From c85e3ba7038130ae98fdbd64ebe0c63320624a63 Mon Sep 17 00:00:00 2001
From: Tim Vernum <tim@adjective.org>
Date: Tue, 26 Aug 2025 12:26:03 +1000
Subject: [PATCH] Bump bc-fips to 1.0.2.6 (#133290)

Bump BC-JFA (bc-fips) to version 1.0.2.6

Backport of: #133198
---
 .../src/main/groovy/elasticsearch.fips.gradle        |  4 ++--
 distribution/docker/build.gradle                     |  2 +-
 .../src/docker/dockerfiles/cloud_ess_fips/Dockerfile |  2 +-
 distribution/tools/plugin-cli/build.gradle           |  2 +-
 docs/changelog/133198.yaml                           |  5 +++++
 gradle/verification-metadata.xml                     | 12 ++++++------
 x-pack/plugin/core/build.gradle                      |  2 +-
 7 files changed, 17 insertions(+), 12 deletions(-)
 create mode 100644 docs/changelog/133198.yaml

diff --git a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
index 3c9cf121813c9..6281e542930c6 100644
--- a/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
+++ b/build-tools-internal/src/main/groovy/elasticsearch.fips.gradle
@@ -25,11 +25,11 @@ if (buildParams.inFipsJvm) {
     File fipsSecurity = new File(fipsResourcesDir, javaSecurityFilename)
     File fipsPolicy = new File(fipsResourcesDir, 'fips_java.policy')
     File fipsTrustStore = new File(fipsResourcesDir, 'cacerts.bcfks')
-    def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.5')
+    def bcFips = dependencies.create('org.bouncycastle:bc-fips:1.0.2.6')
     def bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.19')
     def manualDebug = false; //change this to manually debug bouncy castle in an IDE
     if(manualDebug) {
-      bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:1.0.2.5')
+      bcFips = dependencies.create('org.bouncycastle:bc-fips-debug:1.0.2.6')
       bcTlsFips = dependencies.create('org.bouncycastle:bctls-fips:1.0.19'){
         exclude group: 'org.bouncycastle', module: 'bc-fips'  // to avoid jar hell
       }
diff --git a/distribution/docker/build.gradle b/distribution/docker/build.gradle
index 202ade7ad81e8..316888bdaffdc 100644
--- a/distribution/docker/build.gradle
+++ b/distribution/docker/build.gradle
@@ -129,7 +129,7 @@ dependencies {
   metricbeat_fips_aarch64 "beats:metricbeat-fips:${VersionProperties.elasticsearch}:linux-arm64@tar.gz"
   metricbeat_fips_x86_64 "beats:metricbeat-fips:${VersionProperties.elasticsearch}:linux-x86_64@tar.gz"
 
-  fips "org.bouncycastle:bc-fips:1.0.2.5"
+  fips "org.bouncycastle:bc-fips:1.0.2.6"
   fips "org.bouncycastle:bctls-fips:1.0.19"
 }
 
diff --git a/distribution/docker/src/docker/dockerfiles/cloud_ess_fips/Dockerfile b/distribution/docker/src/docker/dockerfiles/cloud_ess_fips/Dockerfile
index 94fb70b251755..7751137cbdca9 100644
--- a/distribution/docker/src/docker/dockerfiles/cloud_ess_fips/Dockerfile
+++ b/distribution/docker/src/docker/dockerfiles/cloud_ess_fips/Dockerfile
@@ -162,7 +162,7 @@ RUN printf "\\n" | jdk/bin/keytool -importkeystore \
   -deststorepass passwordcacert \
   -deststoretype BCFKS \
   -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider \
-  -providerpath lib/bc-fips-1.0.2.5.jar \
+  -providerpath lib/bc-fips-1.0.2.6.jar \
   -destprovidername BCFIPS
 
 
diff --git a/distribution/tools/plugin-cli/build.gradle b/distribution/tools/plugin-cli/build.gradle
index becdfbdb4d5e5..b330397c6693f 100644
--- a/distribution/tools/plugin-cli/build.gradle
+++ b/distribution/tools/plugin-cli/build.gradle
@@ -30,7 +30,7 @@ dependencies {
   implementation 'org.ow2.asm:asm-tree:9.7.1'
 
   api "org.bouncycastle:bcpg-fips:1.0.7.1"
-  api "org.bouncycastle:bc-fips:1.0.2.5"
+  api "org.bouncycastle:bc-fips:1.0.2.6"
   testImplementation project(":test:framework")
   testImplementation "com.google.jimfs:jimfs:${versions.jimfs}"
   testRuntimeOnly "com.google.guava:guava:${versions.jimfs_guava}"
diff --git a/docs/changelog/133198.yaml b/docs/changelog/133198.yaml
new file mode 100644
index 0000000000000..8e664e571122c
--- /dev/null
+++ b/docs/changelog/133198.yaml
@@ -0,0 +1,5 @@
+pr: 133198
+summary: Bump bc-fips to 1.0.2.6
+area: FIPS
+type: upgrade
+issues: []
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
index 453d893a096dd..5205f41885d6e 100644
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
@@ -3378,14 +3378,14 @@
             <sha256 value="5b8a26205f6d5ea60ad9ce65ce4a40a2afe4c48abeec61bd0740a088c24e89f5" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.bouncycastle" name="bc-fips" version="1.0.2.5">
-         <artifact name="bc-fips-1.0.2.5.jar">
-            <sha256 value="50e4c7a0d0c68413d3d8587560d56945ac09e7c89c41bd971cd22d76be6f1085" origin="Generated by Gradle"/>
+      <component group="org.bouncycastle" name="bc-fips" version="1.0.2.6">
+         <artifact name="bc-fips-1.0.2.6.jar">
+            <sha256 value="ae2a1ece67e86d0c5b852765a9d04cdb05abc4ed7aa90b3bf3fbab786d3fedbc" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="org.bouncycastle" name="bc-fips-debug" version="1.0.2.5">
-         <artifact name="bc-fips-debug-1.0.2.5.jar">
-            <sha256 value="5cfda7e020c5c1a3b1724386f139957472e551494254b8fc74e34f73590fc605" origin="Generated by Gradle"/>
+      <component group="org.bouncycastle" name="bc-fips-debug" version="1.0.2.6">
+         <artifact name="bc-fips-debug-1.0.2.6.jar">
+            <sha256 value="6ac85ac9a5fa5e4a003cadf5cae8e4e586deb4ac9b3209b87aa353f7c2b93379" origin="Generated by Gradle"/>
          </artifact>
       </component>
       <component group="org.bouncycastle" name="bcpg-fips" version="1.0.7.1">
diff --git a/x-pack/plugin/core/build.gradle b/x-pack/plugin/core/build.gradle
index ad3a18a7cb723..dcb5e9f12ed91 100644
--- a/x-pack/plugin/core/build.gradle
+++ b/x-pack/plugin/core/build.gradle
@@ -65,7 +65,7 @@ dependencies {
   testImplementation project(path: ':modules:rest-root')
   testImplementation project(path: ':modules:health-shards-availability')
   // Needed for Fips140ProviderVerificationTests
-  testCompileOnly('org.bouncycastle:bc-fips:1.0.2.5')
+  testCompileOnly('org.bouncycastle:bc-fips:1.0.2.6')
 
   testImplementation(project(':x-pack:license-tools')) {
     transitive = false