Closed trznjak closed 4 months ago
@trznjak thank you for reaching out. I'll investigate.
@trznjak I've researched CryptoConfiguration and BouncyCastle, and I see how this is not a good experience if you want to use the FIPS version of Bouncy Castle with CryptoConfigurationV2.
Since it is supported in CryptoConfiguration v1 I'll change this to a bug.
@trznjak We apologize but this won't get fixed in v1.
We recommend you migrate to the standalone AWS Encryption SDK for Java - https://github.com/aws/aws-encryption-sdk-java
The new Encryption SDK is maintained by the Encryption Tools team, and BC FIPS is supported (see "Bouncy Castle or Bouncy Castle FIPS" section in the README). More info can be found in the Encryption SDK Developer Guide.
This issue is now closed.
CryptoConfigurationV2 constructor is throwing exception when trying to initialize with BC FIPS version.
Describe the issue
The two providers, BC FIPS and BC non-FIPS, cannot co-exist on the classpath (for more info, read this comment).
When you try to initialize the CryptoConfigurationV2 with the BC FIPS version on the classpath, you will get:
java.lang.UnsupportedOperationException: The Bouncy castle library jar is required on the classpath to enable authenticated encryption
Steps to Reproduce
Create a small application with:
AWS SDK S3 version: 1.11.970
BC FIPS version: 1.0.2 (without BC non FIPS version on the classpath)
Java version: 11
Initialize the client:
CryptoConfigurationV2 cryptoConfig = new CryptoConfigurationV2();
See the exception:
java.lang.UnsupportedOperationException: The Bouncy castle library jar is required on the classpath to enable authenticated encryption
Workaround
Initialize the configuration with null as the CryptoMode and set the provider, mode...after. Example:
Possible fix
Create a CryptoConfigurationV2 constructor with provider argument.