Remove hard cryptographic dependency on BouncyCastle #41

Closed
5 tasks done
SalusaSecondus opened this issue Nov 28, 2017 · 4 comments

SalusaSecondus commented Nov 28, 2017

Right now this code depends on BouncyCastle for several cases:

  • EC Key generation (to support next point)
  • EC Key (de)serialization with point-compression
  • RSA encryption/decryption (due to default Java JCE problems with OAEP not using SHA-1)
  • ECDSA signatures
  • HMAC-based Extract-and-Expand Key Derivation Function

To make this library more portable, we should remove all of these hard dependencies. This will require:

  • Implementing point (de)compression
  • Properly using AlgorithmParameterSpec to configure the JCE provider to do the right OAEP padding
  • Replace HKDFBytesGenerator with Hkdf.java from aws-dynamodb-encryption-java
  • Remove all other references to BouncyCastle.
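
The OAEP item above, as an added example that is not code from this project: it passes an explicit `OAEPParameterSpec` with the generic `RSA/ECB/OAEPPadding` name, so the hash and MGF1 digest do not depend on provider defaults. The class name, the 2048-bit key and the choice of SHA-256 for both digests are assumptions made for illustration.

```java
import java.security.*;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class OaepExplicitParams {
    // Generic padding name: hash and MGF come from the spec below, not provider defaults.
    static final String TRANSFORMATION = "RSA/ECB/OAEPPadding";
    static final OAEPParameterSpec SHA256_MGF1_SHA256 = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    static byte[] wrap(PublicKey pub, byte[] dataKey) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, pub, SHA256_MGF1_SHA256);
        return c.doFinal(dataKey);
    }

    static byte[] unwrap(PrivateKey priv, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, priv, SHA256_MGF1_SHA256);
        return c.doFinal(wrapped);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] dataKey = new byte[32]; // constructed sample data key
        new SecureRandom().nextBytes(dataKey);
        byte[] wrapped = wrap(kp.getPublic(), dataKey);
        System.out.println("explicit spec round trip: "
                + Arrays.equals(dataKey, unwrap(kp.getPrivate(), wrapped)));

        // Same ciphertext, now relying on whatever the provider assumes for the named padding.
        // Providers differ in the MGF1 digest they pick for this name, so this may fail.
        Cipher byName = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        byName.init(Cipher.DECRYPT_MODE, kp.getPrivate());
        try {
            byName.doFinal(wrapped);
            System.out.println("provider default MGF1 digest matches SHA-256");
        } catch (BadPaddingException e) {
            System.out.println("provider default MGF1 digest differs: " + e.getMessage());
        }
    }
}
```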

fieldju commented Oct 1, 2019

@mattsb42-aws what is the status of this issue?

@mattsb42-aws
Member

Adding here for reference: when we do the point decompression, we need to make sure that we cover this too: aws/aws-encryption-sdk-python#113
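
Point (de)compression, which the issue lists as work to implement, sketched here against the JCE types only. This is an added example, not the project's implementation: the class and method names are hypothetical, it assumes a prime-field curve with p ≡ 3 (mod 4) such as secp256r1, and it rejects malformed or off-curve input instead of returning a point.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.interfaces.ECPublicKey;
import java.security.spec.*;
import java.util.Arrays;

public class EcPointCompression {
    // SEC 1 compressed form: 0x02/0x03 (parity of y) followed by fixed-width big-endian x.
    static byte[] compress(ECPoint w, ECParameterSpec spec) {
        int len = (spec.getCurve().getField().getFieldSize() + 7) / 8;
        byte[] out = new byte[1 + len];
        out[0] = (byte) (w.getAffineY().testBit(0) ? 0x03 : 0x02);
        byte[] x = w.getAffineX().toByteArray(); // may carry a sign byte or be short
        int n = Math.min(x.length, len);
        System.arraycopy(x, x.length - n, out, 1 + len - n, n);
        return out;
    }

    static ECPoint decompress(byte[] enc, ECParameterSpec spec) {
        EllipticCurve c = spec.getCurve();
        BigInteger p = ((ECFieldFp) c.getField()).getP();
        int len = (p.bitLength() + 7) / 8;
        if (enc.length != 1 + len || (enc[0] != 0x02 && enc[0] != 0x03))
            throw new IllegalArgumentException("not a compressed point for this curve");
        if (!p.testBit(0) || !p.testBit(1)) // square-root shortcut below needs p = 3 (mod 4)
            throw new IllegalArgumentException("unsupported field");
        BigInteger x = new BigInteger(1, Arrays.copyOfRange(enc, 1, enc.length));
        if (x.compareTo(p) >= 0) throw new IllegalArgumentException("x out of range");
        // Right-hand side of y^2 = x^3 + ax + b (mod p), then a candidate square root.
        BigInteger rhs = x.pow(3).add(c.getA().multiply(x)).add(c.getB()).mod(p);
        BigInteger y = rhs.modPow(p.add(BigInteger.ONE).shiftRight(2), p);
        if (!y.multiply(y).mod(p).equals(rhs)) // no square root: x is not on the curve
            throw new IllegalArgumentException("point is not on the curve");
        boolean odd = enc[0] == 0x03;
        if (y.testBit(0) != odd) y = p.subtract(y).mod(p);
        if (y.testBit(0) != odd) throw new IllegalArgumentException("invalid y parity");
        return new ECPoint(x, y);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        ECPublicKey pub = (ECPublicKey) kpg.generateKeyPair().getPublic();
        byte[] enc = compress(pub.getW(), pub.getParams());
        System.out.println("round trip ok: " + decompress(enc, pub.getParams()).equals(pub.getW()));
        enc[0] = 0x04; // constructed bad input: wrong prefix for a compressed-length buffer
        try { decompress(enc, pub.getParams()); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```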

ragona commented Oct 4, 2019

@fieldju We're taking a look at this one right now. I'll post again when we have a more concrete update, but I wanted to let you know that we're on it!

SalusaSecondus self-assigned this Oct 4, 2019
SalusaSecondus changed the title from "Remove hard dependency on BouncyCastle" to "Remove hard cryptographic dependency on BouncyCastle" Oct 8, 2019
WesleyRosenblum self-assigned this Oct 10, 2019
WesleyRosenblum added a commit that referenced this issue Oct 15, 2019
*Issue #, if available:* #41

*Description of changes:*

Removes explicit use of BouncyCastle from the `ECDSASignatureAlgorithm` implementation of `TrailingSignatureAlgorithm`.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

# Check any applicable:
- [ ] Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.
WesleyRosenblum added a commit that referenced this issue Oct 16, 2019
…ssion (#129)

*Issue #, if available:* #41

*Description of changes:*

Removes explicit use of BouncyCastle from the `ECDSASignatureAlgorithm` implementation of `TrailingSignatureAlgorithm`.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

# Check any applicable:
- [ ] Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.
WesleyRosenblum added a commit that referenced this issue Oct 17, 2019
*Issue #, if available:* #41

*Description of changes:*

Removes explicit use of BouncyCastle for deriving an HMAC in
`CryptoAlgorithm`.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

# Check any applicable:
- [ ] Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.
WesleyRosenblum added a commit that referenced this issue Oct 18, 2019
* Remove use of BouncyCastle for HMAC key derivation

*Issue #, if available:* #41

*Description of changes:*

Removes explicit use of BouncyCastle for deriving an HMAC in
`CryptoAlgorithm`.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

# Check any applicable:
- [ ] Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.
WesleyRosenblum added a commit that referenced this issue Oct 18, 2019
*Description of changes:*

Remaining fixes to allow BouncyCastle to be swapped out with other implementations.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

# Check any applicable:
- [ ] Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.
WesleyRosenblum added a commit that referenced this issue Oct 21, 2019
…plementations. (#131)

* *Issue #, if available:* #41

*Description of changes:*

Remaining fixes to allow BouncyCastle to be swapped out with other implementations.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

# Check any applicable:
- [ ] Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.
@SalusaSecondus
Contributor Author

Confirmed that all hard cryptographic dependencies on BouncyCastle have been removed. This means that while BouncyCastle is still being used, it is only for parsing and support logic.

Critically, it means that it can also be swapped out for the FIPS validated provider. The following diff still passes all tests:

diff --git a/pom.xml b/pom.xml
index 3a2f2d3..ce56b08 100644
--- a/pom.xml
+++ b/pom.xml
@@ -48,8 +48,8 @@

         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-ext-jdk15on</artifactId>
-            <version>1.61</version>
+            <artifactId>bc-fips</artifactId>
+            <version>1.0.1</version>
         </dependency>

         <dependency>
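
Review bot: the `artifactId`/`version` swap to `bc-fips` `1.0.1` is a hand edit to the single BouncyCastle dependency entry, so the test run against it is a one-off. Consider moving the artifact and version into Maven properties or a dedicated profile so CI can run the suite against both `bcprov-ext-jdk15on` 1.61 and `bc-fips` 1.0.1 and catch any later reintroduction of a hard dependency. A property would also make the pinned `1.0.1` easier to keep current.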

Excellent work @WesleyRosenblum !

texastony added a commit that referenced this issue May 27, 2021