[BUG] Current version of OpenSAML is incompatible with the Bouncy Castle FIPS library

**What is the bug?**
Current version of OpenSAML (4.3.2) does not work in FIPS mode as it has a hard dependency (`org.bouncycastle.jce.ECNamedCurveTable`) on the non-FIPS distribution of Bouncy Castle

**How can one reproduce the bug?**
Steps to reproduce the behavior:
1. Replace BC with BC-FIPS 
2. Run OpenSAML related tests
3. You will see a error due to missing the `ECNamedCurveTable` dependency

**Potential solutions**
1. Downgrade OpenSAML to 3.x
2. Downgrade OpenSAML to 4.0 (Tests seem to pass under that version, however some untested functionality might still be broken)
3. Replace OpenSAML with Keycloak as [it supports running in FIPS 140-2 compliant mode 
](https://www.keycloak.org/server/fips)

**Relevant links**
https://github.com/opensearch-project/security/issues/3420
https://github.com/elastic/elasticsearch/issues/71983
https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1159627167/FIPS
https://shibboleth.net/pipermail/dev/2023-August/011111.html
https://www.keycloak.org/server/fips




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[BUG] Current version of OpenSAML is incompatible with the Bouncy Castle FIPS library #4915

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[BUG] Current version of OpenSAML is incompatible with the Bouncy Castle FIPS library #4915

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions