We are pleased to announce Oracle Jipher 10.36, the latest update of Oracle Jipher, a Java Cryptographic Service Provider for customers deploying Java applications in FIPS-regulated environments.

Jipher 10.36 brings FIPS 140-3 validated cryptography to Java applications by packaging an OpenSSL 3.5.4 cryptographic module.

What is new in Jipher 10.36

This release updates Jipher to comply with the additional FIPS 140-3 requirements and introduces algorithm and usage restrictions. The most relevant changes are to DSA, TLS 1.2 key derivation, Triple DES, RSA ciphering without optimal asymmetric encryption padding, RSA-PSS signatures, and PBKDF2.

These include:

• DSA key and signature generation are no longer supported. Existing DSA keys can still be imported, and DSA signature verification remains available when the FIPS enforcement policy is set to the default value.
• TLS 1.2 key derivation now requires Extended Master Secret. The (standard) Master Secret is no longer allowed.
• Triple DES key generation and encryption are no longer supported. Existing Triple DES keys can still be imported, and Triple DES decryption remains available when the FIPS enforcement policy is set to the default value.
• RSA-PSS salt lengths larger than the message digest size are no longer allowed, and support for the RSA/ECB/NoPadding and RSA/ECB/PKCS1Padding Cipher transformations have been removed.
• PBKDF2 now enforces configurable limits for maximum iteration count and minimum password length. If unset, the default maximum iteration count is ten million, and the default minimum password length is 8.
• PBKDF2 parameters with a salt length below 128 bits or an iteration count below 1,000 now result in java.security.spec.InvalidKeySpecException.
• com.oracle.jipher.provider.DHFIPSParameterSpec is terminally deprecated in this release. Support for this class will be removed in a future release.
• com.oracle.jipher.provider.JipherJCE.isFipsValid() is terminally deprecated in this release. Support for this method will be removed in a future release.

The release notes provide the complete list of behavior changes and compatibility considerations.

Supported runtimes and platforms

Jipher 10.36 supports Oracle JDK 17 and 21, GraalVM for JDK 17 and GraalVM for JDK 21 on Oracle Linux 8, 9, and 10 and Red Hat Linux 8, 9, and 10 on x86-64 and aarch64 platforms.

Jipher 10.36 is the last planned update release that supports GraalVM for JDK 17 and GraalVM for JDK 21. Oracle Java SE customers using GraalVM for workloads requiring FIPS certification should transition to Oracle JDK. Contact Oracle Support for migration-related assistance.

Additional Information

• Jipher Release Notes
• Oracle Jipher Documentation
• Download Jipher from Java Tools and Resources
• Oracle Java SE Universal Subscription