Skip to content

[BUG] Current version of OpenSAML is incompatible with the Bouncy Castle FIPS library #4915

New issue
New issue
Closed
Closed
[BUG] Current version of OpenSAML is incompatible with the Bouncy Castle FIPS library#4915
Labels
bugSomething isn't workingtriagedIssues labeled as 'Triaged' have been reviewed and are deemed actionable.
@dancristiancecoi

Description

@dancristiancecoi
dancristiancecoi
opened on Nov 18, 2024

What is the bug?
Current version of OpenSAML (4.3.2) does not work in FIPS mode as it has a hard dependency (org.bouncycastle.jce.ECNamedCurveTable) on the non-FIPS distribution of Bouncy Castle

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Replace BC with BC-FIPS
  2. Run OpenSAML related tests
  3. You will see a error due to missing the ECNamedCurveTable dependency

Potential solutions

  1. Downgrade OpenSAML to 3.x
  2. Downgrade OpenSAML to 4.0 (Tests seem to pass under that version, however some untested functionality might still be broken)
  3. Replace OpenSAML with Keycloak as it supports running in FIPS 140-2 compliant mode

Relevant links
#3420
elastic/elasticsearch#71983
https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1159627167/FIPS
https://shibboleth.net/pipermail/dev/2023-August/011111.html
https://www.keycloak.org/server/fips

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingtriagedIssues labeled as 'Triaged' have been reviewed and are deemed actionable.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions