We currently only run our tests in a Java 8 FIPS 140-2 JVM in CI using BouncyCastle FIPS Security Provider. We need to also run our tests with JDK 11.

A complication is that BouncyCastle FIPS Security Provider is not certified yet for JDK 11. This is an ongoing effort , details should be available at https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/iut-list) but there is no concrete timeline. This leaves us with the option of SunPKCS11-NSS and its limitations