Hello Team,
I'm currently using Spring Security 6.2, which internally uses the OpenSAML 4.3 Java library to handle the SAML assertion received from the IDP. However, I've encountered an issue where OpenSAML relies on the bcprov-jdk18on library, which is not compliant with FIPS standards. I integrated bc-fips version 1.0.2.4. However, this change has led to numerous "class not found" errors, and the system is not functioning correctly.
Spring Security SAML uses OpenSAML 4.3, which has a hard dependency on a non-FIPS library, which makes Spring Security SAML unusable for federal projects.
Comment From: sumeetpri
Hi @jzheaux, looking forward to your input, as software like Spring Security SAML becoming non-FIPS compliant is a major blocker to its use in federal projects.
Comment From: sumeetpri
Please suggest if there is any alternative option available
Comment From: rwinch
@sumeetpri Can you put together a minimal sample that reproduces the errors that you are seeing?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
Comment From: alla-gofman
Hello Team,
We encounter the same issue.
The class org.opensaml.security.crypto.ec.curves.AbstractNamedCurve imports org.bouncycastle.jce.ECNamedCurveTable.
This forces us to import the bcprov-jdk18on library, but we need to work with the FIPS-compliant library bc-fips instead.
Refer to the `AbstractNamedCurve.buildParameterSpec` method documentation:
```
Build an instance of ECParameterSpec corresponding to this curve. The default implementation here is that it first attempts to resolve the curve from Bouncy Castle's ECNamedCurveTable. If that is unsuccessful then it attempts a brute force approach by generating a key pair using a ECGenParameterSpec based on the curve's name from getName(), returning the parameter instance from the resulting ECPublicKey. Returns: the parameter spec instance, or null if can not be built
Maven: org.opensaml:opensaml-security-api:4.3.1 (opensaml-security-api-4.3.1-sources.jar)
```
So you should also handle ClassNotFoundException in case of an unsuccessful attempt to resolve the curve from Bouncy Castle's ECNamedCurveTable.
```
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.ECNamedCurveTable
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641) ~[?:?]
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) ~[?:?]
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525) ~[?:?]
at org.opensaml.security.crypto.ec.curves.AbstractNamedCurve.buildParameterSpec(AbstractNamedCurve.java:84) ~[opensaml-security-api-4.3.1.jar:?]
at org.opensaml.security.crypto.ec.curves.AbstractNamedCurve.doInitialize(AbstractNamedCurve.java:62) ~[opensaml-security-api-4.3.1.jar:?]
at net.shibboleth.utilities.java.support.component.AbstractInitializableComponent.initialize(AbstractInitializableComponent.java:65) ~[java-support-8.4.1.jar:?]
at org.opensaml.security.config.GlobalNamedCurveRegistryInitializer.init(GlobalNamedCurveRegistryInitializer.java:60) ~[opensaml-security-api-4.3.1.jar:?]
at org.opensaml.core.config.InitializationService.initialize(InitializationService.java:57) ~[opensaml-core-4.3.1.jar:?]
at org.springframework.security.saml2.core.OpenSamlInitializationService.initialize(OpenSamlInitializationService.java:122) ~[spring-security-saml2-service-provider-6.2.4.jar:6.2.4]
at org.springframework.security.saml2.core.OpenSamlInitializationService.initialize(OpenSamlInitializationService.java:97) ~[spring-security-saml2-service-provider-6.2.4.jar:6.2.4]
at org.springframework.security.saml2.provider.service.registration.OpenSamlMetadataRelyingPartyRegistrationConverter.
```
Comment From: rahul-mishra-sp
Is there a fix planned for this? This is a major issue.
Comment From: jzheaux
Hi, @rahul-mishra-sp; sorry this was closed due to inactivity a while back and it fell off my radar.
There isn't very much that Spring Security can do to address transitive dependencies of third-party projects. I'd be open to looking into making Spring Security compatible with a FIPS-compliant SAML library, should one exist.
One thing that I think could be an option is to allow applications to do their own OpenSAML initialization. For example, if you don't need `GlobalNamedCurveRegistryInitializer` (your application is not using EC, for example), then you could do:
```java
import static org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap.CONFIG_PROPERTY_ECDH_DEFAULT_KDF;

import java.util.Properties;
import java.util.ServiceLoader;
import java.util.ServiceLoader.Provider;

import org.opensaml.core.config.ConfigurationService;
import org.opensaml.core.config.InitializationException;
import org.opensaml.core.config.Initializer;
import org.opensaml.security.config.GlobalNamedCurveRegistryInitializer;
import org.opensaml.xmlsec.config.impl.DefaultSecurityConfigurationBootstrap;
import org.springframework.security.saml2.Saml2Exception;
import org.springframework.security.saml2.core.OpenSamlInitializationService;

public final class MyOpenSamlInitializationService {

    public static void initialize() {
        // externalInitialize() is the proposed Spring Security addition discussed in this thread
        if (!OpenSamlInitializationService.externalInitialize()) {
            Properties props = ConfigurationService.getConfigurationProperties();
            props.put(CONFIG_PROPERTY_ECDH_DEFAULT_KDF,
                    DefaultSecurityConfigurationBootstrap.PBKDF2);
            // skip the initializer that needs bcprov's ECNamedCurveTable
            Class<?> toSkip = GlobalNamedCurveRegistryInitializer.class;
            ServiceLoader.load(Initializer.class).stream()
                    .filter((provider) -> provider.type() != toSkip)
                    .forEach((provider) -> init(provider));
        }
    }

    private static void init(Provider<Initializer> provider) {
        try {
            provider.get().init();
        } catch (InitializationException ex) {
            throw new Saml2Exception(ex);
        }
    }
}
```
And then at the beginning of your application, you would do:
```java
static {
    MyOpenSamlInitializationService.initialize();
}
```
which would take the place of Spring Security initializing OpenSAML.
Adding this externalInitialize method wouldn't make your app FIPS-compliant. It would simply allow you the flexibility to be more selective about the parts of OpenSAML that you care to load.
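As an added example (not code from Spring Security, OpenSAML or any participant in this thread), a startup guard that checks the JCA provider table and the classpath for the non-FIPS bcprov marker class named in the stack trace, and flags the initializer that will throw once bcprov is removed unless you have chosen to skip it as in the snippet above. The class and method names are my own; the provider names "BCFIPS" and "BC" are what bc-fips and bcprov register.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.ServiceLoader;
import java.util.Set;
import org.opensaml.core.config.Initializer;

/** Hypothetical startup guard: report FIPS classpath problems before OpenSAML is initialized. */
public final class FipsClasspathGuard {
    /** Only the non-FIPS bcprov artifact provides this class (see the stack trace above). */
    static final String BCPROV_MARKER = "org.bouncycastle.jce.ECNamedCurveTable";
    /** OpenSAML initializer that, per the stack trace, depends on the marker class. */
    static final String CURVE_INITIALIZER = "org.opensaml.security.config.GlobalNamedCurveRegistryInitializer";

    static boolean present(String className) {
        try {
            Class.forName(className, false, FipsClasspathGuard.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException ex) {
            return false;
        }
    }

    /** Returns human-readable findings; skippedInitializers are the ones your own init code will not run. */
    public static List<String> check(Set<String> skippedInitializers) {
        List<String> findings = new ArrayList<>();
        if (Security.getProvider("BCFIPS") == null) {
            findings.add("BCFIPS provider is not registered; is bc-fips on the classpath and in java.security?");
        }
        if (Security.getProvider("BC") != null || present(BCPROV_MARKER)) {
            findings.add("non-FIPS Bouncy Castle (bcprov) is present; remove it from a FIPS deployment");
        }
        // Walk the initializers OpenSAML's InitializationService would run and flag the one
        // that will fail with ClassNotFoundException once bcprov is gone and it is not skipped.
        for (ServiceLoader.Provider<Initializer> p : ServiceLoader.load(Initializer.class).stream().toList()) {
            String name = p.type().getName();
            if (name.equals(CURVE_INITIALIZER) && !present(BCPROV_MARKER) && !skippedInitializers.contains(name)) {
                findings.add(name + " needs " + BCPROV_MARKER + "; skip it when initializing OpenSAML yourself");
            }
        }
        return findings;
    }

    /** Fail fast with one clear message instead of a deep stack trace during the first SAML login. */
    public static void enforce(Set<String> skippedInitializers) {
        List<String> findings = check(skippedInitializers);
        if (!findings.isEmpty()) {
            throw new IllegalStateException("FIPS classpath check failed: " + findings);
        }
    }
}
```

Call `FipsClasspathGuard.enforce(Set.of(FipsClasspathGuard.CURVE_INITIALIZER))` from the same static initializer that runs your own OpenSAML initialization, before it.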
Comment From: jzheaux
Also, I've logged https://shibboleth.atlassian.net/browse/OSJ-423 to see if some of the above code can be rendered unnecessary.
Comment From: jzheaux
Note that after having a brief conversation with the OpenSAML developers, they added some helpful information to their explanation regarding FIPS support in Java: https://shibboleth.atlassian.net/wiki/spaces/DEV/pages/1159627167/FIPS
You can also follow the above issue to other issues that are needed before OpenSAML would be able to use BC FIPS.
As I believe the ability to externally initialize will be helpful anyway, I'm repurposing this ticket for that and would invite anyone wanting to improve OpenSAML to coordinate over there.