diff --git a/CHANGELOG.md b/CHANGELOG.md index 29e84b11..8c191ea5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,22 @@ # Changelog +# 2.3.2 + +### Overview +Starting from this version, build artifacts for MacOS X86-64 are released. +The corresponding Jar is identified by `osx-x86_64` classifier. +Please note that ACCP-FIPS does not have `osx-x86_64` artifacts and `osx-x86_64` +is only available for non-FIPS builds. + +### Patch +* Use AWS-LC [v1.16.0](https://github.com/aws/aws-lc/releases/tag/v1.16.0) for ACCP +* Use [fips-2022-11-02](https://github.com/aws/aws-lc/tree/fips-2022-11-02) branch of AWS-LC at commit ID `329d23ce93d42b9017502ac24ca073ebdaa7660f` for ACCP-FIPS +* [PR 338: Avoid buffering cipher text for one-shot AES-GCM decrypt](https://github.com/corretto/amazon-corretto-crypto-provider/pull/338) +* [PR 336: Fix ByteBuffer position handling](https://github.com/corretto/amazon-corretto-crypto-provider/pull/336) +* [PR 333: Replace MessageDigest.isEqual with our own implementation](https://github.com/corretto/amazon-corretto-crypto-provider/pull/333) +* [PR 334: Let ECDSA Signature objects accept parameters](https://github.com/corretto/amazon-corretto-crypto-provider/pull/334) +* [PR 327: Github issue 326, NPE](https://github.com/corretto/amazon-corretto-crypto-provider/pull/327) + ## 2.3.1 ### Patches diff --git a/README.md b/README.md index d6463871..23bd514b 100644 --- a/README.md +++ b/README.md 
@@ -105,6 +105,13 @@ Notable differences between ACCP and ACCP-FIPS: * ACCP-FIPS does not register SecureRandom by default due to the performance of AWS-LC’s entropy source in FIPS-mode. [A system property](https://github.com/corretto/amazon-corretto-crypto-provider#other-system-properties) is available to register SecureRandom from AWS-LC if needed, and the performance differences are described in further detail under the description of that property. * Due to the fact that an older branch of AWS-LC is used in FIPS-mode, there will be performance differences between ACCP and ACCP-FIPS. We highly recommend performing detailed performance testing of your application if you choose to experiment with ACCP-FIPS. +ACCP-FIPS is only supported on the following platforms: + +| Platfrom | FIPS support since version | +|----------|----------------------------| +| `linux-x86_64` | 2.3.0 | +| `linux-aarch_64` | 2.3.0 | + # Compatibility & Requirements ACCP has the following requirements: * JDK8 or newer (This includes both OracleJDK and [Amazon Corretto](https://aws.amazon.com/corretto/)) @@ -145,6 +152,9 @@ The artifactId for FIPS builds is `AmazonCorrettoCryptoProvider-FIPS`. The classifier attribute could be set to `linux-aarch_64` to use ACCP on Linux ARM64 platforms. +Starting from verions 2.3.2, the classifier attribute could be set to `osx-x86_64` to use ACCP +on MacOS X86 platforms. The FIPS artifacts do not support MacOS X86. + ACCP artifacts on Maven can be verified using the following PGP keys: | ACCP Version | PGP Key ID | Key Server | diff --git a/aws-lc b/aws-lc index aa90e509..e42a4ef2 160000 --- a/aws-lc +++ b/aws-lc @@ -1 +1 @@ -Subproject commit aa90e509f2e940916fbe9fdd469a4c90c51824f6 +Subproject commit e42a4ef2270c4873e98101098edd1f0aaece966d diff --git a/build.gradle b/build.gradle index 9a462254..bc69d238 100644 --- a/build.gradle +++ b/build.gradle 
@@ -13,7 +13,7 @@ plugins { } group = 'software.amazon.cryptools' -version = '2.3.1' +version = '2.3.2' ext.isFips = Boolean.getBoolean('FIPS') ext.isLegacyBuild = Boolean.getBoolean('LEGACY_BUILD') @@ -222,6 +222,35 @@ task buildAwsLc { } } +def getStagedArtifact(platformClassifier, destDir) { + def projectName = isFips ? project.name + "-FIPS" : project.name + def prebuiltJarFileName = "${projectName}-${version}-${platformClassifier}.jar" + + println "Platform " + platformClassifier + def stagingProperties = new Properties() + if (isFips) { + stagingProperties.load(new java.io.FileInputStream("${System.env.CODEBUILD_SRC_DIR_Stage_FIPS}/fake_maven/staging.properties")); + } else { + stagingProperties.load(new java.io.FileInputStream("${System.env.CODEBUILD_SRC_DIR_Stage}/fake_maven/staging.properties")); + } + + println "Loaded staging id is " + stagingProperties['staging.id'] + def repoBase = "https://aws.oss.sonatype.org/content/repositories/" + stagingProperties['staging.id'] + mkdir "${destDir}" + exec { + workingDir "${destDir}" + commandLine 'wget', "${repoBase}/software/amazon/cryptools/${projectName}/${version}/${prebuiltJarFileName}" + } + + return assertJceSigned("${destDir}/${prebuiltJarFileName}") +} + +task downloadStagedJar() { + doLast { + getStagedArtifact(project.property('platform'), project.property('destDir')) + } +} + task executeCmake(type: Exec) { outputs.dir("${buildDir}/cmake") inputs.dir("${buildDir}/awslc/bin/") 
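Review bot: In `getStagedArtifact` the `wget` call names no output file, so if `${destDir}/${prebuiltJarFileName}` is left over from an earlier run, wget keeps it and writes the new download under a `.1` suffix. `assertJceSigned` would then check and return the stale jar rather than the one just fetched. I would pin the output name with `commandLine 'wget', '-O', prebuiltJarFileName, "${repoBase}/software/amazon/cryptools/${projectName}/${version}/${prebuiltJarFileName}"`. A missing `staging.id` key also goes unchecked, which produces a repository URL ending in `null`, and the `FileInputStream` is never closed; `file(path).withInputStream { stagingProperties.load(it) }` followed by a null check on `stagingProperties['staging.id']` would cover both. `assertJceSigned` is defined outside this diff, so it is worth confirming that it throws on a bad signature, because `downloadStagedJar` discards its return value.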
@@ -241,22 +270,7 @@ task executeCmake(type: Exec) { def projectName = isFips ? project.name + "-FIPS" : project.name def prebuiltJarFileName = "${projectName}-${version}-${osdetector.classifier}.jar" if (System.properties['stagingProperties'] != null) { - def stagingProperties = new Properties() - if (isFips) { - stagingProperties.load( - new java.io.FileInputStream("${System.env.CODEBUILD_SRC_DIR_Stage_FIPS}/fake_maven/staging.properties")); - } else { - stagingProperties.load( - new java.io.FileInputStream("${System.env.CODEBUILD_SRC_DIR_Stage}/fake_maven/staging.properties")); - } - println "Loaded staging id is " + stagingProperties['staging.id'] - def repoBase = "https://aws.oss.sonatype.org/content/repositories/" + stagingProperties['staging.id'] - mkdir "${buildDir}/tmp" - exec { - workingDir "${buildDir}/tmp" - commandLine 'wget', "${repoBase}/software/amazon/cryptools/${projectName}/${version}/${prebuiltJarFileName}" - } - prebuiltJar = assertJceSigned("${buildDir}/tmp/${prebuiltJarFileName}") + prebuiltJar = getStagedArtifact(osdetector.classifier, "${buildDir}/tmp") } else if (System.properties['prebuiltJar'] != null) { prebuiltJar = "${projectDir}/" + System.properties['prebuiltJar'] } else if (System.properties['fakeMaven'] != null) { @@ -268,6 +282,8 @@ task executeCmake(type: Exec) { } fakeMavenBase = "${fakeMavenBase}/fake_maven" prebuiltJar = "${fakeMavenBase}/${prebuiltJarFileName}" + } else if (System.properties['downloadedStagedJar'] != null) { + prebuiltJar = "${System.properties['downloadedStagedJar']}/${prebuiltJarFileName}" } executable cmakeBin 
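Review bot: The new `downloadedStagedJar` branch uses a jar from a caller-supplied directory without passing it through `assertJceSigned`, unlike the `stagingProperties` branch above it, which gets a checked path back from `getStagedArtifact`. The signature was presumably checked when `downloadStagedJar` ran, but that is a separate Gradle invocation and nothing here ties the file on disk to that earlier check. I would verify again at the point of use: `prebuiltJar = assertJceSigned("${System.properties['downloadedStagedJar']}/${prebuiltJarFileName}")`. The `executeCmake` body starts and ends outside this hunk, so I cannot see whether `prebuiltJar` is validated later.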
@@ -558,19 +574,26 @@ task fakePublish { def x64Base = "${System.env.CODEBUILD_SRC_DIR_Linux_x64_Artifacts}/lib" def aarch64Base = "${System.env.CODEBUILD_SRC_DIR_Linux_aarch64_Artifacts}/lib" + def osxX64Base = "${System.env.CODEBUILD_SRC_DIR_Osx_x64_Artifacts}/lib" def newPrefix = "AmazonCorrettoCryptoProvider-${version}" if (isFips) { x64Base = "${System.env.CODEBUILD_SRC_DIR_Linux_x64_Artifacts_FIPS}/lib" aarch64Base = "${System.env.CODEBUILD_SRC_DIR_Linux_aarch64_Artifacts_FIPS}/lib" + osxX64Base = null newPrefix = "AmazonCorrettoCryptoProvider-FIPS-${version}" } def x86Jar = "${x64Base}/AmazonCorrettoCryptoProvider.jar" def aarch64Jar = "${aarch64Base}/AmazonCorrettoCryptoProvider.jar" + def osxX64Jar = "${osxX64Base}/AmazonCorrettoCryptoProvider.jar" def sourceJar = "${x64Base}/AmazonCorrettoCryptoProvider-sources.jar" def javadocJar = "${x64Base}/AmazonCorrettoCryptoProvider-javadoc.jar" doLast { println "Running on " + osdetector.classifier + if (!isFips) { + println osxX64Jar + println file(osxX64Jar).file + } println aarch64Jar println file(aarch64Jar).file println x86Jar @@ -581,6 +604,13 @@ task fakePublish { println file(javadocJar).file def destinationDir = "${buildDir}/fake_maven" + if (!isFips) { + copy { + from osxX64Jar + rename 'AmazonCorrettoCryptoProvider.jar', "${newPrefix}-osx-x86_64.jar" + into "${destinationDir}" + } + } copy { from aarch64Jar rename 'AmazonCorrettoCryptoProvider.jar', "${newPrefix}-linux-aarch_64.jar" @@ -598,6 +628,15 @@ task fakePublish { into "${destinationDir}" } if (project.hasProperty('jcecertAlias')) { + if (!isFips) { + ant.signjar( + alias: jcecertAlias, + jar: "${destinationDir}/${newPrefix}-osx-x86_64.jar", + storepass: jcecertPassword, + keystore: "${project.gradle.gradleUserHomeDir}/${jcecertJks}", + tsaurl: "http://timestamp.digicert.com" + ) + } ant.signjar( alias: jcecertAlias, jar: "${destinationDir}/${newPrefix}-linux-aarch_64.jar", 
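Review bot: In `fakePublish` the presence of the macOS jar is only printed (`println file(osxX64Jar).file`), never enforced. As far as I know a Gradle `copy` from a missing file is a silent no-op, so the copy block added in the hunk at -581 could leave `fake_maven` without `${newPrefix}-osx-x86_64.jar` when `CODEBUILD_SRC_DIR_Osx_x64_Artifacts` is unset or the artifact is absent. Only the `ant.signjar` call in the hunk at -598 would catch that, and only when `jcecertAlias` is set. I would fail early inside `doLast`: `if (!isFips && !file(osxX64Jar).file) throw new GradleException("missing ${osxX64Jar}")`. As a smaller point, with `osxX64Base = null` in the FIPS case `osxX64Jar` becomes the string `null/AmazonCorrettoCryptoProvider.jar`; building that path only under `!isFips` would avoid a bogus value that later code could pick up by mistake.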
@@ -632,10 +671,14 @@ if (project.hasProperty('mavenUser') && project.hasProperty('jcecertAlias')) { def fakeMavenBase = "${buildDir}/fake_maven/${artifactId}-${version}-" def x86Jar = "${fakeMavenBase}linux-x86_64.jar" def aarch64Jar = "${fakeMavenBase}linux-aarch_64.jar" + def osxX64Jar = "${fakeMavenBase}osx-x86_64.jar" def sourceJar = "${fakeMavenBase}sources.jar" def javadocJar = "${fakeMavenBase}javadoc.jar" artifact source: file(x86Jar),classifier:"linux-x86_64",extension:"jar" artifact source: file(aarch64Jar),classifier:"linux-aarch_64",extension:"jar" + if (!isFips) { + artifact source: file(osxX64Jar),classifier:"osx-x86_64",extension:"jar" + } artifact emptyJar artifact source: file(javadocJar),classifier:"javadoc",extension:"jar" artifact source: file(sourceJar),classifier:"sources",extension:"jar" diff --git a/examples/gradle-kt-dsl/lib/build.gradle.kts b/examples/gradle-kt-dsl/lib/build.gradle.kts index ffef1dfe..36d0b571 100644 --- a/examples/gradle-kt-dsl/lib/build.gradle.kts +++ b/examples/gradle-kt-dsl/lib/build.gradle.kts @@ -1,4 +1,4 @@ -val accpVersion = "2.3.1" +val accpVersion = "2.3.2" val accpLocalJar: String by project val fips: Boolean by project @@ -29,8 +29,9 @@ dependencies { // Use the Kotlin JUnit integration. testImplementation("org.jetbrains.kotlin:kotlin-test-junit") + // for OSX-x86_64, we do not have FIPS artifacts val accpArtifactId = - if (project.hasProperty("fips")) + if (project.hasProperty("fips") && osdetector.classifier != "osx-x86_64") "AmazonCorrettoCryptoProvider-FIPS" else "AmazonCorrettoCryptoProvider"
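Review bot: In `examples/gradle-kt-dsl/lib/build.gradle.kts` the new `accpArtifactId` condition silently falls back to the non-FIPS `AmazonCorrettoCryptoProvider` when the `fips` property is set on `osx-x86_64`. A user who copies this example and passes `-Pfips` on a Mac would then build and test against a non-FIPS provider with no indication. I would make the fallback visible, either by failing with `throw GradleException("ACCP-FIPS has no osx-x86_64 artifact")` or at least by logging `logger.warn("fips requested but ACCP-FIPS is not published for osx-x86_64; using non-FIPS ACCP")`. The hunk does not show where `osdetector` comes into scope in this script, so confirm the plugin is applied in the example.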