JCE: register default FIPS error callback in WolfCryptProvider

cconlon · cconlon · commit 25723c326f65 · 2026-03-30T16:21:27.000-06:00
diff --git a/src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java b/src/main/java/com/wolfssl/provider/jce/WolfCryptProvider.java
@@ -25,6 +25,7 @@
 import java.security.Security;
 import com.wolfssl.wolfcrypt.FeatureDetect;
 import com.wolfssl.wolfcrypt.Fips;
+import com.wolfssl.wolfcrypt.WolfCryptError;
 import com.wolfssl.wolfcrypt.WolfSSLX509StoreCtx;
 
 /**
@@ -34,6 +35,51 @@ public final class WolfCryptProvider extends Provider {
 
     private static final long serialVersionUID = 1L;
 
+    /**
+     * Default FIPS error callback for wolfJCE provider.
+     *
+     * Logs FIPS errors to aid in debugging module failures. Registered
+     * automatically when wolfJCE provider is instantiated with FIPS wolfCrypt.
+     */
+    private static class JCEFIPSErrorCallback implements Fips.ErrorCallback {
+
+        /* Track last error code to suppress duplicate messages. Native
+         * wolfCrypt may call the callback with different error codes during
+         * a failure sequence. We log each unique code once. */
+        private static volatile int lastErr = 0;
+
+        /**
+         * Called by native wolfCrypt when FIPS error occurs.
+         *
+         * @param ok 1 if verification passed, otherwise 0
+         * @param err wolfCrypt FIPS error code
+         * @param hash expected verifyCore hash value
+         */
+        @Override
+        public void errorCallback(int ok, int err, String hash) {
+
+            if (err == lastErr) {
+                return;
+            }
+            lastErr = err;
+
+            String errStr = WolfCryptError.fromInt(err).getDescription();
+
+            System.err.println("wolfJCE FIPS error: ok = " + ok + ", err = " +
+                err + " (" + errStr + "), hash = " + hash);
+
+            if (err == WolfCryptError.IN_CORE_FIPS_E.getCode()) {
+                System.err.println("wolfJCE FIPS: in core integrity hash " +
+                    "check failure. Copy hash above into verifyCore[] in " +
+                    "fips_test.c and rebuild");
+            }
+
+            WolfCryptDebug.log(JCEFIPSErrorCallback.class, WolfCryptDebug.ERROR,
+                () -> "FIPS error: ok = " + ok + ", err = " + err + " (" +
+                errStr + "), hash = " + hash);
+        }
+    }
+
     /**
      * Create new WolfCryptProvider object
      */
@@ -45,6 +91,14 @@ public WolfCryptProvider() {
         WolfCryptDebug.refreshDebugFlags();
 
         registerServices();
+
+        /* Register default FIPS error callback if FIPS enabled. */
+        if (Fips.enabled) {
+            Fips.wolfCrypt_SetCb_fips(new JCEFIPSErrorCallback());
+
+            WolfCryptDebug.log(getClass(), WolfCryptDebug.INFO,
+                () -> "Registered wolfCrypt FIPS error callback");
+        }
     }
 
     /**
