
Integrating FIPS-Compliant Libraries with OpenSAML

Open sumeetpri opened this issue 1 year ago • 2 comments

Hello Team,

I'm currently using Spring Security 6.2, which internally uses the OpenSAML 4.3 Java library to handle the SAML assertion received from the IDP. However, I've encountered an issue where OpenSAML relies on the bcprov-jdk18on library, which is not compliant with FIPS standards. To align with my project's requirements for FIPS-compliant libraries, I integrated bc-fips version 1.0.2.4. However, this change has led to numerous "class not found" errors, and the system is not functioning correctly. Could you advise on how to effectively use bc-fips with OpenSAML? Additionally, is it possible for bcprov and bc-fips to coexist within the same JVM environment?

Does bc-fips have all the implementations of bcprov? In what cases can we assume bc-fips works as a replacement for bcprov?

sumeetpri avatar Feb 28 '24 02:02 sumeetpri

Does bc-fips have all the implementations of bcprov?

As you correctly identified @sumeetpri, it's not the case: bc-fips is not a drop-in replacement for bcprov (although it appears to be advertised so in some examples).

OpenSAML is bad at maintaining their lib, as they strictly depend on bcprov-jdk18on, completely disregarding the FIPS-approved mode. Even in the latest version, and since they became more of a closed community, I'm afraid it's very unlikely to change.

Disclaimer: I'm just coming along. I'm not a maintainer of either bc-java or java-opensaml.

jsochor-s1 avatar Sep 16 '25 14:09 jsochor-s1

The same question was already answered in: https://github.com/bcgit/bc-java/discussions/1594

jsochor-s1 avatar Sep 16 '25 14:09 jsochor-s1