FIPS certification - how to prove it?
I have a Java application that does some crypto work, and I need to make it FIPS-140 compliant. So I grabbed a FIPS-certified HSM, defined a new PKCS#11 provider in jre/lib/security/java.security and configured it to use my HSM.
I thought that I would comment out all other security providers and, if my Java application runs, I can be sure that all crypto work is done in the HSM and thus I'm FIPS-compliant. Unfortunately it turns out that I need to keep the sun.security.provider.Sun and sun.security.rsa.SunRsaSign providers uncommented as well - otherwise even the simplest 3DES encryption class fails with exceptions (on X.509 and RSA code).
Now I have a strong feeling that these additional providers that I left in the java.security file don't really do any "real" crypto work, and instead only "wrap" basic crypto algorithms (SHA-1/MD5, DES, AES etc.) into more high-level abstractions (RSA, X.509 etc.), leaving the real crypto work for my HSM provider. However, I need to somehow prove it.
Is there any way that I can prove that all "real" crypto work is done in HSM and not in some other (software) provider?
Regards,
Alex
P.S. I know that I can explicitly state the provider in my crypto code. However, this still doesn't work unless the Sun and SunRsaSign providers are defined in the java.security file. And I still need to prove that there's no other place in the code that does any crypto work that bypasses the HSM.
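One way to inventory what the configuration described above actually allows, as an added example that is not part of the original post: it lists every cryptographic service the installed providers register and flags those where a software provider would be picked ahead of the HSM, or is the only one offering it. The provider name `SunPKCS11-HSM` and the class name `ProviderAudit` are assumptions.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class ProviderAudit {
    // Assumption: the name the PKCS#11 provider registers under. SunPKCS11 uses
    // "SunPKCS11-" plus the "name" attribute from its configuration file.
    static final String HSM_PROVIDER = "SunPKCS11-HSM";

    // JCA service types that operate on keys or data, as opposed to parsing and storage
    // types such as CertificateFactory, KeyFactory or KeyStore.
    static final Set<String> CRYPTO_TYPES = new HashSet<>(Arrays.asList(
            "Cipher", "Signature", "MessageDigest", "Mac", "KeyGenerator",
            "KeyPairGenerator", "KeyAgreement", "SecureRandom"));

    /** Maps "Type.Algorithm" to the providers registering it, in preference order. */
    static Map<String, List<String>> inventory(Provider[] providers) {
        Map<String, List<String>> byService = new TreeMap<>();
        for (Provider p : providers) {               // array order = java.security order
            for (Provider.Service s : p.getServices()) {
                if (CRYPTO_TYPES.contains(s.getType())) {
                    byService.computeIfAbsent(s.getType() + "." + s.getAlgorithm(),
                            k -> new ArrayList<>()).add(p.getName());
                }
            }
        }
        return byService;
    }

    public static void main(String[] args) {
        int flagged = 0;
        for (Map.Entry<String, List<String>> e : inventory(Security.getProviders()).entrySet()) {
            List<String> offeredBy = e.getValue();
            // getInstance(algorithm) without a provider argument walks this list from the
            // front, so any entry whose first provider is not the HSM can run in software.
            if (!HSM_PROVIDER.equals(offeredBy.get(0))) {
                String kind = offeredBy.contains(HSM_PROVIDER) ? "SOFTWARE-FIRST" : "SOFTWARE-ONLY ";
                System.out.println(kind + " " + e.getKey() + " " + offeredBy);
                flagged++;
            }
        }
        System.out.println(flagged + " crypto service(s) resolve outside " + HSM_PROVIDER);
    }
}
```

The listing covers registered names only, not aliases, and a provider may register a Cipher under a full transformation string, so compare entries across providers with that in mind. It shows what the configuration allows, not which provider a given call used at run time; Cipher and Signature can also fall through to a later provider at init() if the first one rejects the key.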