At this time this is more of a discussion placeholder than an actual intent to implement.
FIPS is not supported at the moment. If we want to move to supporting FIPS in our identity config we will need to spend some time understanding the different bouncy-castle libraries. This primarily impacts the x509 plugin source code, but will probably affect the other pieces as well.
At the moment we utilize the bcpg-fips library, but based on bouncy-castle documentation that also requires at least a library for FIPS algorithms and potentially also using the bc-fips general FIPS library that isn't specific to OpenPGP.
Current bouncy-castle and Keycloak crypto libraries:
Describe the solution you'd like
All testing should pass (integration tests, plugin unit tests, etc).
The provided identity config should be FIPS compliant, regardless of the surrounding environment.
Testing Gotchas
While testing changes to libraries, be aware that sometimes the order of the libraries in the pom.xml can cause errors. @rjferguson21 and @UnicornChance experienced this behavior when importing the keycloak-crypto-default library after the bcpg-fips library.
Libraries that should be looked into:
Links
Official Keycloak FIPS140-2 Docs
Maven Repo description of bcpg-fips
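Added example, not from the issue or the project: Maven builds the classpath in dependency declaration order, so a small check over pom.xml can flag the ordering described in the testing note above, plus a missing bc-fips entry. The sample POM, its placeholder versions and the function names are assumptions, and only direct dependencies are inspected.

```python
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not the project's); versions are placeholders.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcpg-fips</artifactId>
      <version>PLACEHOLDER</version>
    </dependency>
    <dependency>
      <groupId>org.keycloak</groupId>
      <artifactId>keycloak-crypto-default</artifactId>
      <version>PLACEHOLDER</version>
    </dependency>
  </dependencies>
</project>"""


def dependency_order(pom_text):
    """Return artifactIds of direct dependencies in declaration order."""
    root = ET.fromstring(pom_text)
    # {*} matches the Maven namespace or none (Python 3.8+).
    deps = root.findall("./{*}dependencies/{*}dependency")
    return [(d.findtext("{*}artifactId") or "").strip() for d in deps]


def check_pom(pom_text):
    """Flag the ordering and library gaps the issue describes."""
    order = dependency_order(pom_text)
    findings = []
    if "bcpg-fips" in order and "keycloak-crypto-default" in order:
        if order.index("keycloak-crypto-default") > order.index("bcpg-fips"):
            findings.append("keycloak-crypto-default is declared after bcpg-fips")
    # The issue notes bcpg-fips also needs a FIPS algorithm library; a
    # transitive dependency could satisfy this, so treat it as a prompt.
    if "bcpg-fips" in order and "bc-fips" not in order:
        findings.append("bc-fips is not declared alongside bcpg-fips")
    return findings


if __name__ == "__main__":
    for finding in check_pom(SAMPLE_POM):
        print("WARN:", finding)
```
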