corretto / amazon-corretto-crypto-provider

The Amazon Corretto Crypto Provider is a collection of high-performance cryptographic implementations exposed via standard JCA/JCE interfaces.
Apache License 2.0
238 stars 56 forks

Why adopt native openssl library for Java please? #254

Closed superajun-wsj closed 2 years ago

superajun-wsj commented 2 years ago

Why does corretto adopt native openssl for Java while not adopting JCA or the third-party library Bouncy Castle? Is the performance of openssl much better than Bouncy Castle?

WillChilds-Klein commented 2 years ago

Yes, for ACCP 1.x (backed by OpenSSL's libcrypto), the primary advantage of ACCP over Bouncy Castle is performance.

In 2.0, ACCP drops its dependency on OpenSSL and uses AWS-LC as its native backing crypto library. Performance benchmarks of ACCP 2.0 against Bouncy Castle show as much as an order of magnitude speedup for most algorithms. Benchmarks against SunJCE providers (many of which also use native code for hardware acceleration) show some speedups, but not as pronounced as those over Bouncy Castle.

stanpalatnik commented 1 year ago

@WillChilds-Klein Is it possible to swap out AWS-LC for OpenSSL3 since OpenSSL3 is already FIPS validated?

WillChilds-Klein commented 1 year ago

There are currently no plans to support OpenSSL 3 as a backing crypto library in ACCP.

Stay tuned for ACCP's upcoming 2.3.0 release, which will provide ACCP artifacts using AWS-LC built in FIPS mode on Maven Central. Please note that AWS-LC is still awaiting its FIPS certificate, so we recommend consulting your team's compliance expert regarding the implications of that for your projects.
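
The thread above compares ACCP with Bouncy Castle and SunJCE and then points at FIPS-mode artifacts. The practical question for anyone adopting ACCP is whether the native provider was actually registered ahead of the others, or whether the JCA silently fell back to SunJCE (or Bouncy Castle) for a given algorithm. The program below is an added example, not code from the ACCP project or from anyone in this thread. It uses only the standard JCA API (`Security.insertProviderAt`, `Cipher.getInstance(...).getProvider()`) plus ACCP's documented `AmazonCorrettoCryptoProvider.INSTANCE`, `assertHealthy()` and `isFips()` entry points; the provider name string `"AmazonCorrettoCryptoProvider"`, the `isFips()` call, and the Maven coordinates in the comments are stated from memory of the ACCP README and should be checked against the version you depend on. The plaintext is a constructed sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

import com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider;

// Added example: verify ACCP is installed first and is really serving the
// algorithms you care about, instead of a silent fallback to SunJCE/BC.
// Assumed dependency (check the README for the exact coordinates/classifier):
//   software.amazon.cryptools:AmazonCorrettoCryptoProvider       (non-FIPS)
//   software.amazon.cryptools:AmazonCorrettoCryptoProvider-FIPS  (AWS-LC FIPS build)
public final class AccpProviderCheck {

    // Provider name ACCP registers under (assumption from the README).
    private static final String ACCP_NAME = "AmazonCorrettoCryptoProvider";

    /** Register ACCP at the highest priority and run its built-in self-tests. */
    static void installAccp() {
        Security.insertProviderAt(AmazonCorrettoCryptoProvider.INSTANCE, 1);
        // Throws if the native library failed to load or a self-test failed;
        // far better than discovering a fallback provider in production.
        AmazonCorrettoCryptoProvider.INSTANCE.assertHealthy();
    }

    /** Name of the provider that the JCA would use for a cipher transformation. */
    static String cipherProvider(String transformation) throws Exception {
        return Cipher.getInstance(transformation).getProvider().getName();
    }

    /** Name of the provider that the JCA would use for a digest algorithm. */
    static String digestProvider(String algorithm) throws Exception {
        return MessageDigest.getInstance(algorithm).getProvider().getName();
    }

    /** AES-256-GCM round trip that refuses to run unless ACCP served the cipher. */
    static byte[] gcmRoundTrip(byte[] plaintext) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];               // 96-bit nonce, never reused per key
        new SecureRandom().nextBytes(iv);

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        String served = enc.getProvider().getName();
        if (!ACCP_NAME.equals(served)) {
            throw new IllegalStateException("AES/GCM served by " + served + ", not ACCP");
        }
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ciphertext = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return dec.doFinal(ciphertext);         // throws AEADBadTagException on tampering
    }

    public static void main(String[] args) throws Exception {
        installAccp();

        // Provider order is what decides who serves an algorithm; print it.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName() + " " + p.getVersionStr());
        }
        // isFips() is the documented way to tell a FIPS artifact from a non-FIPS one.
        System.out.println("ACCP FIPS mode: " + AmazonCorrettoCryptoProvider.INSTANCE.isFips());

        System.out.println("AES/GCM/NoPadding -> " + cipherProvider("AES/GCM/NoPadding"));
        System.out.println("SHA-256           -> " + digestProvider("SHA-256"));

        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8);
        if (!Arrays.equals(msg, gcmRoundTrip(msg))) {
            throw new AssertionError("GCM round trip mismatch");
        }
        System.out.println("AES-256-GCM round trip through ACCP: ok");
    }
}
```

Run it once per JVM configuration you ship: if `AES/GCM/NoPadding` or `SHA-256` reports `SunJCE` or `BC` instead of ACCP, the native provider is either not on the classpath for that platform classifier or was registered behind another provider, and the benchmark numbers quoted in this thread do not apply to your deployment. Note that `assertHealthy()` only tells you the native library loaded and passed its self-tests; whether the AWS-LC build underneath is a validated FIPS module is the compliance question the last comment defers to your compliance expert, and `isFips()` only reports which artifact you linked.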