The Amazon Corretto Crypto Provider (ACCP) is a collection of high-performance cryptographic implementations exposed via the standard JCA/JCE interfaces. This means that it can be used as a drop in replacement for many different Java applications. (Differences from the default OpenJDK implementations are documented here.) As of 2.0.0, algorithms exposed by ACCP are primarily backed by AWS-LC's implementations.
Build Name | main branch |
---|---|
Linux x86_64 | |
Linux aarch64 |
MessageDigest algorithms:
Mac algorithms:
Cipher algorithms:
Signature algorithms:
KeyPairGenerator:
KeyGenerator:
KeyAgreement:
SecretKeyFactory:
SecureRandom:
KeyFactory:
AlgorithmParameters:
ACCP-FIPS is a variation of ACCP which uses AWS-LC-FIPS 2.x as its cryptographic module. This version of AWS-LC-FIPS has completed FIPS validation testing by an accredited lab and has been submitted to NIST for certification. Refer to the NIST Cryptographic Module Validation Program's Modules In Progress List for the latest status of the AWS-LC Cryptographic Module. We will also update our release notes and documentation to reflect any changes in FIPS certification status. We provide ACCP-FIPS for experimentation and performance testing in the interim.
Version 2.3.0 is the first release of ACCP-FIPS. The Maven coordinates for
ACCP-FIPS are the same as ACCP with one difference that ACCP-FIPS's
artifact ID is AmazonCorrettoCryptoProvider-FIPS
.
Notable differences between ACCP and ACCP-FIPS:
-DFIPS=1
when configuring AWS-LC's build.ACCP-FIPS is only supported on the following platforms:
Platform | FIPS support since version |
---|---|
linux-x86_64 |
2.3.0 |
linux-aarch_64 |
2.3.0 |
ACCP has the following requirements:
ACCP comes bundled with AWS-LC's libcrypto.so
, so it is not necessary to install AWS-LC on the host or container where you run your application.
If ACCP is used/installed on a system it does not support, it will disable itself and the JVM will behave as if ACCP weren't installed at all.
Installing via Maven or Gradle is the easiest way to get ACCP and ensure you will always have the most recent version. We strongly recommend you always pull in the latest version for best performance and bug-fixes.
Whether you're using Maven, Gradle, or some other build system that also pulls packages from Maven Central, it's important to specify a classifier, otherwise, one would get an empty package. The possible classifiers are as follows:
Classifier | Support since version | FIPS support since version |
---|---|---|
linux-x86_64 |
1.0.0 | 2.3.0 |
linux-aarch_64 |
2.0.0 | 2.3.0 |
osx-x86_64 |
2.3.2 | Not supported |
osx-aarch_64 |
2.3.3 | Not supported |
Regardless of how you acquire ACCP (Maven, manual build, etc.) you will still need to follow the guidance in the Configuration section to enable ACCP in your application.
Add the following to your pom.xml
or wherever you configure your Maven dependencies.
This will instruct it to use the latest 2.x
version of ACCP for Linux x86-64 platform.
For more information, please see VERSIONING.rst.
<dependency>
<groupId>software.amazon.cryptools</groupId>
<artifactId>AmazonCorrettoCryptoProvider</artifactId>
<version>[2.0, 3.0)</version>
<classifier>linux-x86_64</classifier>
</dependency>
The artifactId for FIPS builds is AmazonCorrettoCryptoProvider-FIPS
.
ACCP artifacts on Maven can be verified using the following PGP keys:
ACCP Version | PGP Key ID | Key Server |
---|---|---|
1.x | 6F189046CEE0B2C1 | keyserver.ubuntu.com |
2.x | 5EFEEFE6BD0BD916 | keyserver.ubuntu.com |
Add the following to your build.gradle
file. If you already have a
dependencies
block in your build.gradle
, you can add the ACCP line to your
existing block.
For more information, please see VERSIONING.rst.
dependencies {
implementation 'software.amazon.cryptools:AmazonCorrettoCryptoProvider:2.+:linux-x86_64'
}
For Gradle builds, the os-detector plugin could be used so that one does not have to explicitly specify the platform. Here is an example.
We provide two scripts that allow one to add ACCP to their JDKs: one for JDK8 and one for JDKs 11+. Please note that these scripts are provided as examples and for testing only.
These scripts take the version of ACCP and the classifier as input. Optionally, one can pass -FIPS
as the third argument to bundle the FIPS artifacts. To use these scripts, please set JAVA_HOME
to
the path of your desired JDK.
Usage example:
./bin/bundle-accp.sh 2.3.3 linux-x86_64
To find the available versions and classifiers, please checkout Maven central.
Some notes on the bundling scripts:
Manual installation requires acquiring the provider and adding it to your classpath. You can either download a prebuilt version of the provider or build it yourself. Adding a jar to your classpath is highly application and build-system dependent and we cannot provide specific guidance.
The most recent version of our provider will always be on our official releases page.
Please be aware that if you build the provider yourself then it will NOT work with OracleJDK. The OracleJDK requires that JCA providers be cryptographically signed by a trusted certificate. The JARs we publish via Maven and our official releases are signed by our private key, but yours will not be.
Building this provider requires a 64 bit Linux or MacOS build system with the following prerequisites installed:
GO_EXECUTABLE
.git clone --recurse-submodules
./gradlew release
build/lib
Please be aware that repackaging ACCP's published Jar files from Maven into your own "uber" or "fat" JAR file may not work on OracleJDK. The OracleJDK requires that JCE providers be cryptographically signed by a trusted certificate. The JARs we publish via Maven and our official releases are signed by our private key, but yours will not be.
Depending on how ACCP is repackaged, ACCP's existing signature may be invalidated, and you may receive one of the following exceptions:
java.util.jar.JarException: The JCE Provider file is not signed.
java.lang.SecurityException: JCE cannot authenticate the provider
java.security.NoSuchProviderException: JCE cannot authenticate the provider
If you receive one of these exceptions, then you will need to evaluate if any of the following options will work for your application and environment:
FIPS builds are still experimental and are not yet ready for production use.
By providing -DFIPS=true
to gradlew
you will cause the entire build to be for a "FIPS mode" build.
The FIPS builds use a different version of AWS-LC along with FIPS=1
build flag. Not all releases of
AWS-LC will have FIPS certification. As a result, ACCP in FIPS mode only uses a version of AWS-LC
that has FIPS certification or it will have in future.
By providing -DEXPERIMENTAL_FIPS=true
to gradlew
you will cause the entire build to be for a "FIPS mode"
build, and it uses the same version of AWS-LC as non-FIPS builds. This allows one to experiment with APIs
and features in AWS-LC that have not yet made it into a FIPS branch/release of AWS-LC, but built in FIPS mode.
When changing between FIPS and non-FIPS builds, be sure to do a full clean
of your build environment.
build/
directory including build artifacts from AWS-LC dependenciestest
and collect both Java and C++ coverage metrics (saved in build/reports
).classpath
file which is understandable by Eclipse and VS Code to make development easier. (This should ideally be run prior to opening ACCP in your IDE.)SINGLE_TEST
. For example: ./gradlew single_test -DSINGLE_TEST=com.amazon.corretto.crypto.provider.test.EcGenTest
(You may need to do a clean build when switching between selected tests.)There are several ways to configure the ACCP as the highest priority provider in Java.
Run the following method early in program start up: com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider.install()
Add the following Java property to your programs command line: -Djava.security.properties=/path/to/amazon-corretto-crypto-provider.security
where amazon-corretto-crypto-provider.security is downloaded from
amazon-corretto-crypto-provider.security (for JDK versions older than JDK15)
or amazon-corretto-crypto-provider-jdk15.security (for JDK15 or newer)
in our repository.
Modify the java.security
file provided by your JVM so that the highest priority provider is the Amazon Corretto Crypto Provider.
Look at amazon-corretto-crypto-provider.security (JDKs 11 and older)
or amazon-corretto-crypto-provider-jdk15.security (for JDKs newer than 11)
for an example of what this change will look like.
If you want to check to verify that ACCP is properly working on your system, you can do any of the following:
if (Cipher.getInstance("AES/GCM/NoPadding").getProvider().getName().equals(AmazonCorrettoCryptoProvider.PROVIDER_NAME)) {
// Successfully installed
}
if (AmazonCorrettoCryptoProvider.INSTANCE.getLoadingError() == null && AmazonCorrettoCryptoProvider.INSTANCE.runSelfTests().equals(SelfTestStatus.PASSED)) {
// Successfully installed
}
RuntimeCryptoException
if it isn't.
We generally do not recommend this solution as we believe that gracefully falling back to other providers is usually the better option.
AmazonCorrettoCryptoProvider.INSTANCE.assertHealthy();
ACCP can be configured via several system properties.
None of these should be needed for standard deployments, and we recommend not touching them.
They are of most use to developers needing to test ACCP or experiment with benchmarking.
These are all read early in the load process and may be cached so any changes to them made from within Java may not be respected.
Thus, these should all be set on the JVM command line using -D
.
com.amazon.corretto.crypto.provider.extrachecks
Adds extra cryptographic consistency checks which are not necessary on standard systems.
These checks may be computationally expensive and are not normally relevant.
See ExtraCheck.java
for values and more information.
(Also accepts "ALL" as a value to enable all flags and "help" to print out all flags to STDERR.)com.amazon.corretto.crypto.provider.debug
Enables extra debugging behavior.
These behaviors may be computationally expensive, produce additional output, or otherwise change the behavior of ACCP.
No values here will lower the security of ACCP or cause it to give incorrect results.
See DebugFlag.java
for values and more information.
(Also accepts "ALL" as a value to enable all flags and "help" to print out all flags to STDERR.)com.amazon.corretto.crypto.provider.useExternalLib
Takes in true
or false
(defaults to false
).
If true
then ACCP skips trying to load the native library bundled within its JAR and goes directly to the system library path.com.amazon.corretto.crypto.provider.janitor.stripes
Takes positive integer value which is the requested minimum number of "stripes" used by the Janitor
for dividing cleaning tasks (messes) among its workers.
(Current behavior is to default this value to 4 times the CPU core count and then round the value up to the nearest power of two.)
See Janitor.java
for more information.com.amazon.corretto.crypto.provider.cacheselftestresults
Takes in true
or false
(defaults to true
). If set to true
, the results of running tests are cached,
and the subsequent calls to AmazonCorrettoCryptoProvider::runSelfTests
would avoid re-running tests; otherwise, each call to AmazonCorrettoCryptoProvider::runSelfTests
re-run the tests.com.amazon.corretto.crypto.provider.registerEcParams
Takes in true
or false
(defaults to false
).
If true
, then ACCP will register its EC-flavored AlgorithmParameters implementation on startup.
Else, the JCA will get the implementation from another registered provider (usually stock JCE).
Using JCE's implementation is generally recommended unless using ACCP as a standalone provider
Callers can choose to register ACCP's implementation at runtime with a call to AmazonCorrettoCryptoProvider.registerEcParams()
com.amazon.corretto.crypto.provider.registerSecureRandom
Takes in true
or false
(defaults to true
).
If true
, then ACCP will register a SecureRandom implementation (LibCryptoRng
) backed by AWS-LC
Else, ACCP will not register a SecureRandom implementation, meaning that the JCA will source SecureRandom instances from another registered provider. AWS-LC will still use its internal DRBG for key generation and other operations requiring secure pseudo-randomness.com.amazon.corretto.crypto.provider.nativeContextReleaseStrategy
Takes in HYBRID
, LAZY
, or EAGER
(defaults to HYBRID
). This property only affects
AES-GCM cipher for now. AES-GCM associates a native object of type EVP_CIPHER_CTX
to each Cipher
object. This property allows users to control the strategy for releasing
the native object.
HYBRID
(default): the structure is released eagerly, unless the same AES key is used. This is the
default behavior, and it is consistent with prior releases of ACCP.LAZY
: preserve the native object and do not release while the Cipher
object is not garbage collected.EAGER
: release the native object as soon as possible, regardless of using the same key or not.
Our recommendation is to set this property to EAGER
if Cipher
objects are discarded
after use and caching of Cipher
objects is not needed. When reusing the same Cipher
object, it would be beneficial to set this system property to LAZY
so that different
encryption/decryption operations would not require allocation and release of EVP_CIPHER_CTX
structure. A common use case would be having long-running threads that each would get its
own instance of Cipher
class.com.amazon.corretto.crypto.provider.tmpdir
Allows one to set the temporary directory used by ACCP when loading native libraries.
If this system property is not defined, the system property java.io.tmpdir
is used.This library is licensed under the Apache 2.0 license although portions of this product include software licensed under the dual OpenSSL and SSLeay license. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org), as well as cryptographic software written by Eric Young (eay@cryptsoft.com).
As of version 2.0.0, our backing native cryptographic library (now AWS-LC) also
has some code published under
MIT, Google's
ISC, and 3-clause
BSD licenses (among
others). Please see AWS-LC's LICENSE
file for full details.