From a9233d8c3802f1203a012682c802d104baa6256a Mon Sep 17 00:00:00 2001 From: Amir Vakili <114409643+amirhosv@users.noreply.github.com> Date: Thu, 3 Aug 2023 08:08:17 -0400 Subject: [PATCH] Release candidate for ACCP 2.3.0 (#316) --- CHANGELOG.md | 12 ++++++ README.md | 45 ++++++++++++++++++--- build.gradle | 22 +++++++++- examples/gradle-kt-dsl/lib/build.gradle.kts | 11 ++++- examples/gradle-kt-dsl/run-tests.sh | 8 ++-- 5 files changed, 85 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fd992514..d96ada65 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,17 @@ # Changelog +## 2.3.0 + +### Overview + +Starting from this version, build artifacts for ACCP-FIPS are also released for +experimental purposes. This version of ACCP-FIPS uses +[fips-2022-11-02](https://github.com/aws/aws-lc/tree/fips-2022-11-02) branch of +AWS-LC at commit ID `993c6ff33a2d709ddc25d1557cd96261217bf1fd`. + +### Minor changes +* Support HKDF [PR 310, 312] + ## 2.2.0 ### Minor changes diff --git a/README.md b/README.md index b494da55..421c862a 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,7 @@ Cipher algorithms: * AES_128/GCM/NoPadding * AES_256/GCM/NoPadding * AES/KWP/NoPadding +* AES/XTS/NoPadding * RSA/ECB/NoPadding * RSA/ECB/PKCS1Padding * RSA/ECB/OAEPPadding 
@@ -64,20 +65,52 @@ Signature algorithms: * SHA512withECDSAinP1363Format * RSASSA-PSS -KeyPairGenerator algorithms: +KeyPairGenerator: * EC * RSA +KeyGenerator: +* AES + KeyAgreement: * ECDH -SecureRandom algorithms: -* ACCP's SecureRandom uses AWS-LC's DRBG implementation, which is described [here](https://github.com/awslabs/aws-lc/blob/main/third_party/jitterentropy/README.md) and [here](https://github.com/awslabs/aws-lc/blob/725625435158150ef21e0a4dab6fa3aca1ef2d2c/crypto/fipsmodule/rand/rand.c#L36-L60). +SecretKeyFactory: +* HkdfWithHmacSHA1 +* HkdfWithHmacSHA256 +* HkdfWithHmacSHA384 +* HkdfWithHmacSHA512 + +SecureRandom: +* ACCP's SecureRandom uses AWS-LC's DRBG implementation, which is described [here](https://github.com/awslabs/aws-lc/blob/main/third_party/jitterentropy/README.md) and [here](https://github.com/awslabs/aws-lc/blob/725625435158150ef21e0a4dab6fa3aca1ef2d2c/crypto/fipsmodule/rand/rand.c#L36-L60). Please refer to [system properties](https://github.com/corretto/amazon-corretto-crypto-provider#other-system-properties) for more information. -KeyFactory algorithms: +KeyFactory: * EC * RSA -* ACCP's SecureRandom uses AWS-LC's DRBG implementation. + +AlgorithmParameters: +* EC. Please refer to [system properties](https://github.com/corretto/amazon-corretto-crypto-provider#other-system-properties) for more information. + + +# Notes on ACCP-FIPS +ACCP-FIPS is a variation of ACCP which uses AWS-LC built in FIPS-mode. +AWS-LC is undergoing FIPS validation testing by an accredited lab and, +upon completion, will be submitted to NIST for certification. +The status of FIPS certification will be reflected in our release notes +and documentations. We provide ACCP-FIPS for experimentation +and performance testing in the interim. + + +Version 2.3.0 is the first release of ACCP-FIPS. The Maven coordinates for +ACCP-FIPS are the same as ACCP with one difference that ACCP-FIPS's +artifact ID is `AmazonCorrettoCryptoProvider-FIPS`. 
+ +Notable differences between ACCP and ACCP-FIPS: +* ACCP uses [the latest release of AWS-LC](https://github.com/aws/aws-lc/releases), whereas, ACCP-FIPS uses [the fips-2022-11-02 branch of AWS-LC](https://github.com/aws/aws-lc/tree/fips-2022-11-02). +* ACCP-FIPS builds AWS-LC in FIPS mode by passing `-DFIPS=1` when configuring AWS-LC's build. +* In FIPS-mode, RSA keys are limited to 2048, 3072, or 4096 bits in size with public exponent F4. +* ACCP-FIPS does not register SecureRandom by default due to the performance of AWS-LC’s entropy source in FIPS-mode. [A system property](https://github.com/corretto/amazon-corretto-crypto-provider#other-system-properties) is available to register SecureRandom from AWS-LC if needed, and the performance differences are described in further detail under the description of that property. +* Due to the fact that an older branch of AWS-LC is used in FIPS-mode, there will be performance differences between ACCP and ACCP-FIPS. We highly recommend performing detailed performance testing of your application if you choose to experiment with ACCP-FIPS. # Compatibility & Requirements ACCP has the following requirements: @@ -115,6 +148,8 @@ For more information, please see [VERSIONING.rst](https://github.com/corretto/am ``` +The artifactId for FIPS builds is `AmazonCorrettoCryptoProvider-FIPS`. + The classifier attribute could be set to `linux-aarch_64` to use ACCP on Linux ARM64 platforms. ACCP artifacts on Maven can be verified using the following PGP keys: diff --git a/build.gradle b/build.gradle index 88b05a3d..3b94a094 100644 --- a/build.gradle +++ b/build.gradle @@ -15,7 +15,7 @@ plugins { } group = 'software.amazon.cryptools' -version = '2.2.0' +version = '2.3.0' ext.isFips = Boolean.getBoolean('FIPS') ext.isLegacyBuild = Boolean.getBoolean('LEGACY_BUILD') 
@@ -24,6 +24,24 @@ if (ext.lcovIgnore == null) { ext.lcovIgnore = 'source' } +def getDescriptionForPom(isFips) { + if (!isFips) { + return [ + 'The Amazon Corretto Crypto Provider (ACCP) is a collection of', + 'high-performance cryptographic implementations exposed via the', + 'standard JCA/JCE interfaces.' + ].join(" ") + } + + return [ + 'The Amazon Corretto Crypto Provider FIPS (ACCP-FIPS) is a collection', + 'of high-performance cryptographic implementations exposed via the', + 'standard JCA/JCE interfaces. ACCP-FIPS uses AWS-LC built in FIPS mode', + 'and is provided for experimental purposes only.' + ].join(" ") + +} + jmh { //includes = ['AesXts'] // uncomment if you need to run specific benchmarks only fork = 1 @@ -684,7 +702,7 @@ if (project.hasProperty('mavenUser') && project.hasProperty('jcecertAlias')) { pom { name = pomName - description = 'The Amazon Corretto Crypto Provider (ACCP) is a collection of high-performance cryptographic implementations exposed via the standard JCA/JCE interfaces.' + description = getDescriptionForPom(isFips) url = 'https://github.com/corretto/amazon-corretto-crypto-provider' licenses { license { diff --git a/examples/gradle-kt-dsl/lib/build.gradle.kts b/examples/gradle-kt-dsl/lib/build.gradle.kts index b190456a..a55c49ce 100644 --- a/examples/gradle-kt-dsl/lib/build.gradle.kts +++ b/examples/gradle-kt-dsl/lib/build.gradle.kts @@ -1,5 +1,6 @@ -val accpVersion = "2.2.0" +val accpVersion = "2.3.0" val accpLocalJar: String by project +val fips: Boolean by project plugins { // Apply the org.jetbrains.kotlin.jvm Plugin to add support for Kotlin. 
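Review bot: The FIPS branch of `getDescriptionForPom` publishes "uses AWS-LC built in FIPS mode and is provided for experimental purposes only", which does not say that FIPS validation is still pending, although the README text in this same commit does. The POM description is what a consumer sees in a repository listing for an artifact whose ID ends in `-FIPS`, so I would state it there as well, for example by adding `'FIPS validation of AWS-LC is still in progress; see the README for status.'` to the joined list. The parameter is untyped and the function has no comment. `def getDescriptionForPom(boolean isFips)` with a one-line comment saying the result becomes the published POM `description` (call site in the `@@ -684,7 +702,7 @@` hunk) would make the intent clear.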
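Review bot: `val fips: Boolean by project` is declared in this hunk but never read; the later hunk (`@@ -28,10 +29,16 @@`) selects the artifact with `project.hasProperty("fips")`, so presence alone decides, and `-Pfips=false` or a `fips=false` line in gradle.properties still resolves `AmazonCorrettoCryptoProvider-FIPS`. Reading the delegate would likely fail as well, because `-Pfips` without a value supplies a String rather than a Boolean. The root build.gradle keys FIPS off the `FIPS` system property (`Boolean.getBoolean('FIPS')`), so a caller who passes `-DFIPS=true` to this example would quietly test the non-FIPS artifact. I would drop the unused declaration, parse the value explicitly, e.g. `val useFips = (project.findProperty("fips") as String?)?.let { it.isEmpty() || it.toBoolean() } ?: false`, and log the resolved artifact ID so each test run shows which provider it exercised.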
@@ -28,10 +29,16 @@ dependencies { // Use the Kotlin JUnit integration. testImplementation("org.jetbrains.kotlin:kotlin-test-junit") + val accpArtifactId = + if (project.hasProperty("fips")) + "AmazonCorrettoCryptoProvider-FIPS" + else + "AmazonCorrettoCryptoProvider" + if (project.hasProperty("accpLocalJar")) { testImplementation(files(accpLocalJar)) } else { - testImplementation("software.amazon.cryptools:AmazonCorrettoCryptoProvider:$accpVersion:${osdetector.classifier}") + testImplementation("software.amazon.cryptools:${accpArtifactId}:$accpVersion:${osdetector.classifier}") } testImplementation("com.amazonaws:aws-encryption-sdk-java:2.4.0") diff --git a/examples/gradle-kt-dsl/run-tests.sh b/examples/gradle-kt-dsl/run-tests.sh index af43bb92..b10131e4 100755 --- a/examples/gradle-kt-dsl/run-tests.sh +++ b/examples/gradle-kt-dsl/run-tests.sh @@ -1,13 +1,13 @@ #!/bin/sh -# Retry the build for 30 minutes, every 10 seconds -NUMBER_OF_RETRIES=180 +# Retry the build for 5 hours, every 10 seconds +NUMBER_OF_RETRIES=1800 DELAY_BETWEEN_RETRIES=10 for i in $(seq 1 ${NUMBER_OF_RETRIES}) do echo "Iteration ${i}" - ./gradlew lib:test + ./gradlew lib:test && ./gradlew -Pfips lib:test result=$? if [[ $result -eq 0 ]] then @@ -26,4 +26,4 @@ then echo "Last status code: ${result}" fi -exit $result \ No newline at end of file +exit $result
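Review bot: With `./gradlew lib:test && ./gradlew -Pfips lib:test` followed by `result=$?`, the loop cannot tell which of the two runs failed or why, so a genuine test failure in either artifact is retried exactly like "artifact not yet published", for up to 1800 iterations. Each iteration also re-runs the non-FIPS tests before it reaches the FIPS run, so the "5 hours" in the comment counts only the sleeps. I would keep the two results apart and log which one failed, for example `./gradlew lib:test; plain=$?` and `./gradlew -Pfips lib:test; fips=$?`, and stop retrying when the failure is a test failure rather than a dependency-resolution failure. Separately, the context line `if [[ $result -eq 0 ]]` is a bashism under `#!/bin/sh`; where sh is not bash the check probably never succeeds, and `if [ "$result" -eq 0 ]` is the portable form. The loop body continues outside this hunk.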