"restricted method in java.lang.System has been called" after moving from bc-fips 1.x to 2.1.1

[EFM-Bobby]

Hi all,

In our product, we use the bc-fips library for encrypting/decrypting a password so it isn't stored in clear text in a settings file. After moving up to version 2.1.1, a customer is getting this warning when running our encryption utility with openjdk 24:

WARNING: A restricted method in java.lang.System has been called
WARNING: java.lang.System::load has been called by org.bouncycastle.crypto.fips.NativeLoader$1 in an unnamed module (file:/usr/edb/efm-5.1/lib/bc-fips-2.1.1.jar)
WARNING: Use --enable-native-access=ALL-UNNAMED to avoid a warning for callers in this module
WARNING: Restricted methods will be blocked in a future release unless native access is enabled

They can use the workaround provided here to avoid this output (which happens in the middle of our product's output), but I wanted to ask:

1. Is this something that could cause a real problem later? I'm guessing this is from one of the two System.load calls in NativeLoader#loadDriver, and the related catch blocks set nativeInstalled.set(false) -- could that be a problem at some point?
2. I can't reproduce this myself, and it might just be a java security setting that I never learned about or forgot decades ago. Is there some setting the customer might have set (that I don't) that could be turned off as another option?

Thank you. I can share more information if needed. In case it's related, we don't import bouncy castle directly in the java code, but load it with reflection -- this is just so someone can remove the library if needed for some reason (and they're not running in FIPS mode)

    static {
        Provider provider;
        try {
             provider = (Provider) Class.forName("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider")
                .getDeclaredConstructor()
                .newInstance();
            Security.addProvider(provider);
        } catch (ClassNotFoundException e) {
            [log a warning but otherwise continue]
        }
    }

Thank you,
Bobby Bissett

[vhbcm]

We will be moving to Java 25 in near future as well. We get the same message with 2.1.2.

[theit]

I don't know what bc-fips is doing (I don't use it), but I guess I read somewhere that it uses native libraries/code, right?
If yes, the message you're seeing is because of https://openjdk.org/jeps/472

The message is simply a warning that you could suppress by starting your application with the corresponding command line flags; see the JEP for more details.