OpenSAML with BC-FIPS Compatiblity Issue

[sumeetpri]

Hello Team,

I'm currently using spring security 6.2 which internally uses OpenSAML 4.3 Java library to handle the SAML assertion received from the IDP. However, I've encountered an issue where OpenSAML relies on the bcprov-jdk18on library, which is not compliant with FIPS standards. To align with my project's requirements for FIPS-compliant libraries, I integrated bc-fips version 1.0.2.4. However, this change has led to numerous "class not found" errors, and the system is not functioning correctly. Could you advise on how to effectively use bc-fips with OpenSAML? Additionally, is it possible for bcprov and bc-fips to coexist within the same JVM environment?

Does bc-fips have all implementation of bcprov ? In what case we can assume bc-fips work as a replacement of bcprov?

[dghgit]

I've answered this elsewhere, but the two providers cannot be used together (and yes it's a requirement...) The OpenSAML API relies on some parts of the BC low level API which is not available in the BC FIPS API, there are equivalent classes in BCFIPS, but that section of the code would need to be rewritten to support the FIPS API.

[janhavee-git]

@dghgit : Is this issue relevant with bc-fips 2.0.1 version as well? Asking as we have bc-fips and bcprov jars in classpath but still no issue is observed? Can you help me understand the reason?

[peterdettman]

@janhavee-git It is relevant to all versions of bc-fips so far; whether you "observe an issue" is not relevant.

See these other issues:
#714
#1287

The basic reason is that classes might be loaded from bcprov instead of bc-fips, which - besides leading almost certainly to errors - would be non-compliant usage of bc-fips.