From eb3083ed52584ef7a7a5b927d6db340c216f1a34 Mon Sep 17 00:00:00 2001 From: Greg Rubin Date: Thu, 24 Oct 2019 23:18:14 +0000 Subject: [PATCH 01/14] Update docs in prep for 1.6.1 --- CHANGELOG.md | 20 +++++++++++++++++--- README.md | 45 +++++++++++++++------------------------------ 2 files changed, 32 insertions(+), 33 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3ccfc619b..13ef2ebe7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,24 @@ # Changelog ## 1.6.1 -- Unreleased + +### Deprecation Warnings +* `AwsCrypto.encryptString()` and `AwsCrypto.decryptString()` are now deprecated. + Please move to `AwsCrypto.encryptData()` and `AwsCrypto.decryptData()` with manual Base64 encoding/decoding. + [PR #120](https://github.com/aws/aws-encryption-sdk-java/pull/120) + +### Patches +* Correctly validate version [PR #116](https://github.com/aws/aws-encryption-sdk-java/pull/116) +* `ParsedCiphertext` now properly handles truncated input [PR #119](https://github.com/aws/aws-encryption-sdk-java/pull/119) + ### Maintenance -* Add support for standard test vectors via `testVectorZip` system property. -* No longer require use of BouncyCastle with RSA `JceMasterKey`s -* No longer use BouncyCastle for Elliptic Curve key generation and point compression/decompression +* Add support for standard test vectors via `testVectorZip` system property. [PR #127](https://github.com/aws/aws-encryption-sdk-java/pull/127) +* Remove all explicit cryptographic dependencies on BouncyCastle. PRs + [#128](https://github.com/aws/aws-encryption-sdk-java/pull/128), + [#129](https://github.com/aws/aws-encryption-sdk-java/pull/129), + [#130](https://github.com/aws/aws-encryption-sdk-java/pull/130), + [#131](https://github.com/aws/aws-encryption-sdk-java/pull/131), + and [#132](https://github.com/aws/aws-encryption-sdk-java/pull/132). ## 1.6.0 -- 2019-05-31 diff --git a/README.md b/README.md index c8ad880d0..36cd28540 100644 --- a/README.md +++ b/README.md 
@@ -9,26 +9,26 @@ For more details about the design and architecture of the SDK, see the [official ### Required Prerequisites To use this SDK you must have: -* **A Java 8 development environment** +* **A Java 8 or newer development environment** - If you do not have one, go to [Java SE Downloads](https://www.oracle.com/technetwork/java/javase/downloads/index.html) on the Oracle website, then download and install the Java SE Development Kit (JDK). Java 8 or higher is required. + If you do not have one, we recommend [Amazon Corretto](https://aws.amazon.com/corretto/). **Note:** If you use the Oracle JDK, you must also download and install the [Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files](http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html). -* **Bouncy Castle** +* **Bouncy Castle** or **Bouncy Castle FIPS** - Bouncy Castle provides a cryptography API for Java. If you do not have Bouncy Castle, go to https://bouncycastle.org/latest_releases.html, then download the provider file that corresponds to your JDK. Or, you can pick it up from Maven: + Bouncy Castle provides some utilities the AWS Encryption SDK needs to handle cryptographic objects. + If you do not have Bouncy Castle, go to https://bouncycastle.org/latest_releases.html, then download the provider file that corresponds to your JDK. + Or, you can pick it up from Maven (groupId: `org.bouncycastle`, artifactId: `bcprov-ext-jdk15on`). - ```xml - - org.bouncycastle - bcprov-ext-jdk15on - 1.61 - - ``` + As of version 1.6.1, + the AWS Encryption SDK will also work with Bouncy Castle FIPS (groupId: `org.bouncycastle`, artifactId: `bcprov-ext-jdk15on`). + Please follow Bouncy Castle's FIPS [documentation](https://www.bouncycastle.org/documentation.html), + including User Guides and Security Policy for proper installation and configuration. 
### Optional Prerequisites +#### AWS Integration You don't need an Amazon Web Services (AWS) account to use this SDK, but some of the [example code][examples] requires an AWS account, a customer master key (CMK) in AWS KMS, and the AWS SDK for Java. * **To create an AWS account**, go to [Sign In or Create an AWS Account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) and then choose **I am a new user.** Follow the instructions to create an AWS account. @@ -37,6 +37,10 @@ You don't need an Amazon Web Services (AWS) account to use this SDK, but some of * **To download and install the AWS SDK for Java**, go to [Installing the AWS SDK for Java](https://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-install-sdk.html) in the AWS SDK for Java documentation and then follow the instructions on that page. +#### Amazon Corretto Crypto Provider +Many users find that the Amazon Corretto Crypto Provider (ACCP) significantly improves the performance of the AWS Encryption SDK. +Please see the [ACCP GitHub Respository](https://github.com/corretto/amazon-corretto-crypto-provider) for installation and use guidance. + ### Download You can get the latest release from Maven: @@ -49,25 +53,6 @@ You can get the latest release from Maven: ``` -Don't forget to enable the download of snapshot jars from Maven: - -```xml - - - allow-snapshots - true - - - snapshots-repo - https://oss.sonatype.org/content/repositories/snapshots - false - true - - - - -``` - ### Get Started The following code sample demonstrates how to get started: From 51586c97d9abeaedc16f9164bb748d57916d8dc1 Mon Sep 17 00:00:00 2001 From: Greg Rubin Date: Fri, 25 Oct 2019 17:51:54 +0000 Subject: [PATCH 02/14] Fix BC-FIPS artifactID --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 36cd28540..5314daa20 100644 --- a/README.md +++ b/README.md 
@@ -22,7 +22,7 @@ To use this SDK you must have: Or, you can pick it up from Maven (groupId: `org.bouncycastle`, artifactId: `bcprov-ext-jdk15on`). As of version 1.6.1, - the AWS Encryption SDK will also work with Bouncy Castle FIPS (groupId: `org.bouncycastle`, artifactId: `bcprov-ext-jdk15on`). + the AWS Encryption SDK will also work with Bouncy Castle FIPS (groupId: `org.bouncycastle`, artifactId: `bc-fips`). Please follow Bouncy Castle's FIPS [documentation](https://www.bouncycastle.org/documentation.html), including User Guides and Security Policy for proper installation and configuration. From de5976cc4d8d54f194ce089d8e35484da9f90913 Mon Sep 17 00:00:00 2001 From: SalusaSecondus Date: Fri, 25 Oct 2019 11:55:30 -0700 Subject: [PATCH 03/14] Update CHANGELOG.md Change voice of CHANGELOG to declarative Co-Authored-By: June Blender --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 13ef2ebe7..09a6020f4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ ## 1.6.1 -- Unreleased ### Deprecation Warnings -* `AwsCrypto.encryptString()` and `AwsCrypto.decryptString()` are now deprecated. +* Deprecated `AwsCrypto.encryptString()` and `AwsCrypto.decryptString()`. Please move to `AwsCrypto.encryptData()` and `AwsCrypto.decryptData()` with manual Base64 encoding/decoding. [PR #120](https://github.com/aws/aws-encryption-sdk-java/pull/120) From 575228e1dbf63a4e085d9dbc7fcca127af9ad98d Mon Sep 17 00:00:00 2001 From: SalusaSecondus Date: Fri, 25 Oct 2019 11:56:33 -0700 Subject: [PATCH 04/14] Update CHANGELOG.md Minor language fix Co-Authored-By: June Blender --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 09a6020f4..b8a4ad8dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,7 +9,7 @@ ### Patches * Correctly validate version [PR #116](https://github.com/aws/aws-encryption-sdk-java/pull/116) -* `ParsedCiphertext` now properly handles truncated input [PR #119](https://github.com/aws/aws-encryption-sdk-java/pull/119) +* `ParsedCiphertext` now handles truncated input properly [PR #119](https://github.com/aws/aws-encryption-sdk-java/pull/119) ### Maintenance * Add support for standard test vectors via `testVectorZip` system property. [PR #127](https://github.com/aws/aws-encryption-sdk-java/pull/127) From ab92b579516ac9944b1bdd762ffc042ae7823a5e Mon Sep 17 00:00:00 2001 From: SalusaSecondus Date: Fri, 25 Oct 2019 11:57:13 -0700 Subject: [PATCH 05/14] Update README.md Minor language tweak Co-Authored-By: June Blender --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5314daa20..9418ccb29 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ To use this SDK you must have: If you do not have Bouncy Castle, go to https://bouncycastle.org/latest_releases.html, then download the provider file that corresponds to your JDK. Or, you can pick it up from Maven (groupId: `org.bouncycastle`, artifactId: `bcprov-ext-jdk15on`). - As of version 1.6.1, + Beginning in version 1.6.1, the AWS Encryption SDK will also work with Bouncy Castle FIPS (groupId: `org.bouncycastle`, artifactId: `bc-fips`). Please follow Bouncy Castle's FIPS [documentation](https://www.bouncycastle.org/documentation.html), including User Guides and Security Policy for proper installation and configuration. From f8d07a0157af9c032296072e67532af1353e54fe Mon Sep 17 00:00:00 2001 From: SalusaSecondus Date: Fri, 25 Oct 2019 11:57:26 -0700 Subject: [PATCH 06/14] Update README.md Minor language tweak Co-Authored-By: June Blender --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9418ccb29..30abd8e45 100644 --- a/README.md +++ b/README.md 
@@ -22,7 +22,7 @@ To use this SDK you must have: Or, you can pick it up from Maven (groupId: `org.bouncycastle`, artifactId: `bcprov-ext-jdk15on`). Beginning in version 1.6.1, - the AWS Encryption SDK will also work with Bouncy Castle FIPS (groupId: `org.bouncycastle`, artifactId: `bc-fips`). + the AWS Encryption SDK also works with Bouncy Castle FIPS (groupId: `org.bouncycastle`, artifactId: `bc-fips`). Please follow Bouncy Castle's FIPS [documentation](https://www.bouncycastle.org/documentation.html), including User Guides and Security Policy for proper installation and configuration. From 14a68d35b1cc9f1810a429cc3c8c3876cfadae1b Mon Sep 17 00:00:00 2001 From: SalusaSecondus Date: Fri, 25 Oct 2019 11:58:23 -0700 Subject: [PATCH 07/14] Update README.md Minor language tweak Co-Authored-By: June Blender --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 30abd8e45..4db7e50df 100644 --- a/README.md +++ b/README.md @@ -39,7 +39,7 @@ You don't need an Amazon Web Services (AWS) account to use this SDK, but some of #### Amazon Corretto Crypto Provider Many users find that the Amazon Corretto Crypto Provider (ACCP) significantly improves the performance of the AWS Encryption SDK. -Please see the [ACCP GitHub Respository](https://github.com/corretto/amazon-corretto-crypto-provider) for installation and use guidance. +For help with installation and using ACCP, see the [ACCP GitHub Respository](https://github.com/corretto/amazon-corretto-crypto-provider) . ### Download From e2a8e08228fb2bba92a51c15a157a033fad9a95a Mon Sep 17 00:00:00 2001 From: SalusaSecondus Date: Fri, 25 Oct 2019 11:58:38 -0700 Subject: [PATCH 08/14] Update CHANGELOG.md Co-Authored-By: June Blender --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index b8a4ad8dc..bd0fa7812 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -13,7 +13,7 @@ ### Maintenance * Add support for standard test vectors via `testVectorZip` system property. [PR #127](https://github.com/aws/aws-encryption-sdk-java/pull/127) -* Remove all explicit cryptographic dependencies on BouncyCastle. PRs +* Remove all explicit cryptographic dependencies on BouncyCastle. The AWS Encryption SDK for Java still uses Bouncy Castle for other tasks. PRs [#128](https://github.com/aws/aws-encryption-sdk-java/pull/128), [#129](https://github.com/aws/aws-encryption-sdk-java/pull/129), [#130](https://github.com/aws/aws-encryption-sdk-java/pull/130), From d82630a45ce1b961266bf3e7960b9e710eaadd9e Mon Sep 17 00:00:00 2001 From: SalusaSecondus Date: Fri, 25 Oct 2019 11:58:54 -0700 Subject: [PATCH 09/14] Update README.md Co-Authored-By: June Blender --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4db7e50df..0518f1f41 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ To use this SDK you must have: * **Bouncy Castle** or **Bouncy Castle FIPS** - Bouncy Castle provides some utilities the AWS Encryption SDK needs to handle cryptographic objects. +Although the AWS Encryption SDK for Java no longer depends on Bouncy Castle for cryptography, it requires Bouncy Castle for other tasks, such as handling cryptographic objects.``` If you do not have Bouncy Castle, go to https://bouncycastle.org/latest_releases.html, then download the provider file that corresponds to your JDK. Or, you can pick it up from Maven (groupId: `org.bouncycastle`, artifactId: `bcprov-ext-jdk15on`). From 239fa590d68d6dcd99d76b9e52c63777462e64fe Mon Sep 17 00:00:00 2001 From: Greg Rubin Date: Fri, 25 Oct 2019 19:02:47 +0000 Subject: [PATCH 10/14] More minor language tweaks --- CHANGELOG.md | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd0fa7812..02c3d1de6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -31,7 +31,7 @@ ## 1.5.0 -- 2019-05-30 ### Minor Changes -* Add dependency on Apache Commons Codec 1.12. +* Added dependency on Apache Commons Codec 1.12. * Use org.apache.commons.codec.binary.Base64 instead of java.util.Base64 so that the SDK can be used on systems that do not have java.util.Base64 but support Java 8 language features. diff --git a/README.md b/README.md index 0518f1f41..0126ef217 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ Although the AWS Encryption SDK for Java no longer depends on Bouncy Castle for Beginning in version 1.6.1, the AWS Encryption SDK also works with Bouncy Castle FIPS (groupId: `org.bouncycastle`, artifactId: `bc-fips`). - Please follow Bouncy Castle's FIPS [documentation](https://www.bouncycastle.org/documentation.html), + For help installing and configuring Bouncy Castle FIPS, see [BC FIPS documentation](https://www.bouncycastle.org/documentation.html), including User Guides and Security Policy for proper installation and configuration. ### Optional Prerequisites From ff69afa5fd911e70aa11c3bdebde66c5ebd99aaf Mon Sep 17 00:00:00 2001 From: Greg Rubin Date: Fri, 25 Oct 2019 19:18:57 +0000 Subject: [PATCH 11/14] More minor language tweaks --- README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0126ef217..9835a2e6f 100644 --- a/README.md +++ b/README.md 
@@ -17,12 +17,17 @@ To use this SDK you must have: * **Bouncy Castle** or **Bouncy Castle FIPS** -Although the AWS Encryption SDK for Java no longer depends on Bouncy Castle for cryptography, it requires Bouncy Castle for other tasks, such as handling cryptographic objects.``` + The AWS Encryption SDK for Java uses Bouncy Castle for serializing and deserializing cryptographic objects. + It does not explicitly use Bouncy Castle (or any other [JCA Provider](https://docs.oracle.com/javase/8/docs/api/java/security/Provider.html)) for the underlying cryptography. + Instead, it uses the platform default, which may be configured or overridden as documented in the + [Java Cryptography Architecture (JCA) Reference Guide](https://docs.oracle.com/javase/9/security/java-cryptography-architecture-jca-reference-guide.htm#JSSEC-GUID-2BCFDD85-D533-4E6C-8CE9-29990DEB0190). + If you do not have Bouncy Castle, go to https://bouncycastle.org/latest_releases.html, then download the provider file that corresponds to your JDK. Or, you can pick it up from Maven (groupId: `org.bouncycastle`, artifactId: `bcprov-ext-jdk15on`). Beginning in version 1.6.1, - the AWS Encryption SDK also works with Bouncy Castle FIPS (groupId: `org.bouncycastle`, artifactId: `bc-fips`). + the AWS Encryption SDK also works with Bouncy Castle FIPS (groupId: `org.bouncycastle`, artifactId: `bc-fips`) + as an alternative to non-FIPS Bouncy Castle. For help installing and configuring Bouncy Castle FIPS, see [BC FIPS documentation](https://www.bouncycastle.org/documentation.html), including User Guides and Security Policy for proper installation and configuration. From 2dc1cc44d0d07399c5bac3eff5f2d4d2e4780322 Mon Sep 17 00:00:00 2001 From: Greg Rubin Date: Tue, 29 Oct 2019 20:58:10 +0000 Subject: [PATCH 12/14] Language tweaks --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9835a2e6f..b1eaa4cf0 100644 --- a/README.md +++ b/README.md 
@@ -17,9 +17,9 @@ To use this SDK you must have: * **Bouncy Castle** or **Bouncy Castle FIPS** - The AWS Encryption SDK for Java uses Bouncy Castle for serializing and deserializing cryptographic objects. + The AWS Encryption SDK for Java uses Bouncy Castle to serialize and deserialize cryptographic objects. It does not explicitly use Bouncy Castle (or any other [JCA Provider](https://docs.oracle.com/javase/8/docs/api/java/security/Provider.html)) for the underlying cryptography. - Instead, it uses the platform default, which may be configured or overridden as documented in the + Instead, it uses the platform default, which you can configure or override as documented in the [Java Cryptography Architecture (JCA) Reference Guide](https://docs.oracle.com/javase/9/security/java-cryptography-architecture-jca-reference-guide.htm#JSSEC-GUID-2BCFDD85-D533-4E6C-8CE9-29990DEB0190). If you do not have Bouncy Castle, go to https://bouncycastle.org/latest_releases.html, then download the provider file that corresponds to your JDK. @@ -28,8 +28,8 @@ To use this SDK you must have: Beginning in version 1.6.1, the AWS Encryption SDK also works with Bouncy Castle FIPS (groupId: `org.bouncycastle`, artifactId: `bc-fips`) as an alternative to non-FIPS Bouncy Castle. - For help installing and configuring Bouncy Castle FIPS, see [BC FIPS documentation](https://www.bouncycastle.org/documentation.html), - including User Guides and Security Policy for proper installation and configuration. + For help installing and configuring Bouncy Castle FIPS properly, see [BC FIPS documentation](https://www.bouncycastle.org/documentation.html), + in particular, **User Guides** and **Security Policy**. ### Optional Prerequisites 
@@ -44,7 +44,7 @@ You don't need an Amazon Web Services (AWS) account to use this SDK, but some of #### Amazon Corretto Crypto Provider Many users find that the Amazon Corretto Crypto Provider (ACCP) significantly improves the performance of the AWS Encryption SDK. -For help with installation and using ACCP, see the [ACCP GitHub Respository](https://github.com/corretto/amazon-corretto-crypto-provider) . +For help installing and using ACCP, see the [ACCP GitHub Respository](https://github.com/corretto/amazon-corretto-crypto-provider) . ### Download From cf38324794ad3b5f5d1b24ca6936bc0921f0baa1 Mon Sep 17 00:00:00 2001 From: Greg Rubin Date: Tue, 29 Oct 2019 21:02:22 +0000 Subject: [PATCH 13/14] Language tweaks --- CHANGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02c3d1de6..9116d7851 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,10 @@ ### Deprecation Warnings * Deprecated `AwsCrypto.encryptString()` and `AwsCrypto.decryptString()`. - Please move to `AwsCrypto.encryptData()` and `AwsCrypto.decryptData()` with manual Base64 encoding/decoding. + Replace your calls to these methods with calls to AwsCrypto.encryptData() and AwsCrypto.decryptData(). + Unlike the deprecated methods, these methods don't perform any Base64 encoding or decoding, so they are fully compatible with other language implementations of the AWS Encryption SDK. + + If you need Base64 encoding or decoding for your application, you can add it outside of the AWS Encryption SDK. [PR #120](https://github.com/aws/aws-encryption-sdk-java/pull/120) ### Patches From e23ac0e653bb70e7e87b06643d48284c55e04c4b Mon Sep 17 00:00:00 2001 From: Greg Rubin Date: Tue, 29 Oct 2019 21:04:15 +0000 Subject: [PATCH 14/14] Actually bump version for release --- CHANGELOG.md | 2 +- README.md | 2 +- pom.xml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9116d7851..1458c3127 100644 
--- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,6 @@ # Changelog -## 1.6.1 -- Unreleased +## 1.6.1 -- 2019-10-29 ### Deprecation Warnings * Deprecated `AwsCrypto.encryptString()` and `AwsCrypto.decryptString()`. diff --git a/README.md b/README.md index b1eaa4cf0..0387070cc 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,7 @@ You can get the latest release from Maven: com.amazonaws aws-encryption-sdk-java - 1.6.0 + 1.6.1 ``` diff --git a/pom.xml b/pom.xml index 3a2f2d32c..f60680114 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ com.amazonaws aws-encryption-sdk-java - 1.6.0 + 1.6.1 jar aws-encryption-sdk-java
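Review bot: In PATCH 01/14, CHANGELOG.md hunk `@@ -1,10 +1,24 @@`, the Patches entry `Correctly validate version` does not say which version field is validated or what was accepted before the fix. Since the neighbouring entry concerns `ParsedCiphertext` and truncated input, readers will assume both affect parsing of untrusted ciphertext. Suggest naming the field and stating the previous behaviour, so users can tell whether input that used to be accepted is now rejected and whether they need to upgrade.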
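Review bot: In PATCH 01/14, README.md hunk `@@ -9,26 +9,26 @@`, replacing the Maven XML snippet with inline text (groupId: `org.bouncycastle`, artifactId: `bcprov-ext-jdk15on`) drops the Bouncy Castle version (`1.61` in the removed lines), so the README no longer says which version is known to work. Suggest stating a minimum supported version next to the coordinates. The unchanged **Note** line in the same hunk links the JCE policy files over `http://`; since this section is being edited anyway, that link could move to `https://`.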
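Review bot: In PATCH 10/14, CHANGELOG.md hunk `@@ -31,7 +31,7 @@`, changing `Add dependency on Apache Commons Codec 1.12.` to `Added dependency ...` leaves the very next bullet in the imperative (`Use org.apache.commons.codec.binary.Base64 instead of ...`), so the 1.5.0 section now mixes two voices. The 1.6.1 section has the same mix (`Deprecated ...`, `Add support ...`, `Remove all explicit ...`). Suggest picking one voice and applying it to every bullet in the sections this series touches, or leaving the already released 1.5.0 entry unchanged.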
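Review bot: In PATCH 11/14, README.md hunk `@@ -17,12 +17,17 @@`, the added text says the SDK takes its cryptography from the platform default provider and uses Bouncy Castle only for serializing and deserializing cryptographic objects, then offers `bc-fips` "as an alternative to non-FIPS Bouncy Castle" without connecting the two statements. A reader with a FIPS requirement could conclude that adding `bc-fips` as a dependency is enough to run the SDK's cryptography in a FIPS provider. Suggest one explicit sentence saying that the provider used for encryption and signing is still whatever the JCA default is, and that it must be configured separately. The two Oracle links in this hunk also point at different Java versions (`javase/8` for Provider, `javase/9` for the JCA Reference Guide); using one version for both would be more consistent with the "Java 8 or newer" prerequisite.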
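Review bot: In PATCH 12/14, README.md hunk `@@ -44,7 +44,7 @@`, the rewritten ACCP line still carries the misspelling `Respository` in the link text and a stray space before the final period (`...amazon-corretto-crypto-provider) .`). The typo dates from PATCH 01/14 and the space from PATCH 07/14, and neither is fixed by the later language tweaks. Suggest `[ACCP GitHub Repository](https://github.com/corretto/amazon-corretto-crypto-provider).`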
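Review bot: In PATCH 13/14, CHANGELOG.md hunk `@@ -4,7 +4,10 @@`, the new migration text says the replacement methods "don't perform any Base64 encoding or decoding" but does not tell callers what to do with ciphertext already produced by `AwsCrypto.encryptString()`. Swapping `decryptString()` for `decryptData()` on stored output will fail unless the caller Base64-decodes it first, and the sentence "If you need Base64 encoding or decoding for your application" reads as optional rather than required for existing data. Suggest stating that existing `encryptString()` output must be Base64-decoded before being passed to `decryptData()`. The added line also writes AwsCrypto.encryptData() and AwsCrypto.decryptData() without backticks, unlike the method names on the line above it.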