Skip to content

Add OpenJCEPlusFIPS provider to JMH benchmarks #1491

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
jasonkatonica wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add OpenJCEPlusFIPS provider to JMH benchmarks #1491

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
abc4a58
Add OpenJCEPlusFIPS provider to JMH benchmarks
jasonkatonica May 22, 2026
96eeef2
Fips toleration updates observed after execution
jasonkatonica May 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion JenkinsfilePerformance
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -398,7 +398,7 @@ pipeline {
Specify the performance benchmark you would like to run.')
booleanParam(name: 'OpenJCEPlus', defaultValue: true, description: '\
Run benchmarks with OpenJCEPlus provider')
booleanParam(name: 'OpenJCEPlusFIPS', defaultValue: true, description: '\
booleanParam(name: 'OpenJCEPlusFIPS', defaultValue: false, description: '\
Run benchmarks with OpenJCEPlusFIPS provider')
booleanParam(name: 'Sun', defaultValue: true, description: '\
Run benchmarks with all Sun providers')
Expand Down
2 changes: 1 addition & 1 deletion src/test/java/ibm/jceplus/jmh/AESCipherBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ public class AESCipherBenchmark extends SymmetricCipherBase {
@Param({"1024", "32768"})
private int payloadSize;

@Param({"OpenJCEPlus", "SunJCE"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunJCE"})
private String provider;

@Setup
Expand Down
2 changes: 1 addition & 1 deletion src/test/java/ibm/jceplus/jmh/AESKeyGeneratorBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@
@Measurement(iterations = 4, time = 30, timeUnit = TimeUnit.SECONDS)
public class AESKeyGeneratorBenchmark extends JMHBase {

@Param({"OpenJCEPlus", "SunJCE"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunJCE"})
private String provider;

private KeyGenerator aesKeyGenerator128 = null;
Expand Down
2 changes: 1 addition & 1 deletion src/test/java/ibm/jceplus/jmh/AESWrapBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ public class AESWrapBenchmark extends SymmetricCipherBase {
@Param({"128", "192", "256"})
private int keySize;

@Param({"OpenJCEPlus", "SunJCE"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunJCE"})
private String provider;

private byte[] wrappedKey;
Expand Down
4 changes: 2 additions & 2 deletions src/test/java/ibm/jceplus/jmh/DHKeyExchangeBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,10 +33,10 @@
@Measurement(iterations = 4, time = 30, timeUnit = TimeUnit.SECONDS)
public class DHKeyExchangeBenchmark extends JMHBase {

@Param({"OpenJCEPlus", "SunJCE"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunJCE"})
private String provider;

@Param({"1024", "4096"})
@Param({"2048", "4096"})
private int keySize;

private KeyPairGenerator dhKeyPairGenerator;
Expand Down
2 changes: 1 addition & 1 deletion src/test/java/ibm/jceplus/jmh/DHKeyGeneratorBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@
@Measurement(iterations = 4, time = 30, timeUnit = TimeUnit.SECONDS)
public class DHKeyGeneratorBenchmark extends JMHBase {

@Param({"OpenJCEPlus", "SunJCE"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunJCE"})
private String provider;

private KeyPairGenerator dhKeyPairGenerator1024 = null;
Expand Down
2 changes: 1 addition & 1 deletion src/test/java/ibm/jceplus/jmh/ECDHKeyExchangeBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@
@Measurement(iterations = 4, time = 30, timeUnit = TimeUnit.SECONDS)
public class ECDHKeyExchangeBenchmark extends JMHBase {

@Param({"OpenJCEPlus", "SunEC"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunEC"})
private String provider;

@Param({"secp256r1", "secp384r1", "secp521r1"})
Expand Down
2 changes: 1 addition & 1 deletion src/test/java/ibm/jceplus/jmh/ECKeyGeneratorBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@
@Measurement(iterations = 4, time = 30, timeUnit = TimeUnit.SECONDS)
public class ECKeyGeneratorBenchmark extends JMHBase {

@Param({"OpenJCEPlus", "SunEC"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunEC"})
private String provider;

private KeyPairGenerator ecKeyPairGeneratorP256 = null;
Expand Down
2 changes: 1 addition & 1 deletion src/test/java/ibm/jceplus/jmh/ECSignatureBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ public class ECSignatureBenchmark extends JMHBase {
@Param({"2048", "32768"})
private int payloadSize;

@Param({"OpenJCEPlus", "SunEC"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunEC"})
private String provider;

/**
Expand Down
14 changes: 11 additions & 3 deletions src/test/java/ibm/jceplus/jmh/HMACKeyGeneratorBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import org.openjdk.jmh.annotations.Setup;
import org.openjdk.jmh.annotations.State;
import org.openjdk.jmh.annotations.Warmup;
import org.openjdk.jmh.infra.Blackhole;
import org.openjdk.jmh.runner.Runner;
import org.openjdk.jmh.runner.RunnerException;
import org.openjdk.jmh.runner.options.Options;
Expand All @@ -32,7 +33,7 @@
@Measurement(iterations = 4, time = 30, timeUnit = TimeUnit.SECONDS)
public class HMACKeyGeneratorBenchmark extends JMHBase {

@Param({"OpenJCEPlus", "SunJCE"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunJCE"})
private String provider;

private KeyGenerator hmacSha1KeyGenerator = null;
Expand All @@ -44,14 +45,21 @@ public class HMACKeyGeneratorBenchmark extends JMHBase {
public void setup() throws Exception {
super.setup(provider);

hmacSha1KeyGenerator = KeyGenerator.getInstance("HmacSHA1", provider);
// Skip HmacSHA1 initialization for FIPS provider as it's not FIPS-approved
if (!provider.equalsIgnoreCase("OpenJCEPlusFIPS")) {
hmacSha1KeyGenerator = KeyGenerator.getInstance("HmacSHA1", provider);
}
hmacSha256KeyGenerator = KeyGenerator.getInstance("HmacSHA256", provider);
hmacSha384KeyGenerator = KeyGenerator.getInstance("HmacSHA384", provider);
hmacSha512KeyGenerator = KeyGenerator.getInstance("HmacSHA512", provider);
}

@Benchmark
public SecretKey hmacSha1KeyGeneration() throws Exception {
public SecretKey hmacSha1KeyGeneration(Blackhole blackhole) throws Exception {
// Skip HmacSHA1 for FIPS provider as it's not FIPS-approved
if (provider.equalsIgnoreCase("OpenJCEPlusFIPS")) {
throw new RunnerException("Skipping HmacSHA1 for FIPS provider");
}
return hmacSha1KeyGenerator.generateKey();
}

Expand Down
2 changes: 1 addition & 1 deletion src/test/java/ibm/jceplus/jmh/HmacBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,7 @@ public class HmacBenchmark extends JMHBase {
@Param({"16", "2048", "32768"})
private int payloadSize;

@Param({"OpenJCEPlus", "SunJCE"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunJCE"})
private String provider;

private Mac mac;
Expand Down
2 changes: 1 addition & 1 deletion src/test/java/ibm/jceplus/jmh/MessageDigestBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ public class MessageDigestBenchmark extends JMHBase {
@Param({"16", "2048", "32768"})
private int payloadSize;

@Param({"OpenJCEPlus", "SUN"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SUN"})
private String provider;

private MessageDigest messageDigestSHA512;
Expand Down
2 changes: 1 addition & 1 deletion src/test/java/ibm/jceplus/jmh/MessageDigestInstanceBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ public class MessageDigestInstanceBenchmark extends JMHBase {
@Param({"1"})
private int payloadSize;

@Param({"OpenJCEPlus", "SUN"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SUN"})
private String provider;

private MessageDigest messageDigestSHA512;
Expand Down
20 changes: 16 additions & 4 deletions src/test/java/ibm/jceplus/jmh/PBKDF2Benchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import org.openjdk.jmh.annotations.Setup;
import org.openjdk.jmh.annotations.State;
import org.openjdk.jmh.annotations.Warmup;
import org.openjdk.jmh.infra.Blackhole;
import org.openjdk.jmh.runner.Runner;
import org.openjdk.jmh.runner.RunnerException;
import org.openjdk.jmh.runner.options.Options;
Expand All @@ -42,14 +43,17 @@ public class PBKDF2Benchmark extends JMHBase {
private byte[] salt = new byte[16];
private SecureRandom random = new SecureRandom();

@Param({"OpenJCEPlus", "SunJCE"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunJCE"})
private String provider;

@Setup
public void setup() throws Exception {
super.setup(provider);

pbkdf2Sha1Factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1", provider);
// Skip PBKDF2WithHmacSHA1 initialization for FIPS provider as it's not FIPS-approved
if (!provider.equalsIgnoreCase("OpenJCEPlusFIPS")) {
pbkdf2Sha1Factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1", provider);
}
pbkdf2Sha256Factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256", provider);
pbkdf2Sha512Factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512", provider);
pbkdf2Sha512_224Factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512/224", provider);
Expand All @@ -59,13 +63,21 @@ public void setup() throws Exception {
}

@Benchmark
public byte[] pbkdf2Sha11000Iter() throws InvalidKeySpecException {
public byte[] pbkdf2Sha11000Iter(Blackhole blackhole) throws Exception {
// Skip PBKDF2WithHmacSHA1 for FIPS provider as it's not FIPS-approved
if (provider.equalsIgnoreCase("OpenJCEPlusFIPS")) {
throw new RunnerException("Skipping PBKDF2WithHmacSHA1 for FIPS provider");
}
return pbkdf2Sha1Factory.generateSecret(new PBEKeySpec(password, salt, 1000, 256))
.getEncoded();
}

@Benchmark
public byte[] pbkdf2Sha1300000Iter() throws InvalidKeySpecException {
public byte[] pbkdf2Sha1300000Iter(Blackhole blackhole) throws Exception {
// Skip PBKDF2WithHmacSHA1 for FIPS provider as it's not FIPS-approved
if (provider.equalsIgnoreCase("OpenJCEPlusFIPS")) {
throw new RunnerException("Skipping PBKDF2WithHmacSHA1 for FIPS provider");
}
return pbkdf2Sha1Factory.generateSecret(new PBEKeySpec(password, salt, 300000, 256))
.getEncoded();
}
Expand Down
35 changes: 28 additions & 7 deletions src/test/java/ibm/jceplus/jmh/RSACipherBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
import org.openjdk.jmh.annotations.Setup;
import org.openjdk.jmh.annotations.State;
import org.openjdk.jmh.annotations.Warmup;
import org.openjdk.jmh.infra.Blackhole;
import org.openjdk.jmh.runner.Runner;
import org.openjdk.jmh.runner.RunnerException;
import org.openjdk.jmh.runner.options.Options;
Expand All @@ -43,16 +44,20 @@ public class RSACipherBenchmark extends AsymmetricCipherBase {
@Param({"2048"})
private int keySize;

@Param({"OpenJCEPlus", "SunJCE"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunJCE"})
private String provider;

@Setup
public void setup() throws Exception {
super.setup(keySize, "RSA", provider);

Map<String, Integer> paddings = new HashMap<>();
paddings.put("NoPadding", 1);
paddings.put("PKCS1Padding", 11);
// Skip NoPadding and PKCS1Padding for FIPS provider as they are not FIPS-approved
boolean isFIPS = provider.equalsIgnoreCase("OpenJCEPlusFIPS");
if (!isFIPS) {
paddings.put("NoPadding", 1);
paddings.put("PKCS1Padding", 11);
}
paddings.put("OAEPPadding", (2 * 20 + 2)); // SHA-1 size is 20 bytes
paddings.put("OAEPWithSHA-256AndMGF1Padding", (2 * 32 + 2)); // SHA-256 size is 32 bytes
paddings.put("OAEPWithSHA-512AndMGF1Padding", (2 * 64 + 2)); // SHA-512 size is 64 bytes
Expand Down Expand Up @@ -82,22 +87,38 @@ public void setup() throws Exception {
}

@Benchmark
public byte[] benchmarkEncryption_NoPadding() throws Exception {
public byte[] benchmarkEncryption_NoPadding(Blackhole blackhole) throws Exception {
// Skip NoPadding for FIPS provider as it's not FIPS-approved
if (provider.equalsIgnoreCase("OpenJCEPlusFIPS")) {
throw new RunnerException("Skipping NoPadding for FIPS provider");
}
return encryptCiphers.get("NoPadding").doFinal(plaintexts.get("NoPadding"));
}

@Benchmark
public byte[] benchmarkDecryption_NoPadding() throws Exception {
public byte[] benchmarkDecryption_NoPadding(Blackhole blackhole) throws Exception {
// Skip NoPadding for FIPS provider as it's not FIPS-approved
if (provider.equalsIgnoreCase("OpenJCEPlusFIPS")) {
throw new RunnerException("Skipping NoPadding for FIPS provider");
}
return decryptCiphers.get("NoPadding").doFinal(ciphertexts.get("NoPadding"));
}

@Benchmark
public byte[] benchmarkEncryption_PKCS1Padding() throws Exception {
public byte[] benchmarkEncryption_PKCS1Padding(Blackhole blackhole) throws Exception {
// Skip PKCS1Padding for FIPS provider as it's not FIPS-approved
if (provider.equalsIgnoreCase("OpenJCEPlusFIPS")) {
throw new RunnerException("Skipping PKCS1Padding for FIPS provider");
}
return encryptCiphers.get("PKCS1Padding").doFinal(plaintexts.get("PKCS1Padding"));
}

@Benchmark
public byte[] benchmarkDecryption_PKCS1Padding() throws Exception {
public byte[] benchmarkDecryption_PKCS1Padding(Blackhole blackhole) throws Exception {
// Skip PKCS1Padding for FIPS provider as it's not FIPS-approved
if (provider.equalsIgnoreCase("OpenJCEPlusFIPS")) {
throw new RunnerException("Skipping PKCS1Padding for FIPS provider");
}
return decryptCiphers.get("PKCS1Padding").doFinal(ciphertexts.get("PKCS1Padding"));
}

Expand Down
16 changes: 12 additions & 4 deletions src/test/java/ibm/jceplus/jmh/RSAKeyGeneratorBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import org.openjdk.jmh.annotations.Setup;
import org.openjdk.jmh.annotations.State;
import org.openjdk.jmh.annotations.Warmup;
import org.openjdk.jmh.infra.Blackhole;
import org.openjdk.jmh.runner.Runner;
import org.openjdk.jmh.runner.RunnerException;
import org.openjdk.jmh.runner.options.Options;
Expand All @@ -32,7 +33,7 @@
@Measurement(iterations = 4, time = 30, timeUnit = TimeUnit.SECONDS)
public class RSAKeyGeneratorBenchmark extends JMHBase {

@Param({"OpenJCEPlus", "SunRsaSign"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunRsaSign"})
private String provider;

private KeyPairGenerator rsaKeyPairGenerator1024 = null;
Expand All @@ -43,16 +44,23 @@ public class RSAKeyGeneratorBenchmark extends JMHBase {
public void setup() throws Exception {
super.setup(provider);

rsaKeyPairGenerator1024 = KeyPairGenerator.getInstance("RSA", provider);
rsaKeyPairGenerator1024.initialize(1024);
// Skip 1024-bit RSA key generation for FIPS provider as it's not FIPS-approved
if (!provider.equalsIgnoreCase("OpenJCEPlusFIPS")) {
rsaKeyPairGenerator1024 = KeyPairGenerator.getInstance("RSA", provider);
rsaKeyPairGenerator1024.initialize(1024);
}
rsaKeyPairGenerator2048 = KeyPairGenerator.getInstance("RSA", provider);
rsaKeyPairGenerator2048.initialize(2048);
rsaKeyPairGenerator4096 = KeyPairGenerator.getInstance("RSA", provider);
rsaKeyPairGenerator4096.initialize(4096);
}

@Benchmark
public KeyPair rsa1024KeyGeneration() throws Exception {
public KeyPair rsa1024KeyGeneration(Blackhole blackhole) throws Exception {
// Skip 1024-bit RSA key generation for FIPS provider as it's not FIPS-approved
if (provider.equalsIgnoreCase("OpenJCEPlusFIPS")) {
throw new RunnerException("Skipping 1024-bit RSA key generation for FIPS provider");
}
return rsaKeyPairGenerator1024.generateKeyPair();
}

Expand Down
2 changes: 1 addition & 1 deletion src/test/java/ibm/jceplus/jmh/RSASignatureBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ public class RSASignatureBenchmark extends JMHBase {
@Param({"2048", "32768"})
private int payloadSize;

@Param({"OpenJCEPlus", "SunRsaSign"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunRsaSign"})
private String provider;

@Param({"2048", "4096"})
Expand Down
2 changes: 1 addition & 1 deletion src/test/java/ibm/jceplus/jmh/TLSHandshakeBenchmark.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@ public class TLSHandshakeBenchmark extends JMHBase {
@Param({"cached", "non-cached"})
public String useCache;

@Param({"OpenJCEPlus", "SunJCE"})
@Param({"OpenJCEPlus", "OpenJCEPlusFIPS", "SunJCE"})
private String provider;

private SSLServerSocket serverSocket;
Expand Down
Loading