FIPS

The project is not in a position to make any official statements or assurances regarding compliance (or lack thereof) with the US Federal Information Processing Standards. However, there are some clarifying points that may help others to reach useful conclusions about this.

Java

The Java products we produce, including the Identity Provider and OpenSAML libraries, rely on the Java Cryptography Extensions service APIs for virtually all encryption, decryption, signing, and verification operations involving the core protocols we support.

However, within the OpenSAML stack, a version of the Bouncy Castle library provides:

  • An ASN.1 parser and some certificate and key parsing functionality to one of our dependencies

  • KeyInfo support for Elliptic Curve keys with Named Curves

  • Our implementation of ConcatKDF key derivation for encryption using Elliptic Curve Diffie-Hellman (ECDH) key agreement

It is NOT possible with ordinary effort to switch the code base to rely on the Bouncy Castle FIPS version, as its API is not sufficiently compatible with the full version. Until we remove the dependency on it altogether, which is a goal of the project, the situation isn’t going to improve.

C++

The C++ products we produce, including the Service Provider and OpenSAML libraries, rely solely on OpenSSL for all underlying cryptographic operations. We do not have any specific knowledge as to the compatibility of the FIPS version of OpenSSL with our code, but we would be willing to consider patches necessary to allow for this. We have no plans to do such work ourselves, or to test it.