corretto / amazon-corretto-crypto-provider

The Amazon Corretto Crypto Provider is a collection of high-performance cryptographic implementations exposed via standard JCA/JCE interfaces.
Apache License 2.0

TLS Support #98

Closed hyperxpro closed 4 years ago

hyperxpro commented 4 years ago

How to use this library for TLS (old name: SSL) operations?

Right now, I use this library for AES GCM like this: Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", AmazonCorrettoCryptoProvider.INSTANCE); and it works perfectly.

But when I try to use it for TLS like this: SSLContext.getInstance("TLSv1.3", AmazonCorrettoCryptoProvider.INSTANCE);, it throws the following exception.

Exception in thread "main" java.security.NoSuchAlgorithmException: no such algorithm: TLSv1.3 for provider AmazonCorrettoCryptoProvider
    at java.base/sun.security.jca.GetInstance.getService(GetInstance.java:101)
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
    at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:251)
    at GG.main(GG.java:13)

It seems Corretto Crypto Provider does not support TLS yet. Do we have plans to add it?

SalusaSecondus commented 4 years ago

There are no current plans to provide TLS through the Amazon Corretto Crypto Provider.

If you install it at the highest priority (as in our Readme), then the default implementation of TLS provided by Java will use ACCP for its underlying cryptographic operations.

Please let us know if you have any other questions.
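The setup described in the reply above, as an added example that is not part of the original thread or the project's own code. It assumes the ACCP jar is on the classpath and a JDK with TLS 1.3 support; the class name `AccpBackedTls`, the `report` helper and the list of primitives checked are illustrative choices.

```java
import com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.Provider;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.Mac;
import javax.net.ssl.SSLContext;

public class AccpBackedTls {
    // Prints which provider a default (no provider argument) lookup resolved to.
    static void report(String service, Provider p) {
        boolean accp = AmazonCorrettoCryptoProvider.PROVIDER_NAME.equals(p.getName());
        System.out.printf("%-26s %-30s %s%n", service, p.getName(),
                accp ? "ACCP" : "not ACCP");
    }

    public static void main(String[] args) throws Exception {
        // Insert ACCP at position 1 of the JCA provider list (highest priority).
        AmazonCorrettoCryptoProvider.install();
        // Fail fast if the provider is not functional (e.g. native library not loaded).
        AmazonCorrettoCryptoProvider.INSTANCE.assertHealthy();

        // No provider argument: ACCP offers no SSLContext service, so the lookup
        // falls through to the JDK's own JSSE provider, which supplies the protocol.
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        report("SSLContext TLSv1.3", ctx.getProvider());

        // Default lookups for primitives a TLS stack relies on. With ACCP first
        // in the list, each one it implements resolves to ACCP.
        report("Cipher AES/GCM/NoPadding",
                Cipher.getInstance("AES/GCM/NoPadding").getProvider());
        report("Mac HmacSHA256", Mac.getInstance("HmacSHA256").getProvider());
        report("MessageDigest SHA-256",
                MessageDigest.getInstance("SHA-256").getProvider());
        report("KeyAgreement ECDH", KeyAgreement.getInstance("ECDH").getProvider());
        report("KeyPairGenerator EC",
                KeyPairGenerator.getInstance("EC").getProvider());
    }
}
```

A line marked "not ACCP" means that service is being served by a lower-priority provider, either because the installed ACCP version does not implement it or because another provider was registered ahead of it.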

hyperxpro commented 4 years ago

Can you please help me in building ACCP with the FIPS version of OpenSSL? I tried compiling it with OpenSSL 1.0.2u but it failed.

SalusaSecondus commented 4 years ago

We do not support the OpenSSL FIPS Object Module. It only backs OpenSSL 1.0.2, which is sufficiently old that we do not have plans to support it.

We will re-evaluate our support for the OpenSSL FIPS Object Module once OpenSSL 3.x is released and we can look at migrating to it.

If you need FIPS cryptography for Java, you may want to look at BouncyCastle FIPS. (This is not an official endorsement.)

hyperxpro commented 4 years ago

I really appreciate your help, effort, and contribution to ACCP. Thanks a lot for everything!

detro commented 4 years ago

Hello, I'm also interested in FIPS compliance of this project, but I totally understand the argument of avoiding trying to build backward compatibility with 1.0.2.

I did a quick search on the NIST website, to see which vendors built certified crypto modules based on OpenSSL and there are many recent ones: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Advanced&ModuleName=openssl&Standard=140-2&ModuleType=Software&CertificateStatus=Active&ValidationYear=0

Unfortunately, the "version" fields seem to refer to the module/wrapper, not the version of OpenSSL. And even for versions from companies like Canonical, the implementation seems to be behind a paywall.

Looking forward to a solution from AWS. :)

hyperxpro commented 4 years ago

@detro I'm pretty sure I've explored all Crypto solutions in Java. The link which you posted, I checked. I'm sure those OpenSSL are built on 1.0.2. Making ACCP compatible with 1.0.2 just for FIPS compliance is not worth the effort. We do have Bouncy Castle FIPS library but performance is just terrible. Even worse than JCE. I hope Bouncy Castle team does something about performance.

If you're good with build systems, try Conscrypt with FIPS module. They'll give better performance than JCE and you'll get FIPS compliance too.

detro commented 4 years ago

> If you're good with build systems, try Conscrypt with FIPS module. They'll give better performance than JCE and you'll get FIPS compliance too.

That's exactly where we are at the moment. But a bit stuck on a version based on Conscrypt 2.4.

Given how much we use AWS, and that they also would gain in compliancy and certification, I was hoping for ACCP to get to FIPS-2 (or maybe 3?) soon-ish.

I'm sure they have a lot of other things to work on. But would be surprised if, eventually, this doesn't get on the main radar at AWS ;)

detro commented 4 years ago

They (AWS) includes you @hyperxpro: just read the "Author" tag in your comment ;)

BTW, appreciate the feedback: Conscrypt folks are nowhere near this responsive.

hyperxpro commented 3 years ago

@SalusaSecondus Anything about FIPS? BouncyCastle FIPS performance is seriously terrible.

https://github.com/bcgit/bc-java/issues/652

sesponda commented 2 years ago

@SalusaSecondus

> We will re-evaluate our support for the OpenSSL FIPS Object Module once OpenSSL 3.x is released and we can look at migrating to it.

Given that OpenSSL just started the review process (2/15/2022 as per https://csrc.nist.gov/projects/cryptographic-module-validation-program/modules-in-process/modules-in-process-list), are there any plans to release a FIPS "friendly" (I'm being intentionally vague) flavour of Corretto?

jwslh commented 1 year ago

> There are no current plans to provide TLS through the Amazon Corretto Crypto Provider.
>
> If you install it at the highest priority (as in our Readme), then the default implementation of TLS provided by Java will use ACCP for its underlying cryptographic operations.
>
> Please let us know if you have any other questions.

@SalusaSecondus So if I want to use my own openssl library on Android, how do I use it with ACCP?