[BUG] Current version of OpenSAML is incompatible with the Bouncy Castle FIPS library #4915
Comments
dancristiancecoi
added
bug
cwperks
added
triaged
|
[Triage] Thank you for filing an issue for this @dancristiancecoi. Should I assign this issue to you? |
|
@cwperks I can give it a try, thanks! Would also be great to get some feedback from the community on what potential solution would be the best way forward. |
|
@dancristiancecoi Elastic search have implemented this already, please refer to this : https://github.com/elastic/elasticsearch/pull/98199/files |
|
Excellent find @shshankvikrram, thanks! Am I correct saying that this fixes the error on start-up for Elasticsearch but the functionality that relies on EC will still be broken? In OpenSearch's case the error does not happen on start-up but when the OpenSAML code gets called. If we used this solution and we do not rely on any EC related functionality then we might be okay. Are we confident that we don't rely on any of that functionality and that the test coverage in that area is sufficient to prove this? |
|
Yes if it relies on EC then it might break but that doesn't seem to be the case here as per my understanding. Looks like OpenSearch doesn't invoke any flow which might use EC functionality in OpenSAML though I am not 100% confident. |
What is the bug?
Current version of OpenSAML (4.3.2) does not work in FIPS mode as it has a hard dependency (
org.bouncycastle.jce.ECNamedCurveTable) on the non-FIPS distribution of Bouncy CastleHow can one reproduce the bug?
Steps to reproduce the behavior:
ECNamedCurveTabledependencyPotential solutions
Relevant links
#3420
elastic/elasticsearch#71983
https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1159627167/FIPS
https://shibboleth.net/pipermail/dev/2023-August/011111.html
https://www.keycloak.org/server/fips
The text was updated successfully, but these errors were encountered: