and it's using SHA1.

Any idea why my code is failing with this error?

Exception in thread "main" java.lang.ExceptionInInitializerError
    at javax.crypto.Cipher.getInstance(DashoA13*..)
    at TestRemoveMD5.main(TestRemoveMD5.java:20)
Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
    at javax.crypto.SunJCE_b.<clinit>(DashoA13*..)
    ... 3 more
Caused by: java.lang.SecurityException: Signature classes have been tampered with
    at javax.crypto.SunJCE_b.d(DashoA13*..)
    at javax.crypto.SunJCE_b.c(DashoA13*..)
    at javax.crypto.SunJCE_b$1.run(DashoA13*..)
    at java.security.AccessController.doPrivileged(Native Method)
    ... 4 more

Forethought answered 26/6, 2012 at 13:28 Comment(2)
Have you removed all certificates from the JRE trust store that use the MD5 hash? Moria
Then you have to remove every certificate using MD5 from the trust store of the JRE. Moria
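Before deleting a digest from a provider it is worth finding out who still depends on it. The question checks two places by hand: the signer of jre/lib/ext/sunjce_provider.jar and (per the comments) the JRE trust store. The following program, added here as an example and not code from the original post, automates both checks: it lists every trust anchor in cacerts whose certificate signature is MD5- or MD2-based, and lists the signer certificates of a signed JAR together with their signature algorithms. The cacerts path, the "changeit" password and the JRE 1.6 location of sunjce_provider.jar are the JDK defaults and are assumptions; the syntax needs Java 7 or later.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Audit where the running JRE still relies on MD5/MD2 before trying to remove them:
 *  (1) trust anchors in lib/security/cacerts signed with an MD5/MD2-based algorithm,
 *  (2) the signer certificates of a signed JAR (e.g. sunjce_provider.jar).
 */
public class Md5DependencyAudit {

    /** True for MD5- or MD2-based X.509 signature algorithm names, e.g. "MD5withRSA". */
    static boolean usesWeakDigest(String sigAlgName) {
        String n = sigAlgName.toUpperCase();
        return n.startsWith("MD5") || n.startsWith("MD2");
    }

    /** "alias: subject (sigAlg)" for every trust-store entry whose signature uses MD5/MD2. */
    static List<String> weakTrustAnchors(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        List<String> hits = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                if (usesWeakDigest(x.getSigAlgName())) {
                    hits.add(alias + ": " + x.getSubjectX500Principal() + " (" + x.getSigAlgName() + ")");
                }
            }
        }
        return hits;
    }

    /**
     * Distinct signer certificates of a JAR with their signature algorithms.
     * JarEntry.getCertificates() is only populated after the entry's bytes have been
     * read, because reading is what drives the signature verification.
     */
    static List<String> jarSigners(String jarPath) throws Exception {
        List<String> out = new ArrayList<>();
        try (JarFile jar = new JarFile(jarPath, true)) {
            byte[] buf = new byte[8192];
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry entry = entries.nextElement();
                if (entry.isDirectory() || entry.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume fully to trigger verification */ }
                }
                Certificate[] certs = entry.getCertificates();
                if (certs == null) continue; // unsigned entry
                for (Certificate c : certs) {
                    X509Certificate x = (X509Certificate) c;
                    String line = x.getSubjectX500Principal() + " (" + x.getSigAlgName() + ")";
                    if (!out.contains(line)) out.add(line);
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("java.home");
        // Assumed default locations; cacerts password "changeit" is the JDK default.
        String cacerts = args.length > 0 ? args[0] : home + "/lib/security/cacerts";
        String jar = args.length > 1 ? args[1] : home + "/lib/ext/sunjce_provider.jar"; // JRE 1.6 layout
        System.out.println("MD5/MD2-signed trust anchors in " + cacerts + ":");
        for (String s : weakTrustAnchors(cacerts, "changeit".toCharArray())) System.out.println("  " + s);
        if (new File(jar).isFile()) {
            System.out.println("Signers of " + jar + ":");
            for (String s : jarSigners(jar)) System.out.println("  " + s);
        } else {
            System.out.println("No such JAR: " + jar + " (lib/ext was removed in Java 9)");
        }
    }
}
```

Run it as `java Md5DependencyAudit [cacerts-path] [jar-path]`. Note that the "JCE Development" certificate found later in the thread is not a cacerts entry, so an audit of the trust store and of the JAR signer alone can come back clean while the JCE framework still needs MD5 for its own verification.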
This is a security feature that prevents untrusted code from removing a Sun provider. There is a way to do it which involves having proper permissions to do so. If you go to this link http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html and scroll down to the heading "The Security Class" you can read up on how to remove a provider and what will happen.

EDIT

Excerpts from the docs which go over how installed providers that are not extensions may require a policy file to perform certain actions such as adding and removing a provider. Worth a try.

The documentation from the vendor of each provider you will be using should include information as to which permissions it requires, and how to grant such permissions. For example, the following permissions may be needed by a provider if it is not an installed extension and a security manager is installed:

-

The Security class manages installed providers and security-wide properties. It only contains static methods and is never instantiated. The methods for adding or removing providers, and for setting Security properties, can only be executed by a trusted program. Currently, a "trusted program" is either

  • a local application not running under a security manager, or
  • an applet or application with permission to execute the specified method (see below).

The determination that code is considered trusted to perform an attempted action (such as adding a provider) requires that the applet is granted the proper permission(s) for that particular action.

-

Each "grant" statement in such a file grants a specified code source a set of permissions, specifying which actions are allowed.

Here is a sample policy configuration file:

grant codeBase "file:/home/sysadmin/", signedBy "sysadmin" {
    permission java.security.SecurityPermission "insertProvider.*";
    permission java.security.SecurityPermission "removeProvider.*";
    permission java.security.SecurityPermission "putProviderProperty.*";
};
Sensor answered 26/6, 2012 at 14:47 Comment(3)
I don't think this is the case since I am able to remove/add the provider without any problem without removing MD5. Also I am able to remove MD2 from the Sun provider without any problem. Only when I remove MD5 do I get this error. That's why I am confident that the problem is with MD5. Forethought
I believe the last stack trace posted on your question holds the key to your answer. There is something not letting you remove that specific provider. Sensor
I am removing, modifying and adding that provider, and I can do that as long as I don't remove MD5. Forethought
I guess I might have figured out the root cause, but still couldn't figure out where it's coming from. I tried to debug X509CertImpl and I got one certificate signed by "JCE Development" which is using MD5. But all the other certificates loaded were signed correctly using SHA1withDSA. I am not sure if this should be a bug in the JRE.

[
[
  Version: V1
  Subject: CN=JCE Development, OU=Java Software, O=Sun Microsystems, L=Cupertino, ST=CA, C=US
  Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

  Key:  Sun RSA public key, 512 bits
  modulus: 9182591386680323574119504178341234548416270629561070323164514737894957593991212767744352158438329809500219147803751143974067780130174290713135793698837217
  public exponent: 65537
  Validity: [From: Thu Oct 31 20:57:44 IST 2002,
               To: Wed Oct 31 20:57:44 IST 2007]
  Issuer: CN=JCE Development, OU=Java Software, O=Sun Microsystems, L=Cupertino, ST=CA, C=US
  SerialNumber: [    02]

]
  Algorithm: [MD5withRSA]
  Signature:
0000: 2F E5 9C 54 5C A3 FA 25   E5 11 53 55 41 B3 4E 39  /..T..%..SUA.N9
0010: 49 56 9A 59 97 1A 23 4A   29 79 C8 74 D7 1C D5 95  IV.Y..#J)y.t....
0020: 32 8B E2 56 D3 39 A5 7D   9E E2 53 F7 91 62 11 04  2..V.9....S..b..
0030: 24 1C 1D AD 4A 32 88 63   86 2E 8E E9 8B A2 73 00  $...J2.c......s.

]

Forethought answered 27/6, 2012 at 6:28 Comment(1)
You have a certificate using MD5 and you have deleted the MD5 algorithm. No wonder you get an exception. See lib/security/cacerts; the password of the key store is "changeit". Moria
So my inference from this exercise is that, since JCE itself needs MD5 to verify the signatures on its own classes, we cannot remove the MD5 algorithm from the JRE, and hence JRE 1.6 itself cannot be made FIPS 180-3 compliant.

C# in FIPS mode cannot load MD5. Refer to "Is there an alternate hashing algorithm to MD5 for FIPS-enabled systems?". With the above test I guess Java can't do that.

Do let me know if anyone objects to my observation or sees any obvious mistakes I might have overlooked.

Forethought answered 27/6, 2012 at 6:36 Comment(0)
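Since the thread's conclusion is that MessageDigest.MD5 has to stay in the SUN provider for the JCE framework's own JAR verification, the practical alternative is to enforce the FIPS 180-3 digest list at the application boundary instead. The following class is an added example, not code from the original post or from the JDK: it resolves whatever name the caller asks for to the provider's canonical algorithm name (so aliases such as "SHA" or an OID are judged by what they resolve to), refuses anything outside the five FIPS 180-3 hashes, and can inventory every MessageDigest algorithm the installed providers offer. The class and method names are my own; it assumes a standard JDK with the SUN provider installed.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

/**
 * Application-level gate for digests: the platform keeps MD5 (SunJCE's self-verification
 * needs it), but application code obtains digests only through this class.
 */
public final class FipsDigests {

    /** The five hash functions approved by FIPS 180-3: SHA-1 and the SHA-2 family. */
    static final Set<String> APPROVED = new HashSet<>(Arrays.asList(
            "SHA-1", "SHA-224", "SHA-256", "SHA-384", "SHA-512"));

    /**
     * Canonical provider name for a requested MessageDigest ("SHA" -> "SHA-1",
     * "1.2.840.113549.2.5" -> "MD5" if the provider registers that alias), or null if
     * no installed provider offers it. Provider.getService resolves aliases for us.
     */
    static String canonicalName(String requested) {
        for (Provider p : Security.getProviders()) {
            Provider.Service s = p.getService("MessageDigest", requested);
            if (s != null) return s.getAlgorithm();
        }
        return null;
    }

    /** True only if the request resolves to one of the approved algorithms. */
    static boolean isApproved(String requested) {
        String canonical = canonicalName(requested);
        return canonical != null && APPROVED.contains(canonical);
    }

    /** Like MessageDigest.getInstance, but refuses non-approved hashes, aliases included. */
    static MessageDigest getInstance(String requested) throws NoSuchAlgorithmException {
        if (!isApproved(requested)) {
            throw new NoSuchAlgorithmException(requested + " is not a FIPS 180-3 approved hash");
        }
        return MessageDigest.getInstance(canonicalName(requested));
    }

    /** Every MessageDigest algorithm offered by the installed providers, mapped to approved/not. */
    static Map<String, Boolean> inventory() {
        Map<String, Boolean> out = new TreeMap<>();
        for (String alg : Security.getAlgorithms("MessageDigest")) {
            out.put(alg, APPROVED.contains(alg));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        for (Map.Entry<String, Boolean> e : inventory().entrySet()) {
            System.out.println((e.getValue() ? "approved " : "REJECTED ") + e.getKey());
        }
        // The platform itself still resolves MD5: nothing was removed from the SUN provider.
        MessageDigest.getInstance("MD5");
        // Application code going through the gate cannot get it, even through an alias.
        for (String req : new String[] {"MD5", "1.2.840.113549.2.5", "SHA", "SHA-256"}) {
            try {
                getInstance(req);
                System.out.println("allowed  " + req + " -> " + canonicalName(req));
            } catch (NoSuchAlgorithmException ex) {
                System.out.println("rejected " + req + ": " + ex.getMessage());
            }
        }
    }
}
```

This does not make the JRE itself FIPS-validated; it only guarantees that code routed through FipsDigests.getInstance never obtains MD5 or MD2, while leaving the provider table intact so SunJCE initializes normally. Calls to MessageDigest.getInstance elsewhere in the application (or in libraries) bypass the gate, so the inventory output is also useful as a checklist for a code review.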

© 2022 - 2024 — McMap. All rights reserved.