elastic · richard-dennehy · Aug 13, 2025 · Oct 2, 2025
@@ -23,12 +23,12 @@ if (buildParams.inFipsJvm) {
     File fipsSecurity = new File(fipsResourcesDir, javaSecurityFilename)
     File fipsPolicy = new File(fipsResourcesDir, 'fips_java.policy')
     File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
-    def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.5')
-    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.19')
+    def bcFips = dependencies.create('org.bouncycastle:bc-fips:2.1.1')
+    def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:2.1.20')
     def manualDebug = false; //change this to manually debug bouncy castle in an IDE
     if(manualDebug) {
-      bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:1.0.2.5')
-      bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.19'){
+      bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:2.1.1')
+      bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:2.1.20'){
         exclude group: 'org.bouncycastle', module: 'bc-fips'  // to avoid jar hell
       }
     }

diff --git a/distribution/docker/build.gradle b/distribution/docker/build.gradle
@@ -129,8 +129,8 @@ dependencies {
   metricbeat_fips_aarch64 "beats:metricbeat-fips:${VersionProperties.elasticsearch}:[email protected]"
   metricbeat_fips_x86_64 "beats:metricbeat-fips:${VersionProperties.elasticsearch}:[email protected]"
 
-  fips "org.bouncycastle:bc-fips:1.0.2.5"
-  fips "org.bouncycastle:bctls-fips:1.0.19"
+  fips "org.bouncycastle:bc-fips:2.1.1"
+  fips "org.bouncycastle:bctls-fips:2.1.20"
 }
 
 ext.expansions = { Architecture architecture, DockerBase base, String publicationContext = '' ->

@@ -29,8 +29,8 @@ dependencies {
   implementation 'org.ow2.asm:asm:9.7.1'
   implementation 'org.ow2.asm:asm-tree:9.7.1'
 
-  api "org.bouncycastle:bcpg-fips:1.0.7.1"
-  api "org.bouncycastle:bc-fips:1.0.2.5"
+  api "org.bouncycastle:bcpg-fips:2.1.11"
+  api "org.bouncycastle:bc-fips:2.1.1"
   testImplementation project(":test:framework")
   testImplementation "com.google.jimfs:jimfs:${versions.jimfs}"
   testRuntimeOnly "com.google.guava:guava:${versions.jimfs_guava}"
@@ -50,32 +50,3 @@ tasks.named("test").configure {
     systemProperty 'java.security.egd', 'file:/dev/urandom'
   }
 }
-
-/*
- * these two classes intentionally use the following JDK internal APIs in order to offer the necessary
- * functionality
- *
- * sun.security.internal.spec.TlsKeyMaterialParameterSpec
- * sun.security.internal.spec.TlsKeyMaterialSpec
- * sun.security.internal.spec.TlsMasterSecretParameterSpec
- * sun.security.internal.spec.TlsPrfParameterSpec
- * sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec
- * sun.security.provider.SecureRandom
- *
- */
-tasks.named("thirdPartyAudit").configure {
-  ignoreViolations(
-          'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom',
-          'org.bouncycastle.jcajce.provider.ProvSunTLSKDF',
-          'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$BaseTLSKeyGeneratorSpi',
-          'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator',
-          'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSKeyMaterialGenerator$2',
-          'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator',
-          'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSMasterSecretGenerator$2',
-          'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSPRFKeyGenerator',
-          'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator',
-          'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSRsaPreMasterSecretGenerator$2',
-          'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator',
-          'org.bouncycastle.jcajce.provider.ProvSunTLSKDF$TLSExtendedMasterSecretGenerator$2'
-  )
-}
diff --git a/docs/changelog/132817.yaml b/docs/changelog/132817.yaml
@@ -0,0 +1,5 @@
+pr: 132817
+summary: Bump bc-fips to the latest version
+area: FIPS
+type: upgrade
+issues: []
@@ -3491,16 +3491,31 @@
             <sha256 value="50e4c7a0d0c68413d3d8587560d56945ac09e7c89c41bd971cd22d76be6f1085" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.bouncycastle" name="bc-fips" version="2.1.1">
+         <artifact name="bc-fips-2.1.1.jar">
+            <sha256 value="a430d935ad6cec6d045930758457740f5a5f8f9715894e347f6800f7926a7321" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.bouncycastle" name="bc-fips-debug" version="1.0.2.5">
          <artifact name="bc-fips-debug-1.0.2.5.jar">
             <sha256 value="5cfda7e020c5c1a3b1724386f139957472e551494254b8fc74e34f73590fc605" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.bouncycastle" name="bc-fips-debug" version="2.1.1">
+         <artifact name="bc-fips-debug-2.1.1.jar">
+            <sha256 value="53719461ff7f00a2d6a50c8ac06093e82830c091610285e1725212041b783abb" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.bouncycastle" name="bcpg-fips" version="1.0.7.1">
          <artifact name="bcpg-fips-1.0.7.1.jar">
             <sha256 value="fea1a096c098395eb67d48700c349d5f75321ef0c7c6af9198bc38f4cc836622" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.bouncycastle" name="bcpg-fips" version="2.1.11">
+         <artifact name="bcpg-fips-2.1.11.jar">
+            <sha256 value="ea51efee825bd0d61c3d22cff5a127898edc7ca62ba454fbcf4789801031d850" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.bouncycastle" name="bcpg-jdk15on" version="1.69">
          <artifact name="bcpg-jdk15on-1.69.jar">
             <sha256 value="a3984ff7fd9518d00094e34f3d3e714a4823f2505ada1c19b35c129e26f63934" origin="Generated by Gradle"/>
@@ -3536,6 +3551,16 @@
             <sha256 value="a0bbad2eb5268f1baa08f0e2e69cb61cd292e19e73595c620d586d335d97d1a8" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.bouncycastle" name="bctls-fips" version="2.1.20">
+         <artifact name="bctls-fips-2.1.20.jar">
+            <sha256 value="c058a438442ea46d8abdefc95e581ebf2834e50504bda925a945b1f4ceb48d86" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
+      <component group="org.bouncycastle" name="bcutil-fips" version="2.1.4">
+         <artifact name="bcutil-fips-2.1.4.jar">
+            <sha256 value="e169519e6441fb19cabf633d44fcef211506793e5be499ac9215648bd20634e0" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.bouncycastle" name="bcutil-jdk18on" version="1.78.1">
          <artifact name="bcutil-jdk18on-1.78.1.jar">
             <sha256 value="d9fa56f97b0f761ce3bc8d9d74c5d7137a987bf5bd3abfe1003f9bafa45a1d2f" origin="Generated by Gradle"/>

diff --git a/x-pack/plugin/core/build.gradle b/x-pack/plugin/core/build.gradle
@@ -70,7 +70,7 @@ dependencies {
   testImplementation project(path: ':modules:rest-root')
   testImplementation project(path: ':modules:health-shards-availability')
   // Needed for Fips140ProviderVerificationTests
-  testCompileOnly('org.bouncycastle:bc-fips:1.0.2.5')
+  testCompileOnly('org.bouncycastle:bc-fips:2.1.1')
 
   testImplementation(project(':x-pack:license-tools')) {
     transitive = false