BCFips relies on the SUN provider SecureRandom, But The SUN provider makes my application non compliant

[mgrundie-r7]

I am trying to configure my Java application security providers in a FIPS compliant way. If I remove all of the default providers and include only the FIPS 2.0.0 BC JCE and JSSE providers then the application crashes with a stackoverflowerror because it relies on the SUN provider's secure random. (See #1800)

If I place the BC providers at the highest positions (1&2) then my application works. However unapproved algorithms are now available to my application and the 3rd party dependencies I rely on. One such example is MD5 being used by AWS SDK.

What is the correct way to configure my application so that BC SecureRandom doesn't crash but my application cannot access unapproved algorithms.

Example 1 - Crashes with StackOverflowError

// Remove default providers
log.debug("Removing default security providers");
for (var provider : Security.getProviders()) {
  log.trace("Removing provider {}", provider);
  Security.removeProvider(provider.getName());
}

Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
Security.insertProviderAt(new BouncyCastleJsseProvider(), 2);

Example 2 - MD5 available from SUN provider - We don't want this

assert(CryptoServicesRegistrar.isInApprovedOnlyMode() == true)

try {
    Security.insertProviderAt(new BouncyCastleFipsProvider(), 1);
    Security.insertProviderAt(new BouncyCastleJsseProvider(), 2);
    MessageDigest digest = MessageDigest.getInstance("md5");
    assert(digest.getProvider().getName().equals("SUN"));
  } catch (NoSuchAlgorithmException e) {
    throw new RuntimeException(e);
 }