diff --git a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
index 14e2323b4d14d..c8193249077e1 100644
--- a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
+++ b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
@@ -23,12 +23,12 @@ if (buildParams.inFipsJvm) {
File fipsSecurity = new File(fipsResourcesDir, javaSecurityFilename)
File fipsPolicy = new File(fipsResourcesDir, 'fips_java.policy')
File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
- def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.5')
- def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.19')
+ def bcFips = dependencies.create('org.bouncycastle:bc-fips:2.1.1')
+ def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:2.1.20')
def manualDebug = false; //change this to manually debug bouncy castle in an IDE
if(manualDebug) {
- bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:1.0.2.5')
- bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.19'){
+ bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:2.1.1')
+ bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:2.1.20'){
exclude group: 'org.bouncycastle', module: 'bc-fips' // to avoid jar hell
}
}
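Review bot: The bc-fips and bctls-fips versions are repeated as string literals in both branches of this hunk (the default assignment and the `manualDebug` override) and again in distribution/docker/build.gradle, distribution/tools/plugin-cli/build.gradle and x-pack/plugin/core/build.gradle, so a later bump that misses one place would leave a FIPS build mixing module versions. Defining them once, e.g. `def bcFipsVersion = '2.1.1'` and `def bcTlsFipsVersion = '2.1.20'`, and building the coordinates as `"org.bouncycastle:bc-fips:${bcFipsVersion}"` would avoid this; plugin-cli already takes other versions from a shared map (`${versions.jimfs}`), which looks like the natural home. This is also a major-version change of the crypto module, and the visible diff does not touch `fips_java.policy` or the security properties file referenced just above. If those were re-checked against 2.1.x, a one-line comment here saying so would help the next reviewer. The enclosing `if (buildParams.inFipsJvm)` block starts and continues outside the hunk.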
diff --git a/distribution/docker/build.gradle b/distribution/docker/build.gradle
index 90e0a9383f753..2d88465e182d0 100644
--- a/distribution/docker/build.gradle
+++ b/distribution/docker/build.gradle
@@ -129,8 +129,8 @@ dependencies {
metricbeat_fips_aarch64 "beats:metricbeat-fips:${VersionProperties.elasticsearch}:linux-arm64@tar.gz"
metricbeat_fips_x86_64 "beats:metricbeat-fips:${VersionProperties.elasticsearch}:linux-x86_64@tar.gz"
- fips "org.bouncycastle:bc-fips:1.0.2.5"
- fips "org.bouncycastle:bctls-fips:1.0.19"
+ fips "org.bouncycastle:bc-fips:2.1.1"
+ fips "org.bouncycastle:bctls-fips:2.1.20"
}
ext.expansions = { Architecture architecture, DockerBase base, String publicationContext = '' ->
diff --git a/distribution/tools/plugin-cli/build.gradle b/distribution/tools/plugin-cli/build.gradle
index becdfbdb4d5e5..99cfb5895066f 100644
--- a/distribution/tools/plugin-cli/build.gradle
+++ b/distribution/tools/plugin-cli/build.gradle
@@ -29,8 +29,8 @@ dependencies {
implementation 'org.ow2.asm:asm:9.7.1'
implementation 'org.ow2.asm:asm-tree:9.7.1'
- api "org.bouncycastle:bcpg-fips:1.0.7.1"
- api "org.bouncycastle:bc-fips:1.0.2.5"
+ api "org.bouncycastle:bcpg-fips:2.1.11"
+ api "org.bouncycastle:bc-fips:2.1.1"
testImplementation project(":test:framework")
testImplementation "com.google.jimfs:jimfs:${versions.jimfs}"
testRuntimeOnly "com.google.guava:guava:${versions.jimfs_guava}"
@@ -50,32 +50,3 @@ tasks.named("test").configure {
systemProperty 'java.security.egd', 'file:/dev/urandom'
}
}
-
-/*
- * these two classes intentionally use the following JDK internal APIs in order to offer the necessary
- * functionality
- *
- * sun.security.internal.spec.TlsKeyMaterialParameterSpec
- * sun.security.internal.spec.TlsKeyMaterialSpec
- * sun.security.internal.spec.TlsMasterSecretParameterSpec
- * sun.security.internal.spec.TlsPrfParameterSpec
- * sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec
- * sun.security.provider.SecureRandom
- *
- */
-tasks.named("thirdPartyAudit").configure {
- ignoreViolations(
- 'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom',
- 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF',
- 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$BaseTLSKeyGeneratorSpi',
- 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator',
- 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator$2',
- 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator',
- 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator$2',
- 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSPRFKeyGenerator',
- 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator',
- 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator$2',
- 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator',
- 'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator$2'
- )
-}
diff --git a/docs/changelog/132817.yaml b/docs/changelog/132817.yaml
new file mode 100644
index 0000000000000..7128051484fa6
--- /dev/null
+++ b/docs/changelog/132817.yaml
@@ -0,0 +1,5 @@
+pr: 132817
+summary: Bump bc-fips to the latest version
+area: FIPS
+type: upgrade
+issues: []
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 28a7d6981a4cb..a0aa4919bff5d 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -3491,16 +3491,31 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -3536,6 +3551,16 @@
+
+
+
+
+
+
+
+
+
+
diff --git a/x-pack/plugin/core/build.gradle b/x-pack/plugin/core/build.gradle
index 41ff487d760da..1eb307fcf901d 100644
--- a/x-pack/plugin/core/build.gradle
+++ b/x-pack/plugin/core/build.gradle
@@ -70,7 +70,7 @@ dependencies {
testImplementation project(path: ':modules:rest-root')
testImplementation project(path: ':modules:health-shards-availability')
// Needed for Fips140ProviderVerificationTests
- testCompileOnly('org.bouncycastle:bc-fips:1.0.2.5')
+ testCompileOnly('org.bouncycastle:bc-fips:2.1.1')
testImplementation(project(':x-pack:license-tools')) {
transitive = false