Releases: corretto/amazon-corretto-crypto-provider
Releases · corretto/amazon-corretto-crypto-provider
AmazonCorrettoCryptoProvider 2.4.1 - 2024-06-27
AmazonCorrettoCryptoProvider 2.4.0 - 2024-06-27
2.4.0
Overview
This version of ACCP uses v1.30.1 and AWS-LC-FIPS-2.0.13 versions of AWS-LC for regular and FIPS builds respectively. These versions support Snapsafe-type uniqueness breaking event detection.
Minor
- PR 380: Support for AES-CBC with NoPadding, PKCS5Padding, PKCS7Padding
- PR 381: Support for AES-CBC with ISO10126Padding
Patch
AmazonCorrettoCryptoProvider 2.3.3 - 2024-01-12
2.3.3
Overview
Starting from this version, build artifacts for MacOS AARCH64 (Arm64) are released.
The corresponding Jar is identified by osx-aarch_64 classifier.
Please note that ACCP-FIPS does not have osx-aarch_64 artifacts and osx-aarch_64
is only available for non-FIPS builds.
Patch
- Use AWS-LC v1.17.0 for ACCP
- Use AWS-LC AWS-LC-FIPS-2.0.2 for ACCP-FIPS
- PR 335: Do not destroy linked public keys
- PR 329: Allow users to control the release of EVP context for AES-GCM
AmazonCorrettoCryptoProvider 2.3.2 - 2023-10-27
2.3.2
Overview
Starting from this version, build artifacts for MacOS X86-64 are released. The corresponding Jar is identified by osx-x86_64 classifier. Please note that ACCP-FIPS does not have osx-x86_64 artifacts and osx-x86_64 is only available for non-FIPS builds.
Patch
- Use AWS-LC v1.16.0 for ACCP
- Use fips-2022-11-02 branch of AWS-LC at commit ID
329d23ce93d42b9017502ac24ca073ebdaa7660ffor ACCP-FIPS - PR 338: Avoid buffering cipher text for one-shot AES-GCM decrypt
- PR 336: Fix ByteBuffer position handling
- PR 333: Replace MessageDigest.isEqual with our own implementation
- PR 334: Let ECDSA Signature objects accept parameters
- PR 327: Github issue 326, NPE
AmazonCorrettoCryptoProvider 2.3.1 - 2023-08-31
2.3.1
Patches
- Use AWS-LC v1.15.0 for ACCP
- RSA performance on Graviton 2 has improved in version v1.15.0 of AWS-LC.
- For more details, please refer to the release notes for v1.15.0
- Use fips-2022-11-02 branch of AWS-LC at commit ID
d780e5e025c47cd782fd3d5d70a033e59fe80166for ACCP-FIPS - Round RSA key sizes up when generating keys for ACCP PR 321
- Throwing exceptions for too-short signatures PR 320
AmazonCorrettoCryptoProvider 2.3.0 - 2023-08-09
2.3.0
Overview
Starting from this version, build artifacts for ACCP-FIPS are also released for experimental purposes. This version of ACCP-FIPS uses
fips-2022-11-02 branch of AWS-LC at commit ID 993c6ff33a2d709ddc25d1557cd96261217bf1fd.
Minor changes
- Support HKDF [PR 310, 312]
AmazonCorrettoCryptoProvider 2.2.0 - 2023-07-06
2.2.0
Minor changes
- Support AES-XTS [PR 306]
- AesXts.kt shows how AES-XTS can be used.
- Serialization for EvpKeys [PR 304]
AmazonCorrettoCryptoProvider 2.1.0 - 2023-06-09
2.1.0
- Support AlgorithmParameters for EC [PR 274]
- Support KeyGenerator for AES [PR 279]
- Register LibCryptoRng by default in non-FIPS mode [PR 286]
- Use FIPS approved API of AWS-LC for RSA key generation in FIPS mode [PR 301]
- Include AWS-LC's self tests as part of ACCP's self tests [PR 283]
Patches
- Fixed bug in output buffer size check [PR 297]
- Improved the performance of AES-GCM [PRs 296, 298, 300, 302]
- Added code formatting and style checking to the build scripts [PRs 287, 292]
- Renamed branches on GitHub
AmazonCorrettoCryptoProvider 1.6.2 - 2023-03-09
1.6.2
This is an update to ACCP 1.6.1 to use OpenSSL 1.1.1t. We recommend migrating to ACCP 2.X since there will be no new features added to ACCP 1.X.
Patches
- Update OpenSSL version used in ACCP to 1.1.1t
AmazonCorrettoCryptoProvider 2.0.0 - 2023-02-14
ACCP 2.0.0
We're pleased to announce the release of ACCP 2.0.0.
Highlights
- Added Build artifacts for Linux-x86 and Linux-aarch64. Access these from the release section on Github or on Maven Central.
- Uses to AWS-LC as the underlying cryptographic library instead of OpenSSL (version 1.1.1j). AWS-LC went through rigorous testing and formal verification in its development lifecycle, reducing the risk of security vulnerabilities. AWS-LC has optimized assembly implementations of some cryptographic algorithms which translates to better performance. These optimizations are beneficial for AWS Graviton 2 & 3 users as well as x86 based platforms;
New
- Support build and releases for Linux x86 and Linux aarch64
- Use AWS-LC (https://github.com/awslabs/aws-lc/) as the as the underlying cryptographic library
- Use SecureRandom implementation backed by AWS-LC DRBG
- Use AES key wrapping (a.k.a. KWP mode of AES)
- Use RSA OAEP cipher padding over SHA2 hashes
- Use RSA PSS signature padding over SHA1 and SHA2 hashes
Breaking Changes
This version is not backward compatible and the differences may affect your application.
- Drop support for (non-EC) DSA signatures
- Drop support for (non-EC) Diffie-Hellman key exchange
- Drop support for secp192r1, as well as most other non-NIST "legacy" curves
- Drop RDRAND-seeded, AES-CTR SecureRandom implementation
- The implementation of the SecureRandom relies on AWS-LC's DRBG and the name is changed from "NIST800-90A/AES-CTR-256" to "LibCryptoRng".
- AWS-LC and OpenSSL are not 100% compatible. We have tried to keep the incompatibilities hidden from ACCP users, and we will deal with such scenarios case by case in the future.
Improvements
- Add support for AES ciphers with specific key sizes (GCM, no padding)
- Track the AWS-LC dependency as a Git Submodule instead of downloaded tarball
- Improving the configuration (https://github.com/corretto/amazon-corretto-crypto-provider#configuration) and system properties that control ACCP's behavior
- External integration tests now skip certificate validation for expired certificates. This is to work around external sites which may have allowed their certificates to expire. PR #190 (#189)
- Allows developers to run clang-tidy against the source by passing -DUSE_CLANG_TIDY=true to gradlew
- Add KeyFactory implementations for RSA and EC keys. This also includes our own implementations of keys for the same algorithms. PR #132 (#132)
- Added amazon-corretto-crypto-provider-jdk15.security to support JDK15+
- Add support for MacOS builds for development
- Add TLS 1.3 to local integ tests
Bug Fixes
- Fix libaccp builds for GCC 4.1.2