Release candidate for ACCP 2.3.0 (#316)

corretto · Aug 3, 2023 · a9233d8 · a9233d8
1 parent cb783df
commit a9233d8
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 13 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,17 @@
 # Changelog
 
+## 2.3.0
+
+### Overview
+
+Starting from this version, build artifacts for ACCP-FIPS are also released for
+experimental purposes. This version of ACCP-FIPS uses
+[fips-2022-11-02](https://github.com/aws/aws-lc/tree/fips-2022-11-02) branch of
+AWS-LC at commit ID `993c6ff33a2d709ddc25d1557cd96261217bf1fd`.
+
+### Minor changes
+* Support HKDF [PR 310, 312]
+
 ## 2.2.0
 
 ### Minor changes

diff --git a/README.md b/README.md
@@ -40,6 +40,7 @@ Cipher algorithms:
 * AES_128/GCM/NoPadding
 * AES_256/GCM/NoPadding
 * AES/KWP/NoPadding
+* AES/XTS/NoPadding
 * RSA/ECB/NoPadding
 * RSA/ECB/PKCS1Padding
 * RSA/ECB/OAEPPadding
@@ -64,20 +65,52 @@ Signature algorithms:
 * SHA512withECDSAinP1363Format
 * RSASSA-PSS
 
-KeyPairGenerator algorithms:
+KeyPairGenerator:
 * EC
 * RSA
 
+KeyGenerator:
+* AES
+
 KeyAgreement:
 * ECDH
 
-SecureRandom algorithms:
-* ACCP's SecureRandom uses AWS-LC's DRBG implementation, which is described [here](https://github.com/awslabs/aws-lc/blob/main/third_party/jitterentropy/README.md) and [here](https://github.com/awslabs/aws-lc/blob/725625435158150ef21e0a4dab6fa3aca1ef2d2c/crypto/fipsmodule/rand/rand.c#L36-L60).
+SecretKeyFactory:
+* HkdfWithHmacSHA1
+* HkdfWithHmacSHA256
+* HkdfWithHmacSHA384
+* HkdfWithHmacSHA512
+
+SecureRandom:
+* ACCP's SecureRandom uses AWS-LC's DRBG implementation, which is described [here](https://github.com/awslabs/aws-lc/blob/main/third_party/jitterentropy/README.md) and [here](https://github.com/awslabs/aws-lc/blob/725625435158150ef21e0a4dab6fa3aca1ef2d2c/crypto/fipsmodule/rand/rand.c#L36-L60). Please refer to [system properties](https://github.com/corretto/amazon-corretto-crypto-provider#other-system-properties) for more information.
 
-KeyFactory algorithms:
+KeyFactory:
 * EC
 * RSA
-* ACCP's SecureRandom uses AWS-LC's DRBG implementation.
+
+AlgorithmParameters:
+* EC. Please refer to [system properties](https://github.com/corretto/amazon-corretto-crypto-provider#other-system-properties) for more information.
+
+
+# Notes on ACCP-FIPS
+ACCP-FIPS is a variation of ACCP which uses AWS-LC built in FIPS-mode.
+AWS-LC is undergoing FIPS validation testing by an accredited lab and,
+upon completion, will be submitted to NIST for certification.
+The status of FIPS certification will be reflected in our release notes
+and documentations. We provide ACCP-FIPS for experimentation
+and performance testing in the interim.
+
+
+Version 2.3.0 is the first release of ACCP-FIPS. The Maven coordinates for
+ACCP-FIPS are the same as ACCP with one difference that ACCP-FIPS's
+artifact ID is `AmazonCorrettoCryptoProvider-FIPS`.
+
+Notable differences between ACCP and ACCP-FIPS:
+* ACCP uses [the latest release of AWS-LC](https://github.com/aws/aws-lc/releases), whereas, ACCP-FIPS uses [the fips-2022-11-02 branch of AWS-LC](https://github.com/aws/aws-lc/tree/fips-2022-11-02).
+* ACCP-FIPS builds AWS-LC in FIPS mode by passing `-DFIPS=1` when configuring AWS-LC's build.
+* In FIPS-mode, RSA keys are limited to 2048, 3072, or 4096 bits in size with public exponent F4.
+* ACCP-FIPS does not register SecureRandom by default due to the performance of AWS-LC’s entropy source in FIPS-mode. [A system property](https://github.com/corretto/amazon-corretto-crypto-provider#other-system-properties) is available to register SecureRandom from AWS-LC if needed, and the performance differences are described in further detail under the description of that property.
+* Due to the fact that an older branch of AWS-LC is used in FIPS-mode, there will be performance differences between ACCP and ACCP-FIPS. We highly recommend performing detailed performance testing of your application if you choose to experiment with ACCP-FIPS.
 
 # Compatibility & Requirements
 ACCP has the following requirements:
@@ -115,6 +148,8 @@ For more information, please see [VERSIONING.rst](https://github.com/corretto/am
 </dependency>
 ```
 
+The artifactId for FIPS builds is `AmazonCorrettoCryptoProvider-FIPS`.
+
 The classifier attribute could be set to `linux-aarch_64` to use ACCP on Linux ARM64 platforms.
 
 ACCP artifacts on Maven can be verified using the following PGP keys:

diff --git a/build.gradle b/build.gradle
@@ -15,7 +15,7 @@ plugins {
 }
 
 group = 'software.amazon.cryptools'
-version = '2.2.0'
+version = '2.3.0'
 ext.isFips = Boolean.getBoolean('FIPS')
 ext.isLegacyBuild = Boolean.getBoolean('LEGACY_BUILD')
 
@@ -24,6 +24,24 @@ if (ext.lcovIgnore == null) {
     ext.lcovIgnore = 'source'
 }
 
+def getDescriptionForPom(isFips) {
+    if (!isFips) {
+        return [
+            'The Amazon Corretto Crypto Provider (ACCP) is a collection of',
+            'high-performance cryptographic implementations exposed via the',
+            'standard JCA/JCE interfaces.'
+        ].join(" ")
+    }
+
+    return [
+        'The Amazon Corretto Crypto Provider FIPS (ACCP-FIPS) is a collection',
+        'of high-performance cryptographic implementations exposed via the',
+        'standard JCA/JCE interfaces. ACCP-FIPS uses AWS-LC built in FIPS mode',
+        'and is provided for experimental purposes only.'
+    ].join(" ")
+
+}
+
 jmh {
     //includes = ['AesXts'] // uncomment if you need to run specific benchmarks only
     fork = 1
@@ -684,7 +702,7 @@ if (project.hasProperty('mavenUser') && project.hasProperty('jcecertAlias')) {
 
                 pom {
                     name = pomName
-                    description = 'The Amazon Corretto Crypto Provider (ACCP) is a collection of high-performance cryptographic implementations exposed via the standard JCA/JCE interfaces.'
+                    description = getDescriptionForPom(isFips)
                     url = 'https://github.com/corretto/amazon-corretto-crypto-provider'
                     licenses {
                         license {

diff --git a/examples/gradle-kt-dsl/lib/build.gradle.kts b/examples/gradle-kt-dsl/lib/build.gradle.kts
@@ -1,5 +1,6 @@
-val accpVersion = "2.2.0"
+val accpVersion = "2.3.0"
 val accpLocalJar: String by project
+val fips: Boolean by project
 
 plugins {
     // Apply the org.jetbrains.kotlin.jvm Plugin to add support for Kotlin.
@@ -28,10 +29,16 @@ dependencies {
     // Use the Kotlin JUnit integration.
     testImplementation("org.jetbrains.kotlin:kotlin-test-junit")
 
+    val accpArtifactId =
+        if (project.hasProperty("fips"))
+            "AmazonCorrettoCryptoProvider-FIPS"
+        else
+            "AmazonCorrettoCryptoProvider"
+
     if (project.hasProperty("accpLocalJar")) {
         testImplementation(files(accpLocalJar))
     } else {
-        testImplementation("software.amazon.cryptools:AmazonCorrettoCryptoProvider:$accpVersion:${osdetector.classifier}")
+        testImplementation("software.amazon.cryptools:${accpArtifactId}:$accpVersion:${osdetector.classifier}")
     }
 
     testImplementation("com.amazonaws:aws-encryption-sdk-java:2.4.0")

diff --git a/examples/gradle-kt-dsl/run-tests.sh b/examples/gradle-kt-dsl/run-tests.sh
@@ -1,13 +1,13 @@
 #!/bin/sh
 
-# Retry the build for 30 minutes, every 10 seconds
-NUMBER_OF_RETRIES=180
+# Retry the build for 5 hours, every 10 seconds
+NUMBER_OF_RETRIES=1800
 DELAY_BETWEEN_RETRIES=10
 
 for i in $(seq 1 ${NUMBER_OF_RETRIES})
 do
     echo "Iteration ${i}"
-    ./gradlew lib:test
+    ./gradlew lib:test && ./gradlew -Pfips lib:test
     result=$?
     if [[ $result -eq 0 ]]
     then
@@ -26,4 +26,4 @@ then
   echo "Last status code: ${result}"
 fi
 
-exit $result
+exit $result