hanicz opened a new pull request, #1299:
URL: https://github.com/apache/knox/pull/1299

   [KNOX-3361](https://issues.apache.org/jira/browse/KNOX-3361) - Route 
OpenSAML off BouncyCastle in FIPS mode
   
   ## What changes were proposed in this pull request?
   
   New `gateway-shim-opensaml-security-api` module: a shaded drop-in for 
`org.opensaml:opensaml-security-api` that swaps upstream's 
GlobalNamedCurveRegistryInitializer for a Knox-owned wrapper. When Knox is 
running on a FIPS cluster, the wrapper short-circuits SPI-driven EC curve 
registration so `AbstractNamedCurve.initialize()` never invokes 
`org.bouncycastle.jce.ECNamedCurveTable` — preventing BouncyCastle EC code from 
executing. In non-FIPS deployments the wrapper delegates to the upstream 
initializer, preserving unmodified OpenSAML behavior.
   
   ECDH-ES-encrypted SAML assertion decryption is not supported in FIPS mode 
(empty NamedCurveRegistry). RSA-signed and RSA-OAEP-encrypted SAML flows work 
identically in FIPS and non-FIPS.
   
   This solution builds on what 
[elasticsearch](https://github.com/elastic/elasticsearch/pull/98199) did, 
however for Knox it acts based on being on FIPS cluster or not.
   
   ## How was this patch tested?
   
   - Unit tests
       `KnoxNamedCurveRegistryInitializerTest` covers both branches:
       FIPS mode → registry empty, `ECSupport.getNamedCurve` returns null
       Non-FIPS mode → registry populated by upstream, 
`ECSupport.getNamedCurve` resolves `secp256r1` 
   - Tested classpath for installed Knox
   - Tested RSA SAML with Keycloak for both FIPS and non-FIPS
   
   ## Integration Tests
   N/A
   
   ## UI changes
   N/A


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to