From 49d9f10e6c1446aa5fbca72099e793adcebbe49d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20M=C3=BCller?=
Date: Wed, 23 Oct 2024 14:28:03 +0200
Subject: [PATCH] Support FIPS endpoints for AWS KMS (#245)

---
 README.md | 1 +
 docs/index.html | 7 +++++--
 .../net/jsign/jca/AmazonSigningService.java | 19 +++++++++++++++++--
 .../jsign/jca/AmazonSigningServiceTest.java | 17 +++++++++++++++++
 4 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 1ff8af26..2eccb789 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ See https://ebourg.github.io/jsign for more information.
 * The value of the `storetype` parameter is now case insensitive
 * The Azure Key Vault account no longer needs the permission to list the keys when signing with jarsigner
 * The DigiCert ONE host can now be specified with the `keystore` parameter
+* The `AWS_USE_FIPS_ENDPOINT` environment variable is now supported to use the AWS KMS FIPS endpoints (contributed by Sebastian Müller)
 * On Windows the YubiKey library path is automatically added to the PATH of the command line tool
 * Signing more than one file with the `YUBIKEY` storetype no longer triggers a `CKR_USER_NOT_LOGGED_IN` error
 * MS Cabinet files with a pre-allocated reserve are now supported
diff --git a/docs/index.html b/docs/index.html
index 3070ea3c..7b9f3f6a 100644
--- a/docs/index.html
+++ b/docs/index.html
@@ -696,7 +696,9 @@

Signing with a PIV card

Signing with AWS Key Management Service

AWS Key Management Service (KMS) stores only the private key, -the certificate must be provided separately. The keystore parameter references the AWS region.

+the certificate must be provided separately. The keystore parameter references the AWS region. +Setting the AWS_USE_FIPS_ENDPOINT environment variable to true will ensure the FIPS +endpoint is used.

The AWS access key, secret key, and optionally the session token, are concatenated and used as the storepass parameter; if the latter is not provided, Jsign attempts to fetch the credentials @@ -1044,7 +1046,8 @@

Credits

MSI signing was possible thanks to the work done by the osslsigncode and Apache POI projects.

Jsign includes contributions from Emmanuel Bourg, Florent Daigniere, Michael Szediwy, Michael Peterson, Markus Kilås, -Erwin Tratar, Björn Kautler, Joseph Lee, Maria Merkel, Vincent Malmedy, Sebastian Stamm and Eatay Mizrachi.

+Erwin Tratar, Björn Kautler, Joseph Lee, Maria Merkel, Vincent Malmedy, Sebastian Müller, Sebastian Stamm +and Eatay Mizrachi.

Contact

diff --git a/jsign-crypto/src/main/java/net/jsign/jca/AmazonSigningService.java b/jsign-crypto/src/main/java/net/jsign/jca/AmazonSigningService.java
index 90e519da..d6f0ff61 100644
--- a/jsign-crypto/src/main/java/net/jsign/jca/AmazonSigningService.java
+++ b/jsign-crypto/src/main/java/net/jsign/jca/AmazonSigningService.java
@@ -90,7 +90,7 @@ public class AmazonSigningService implements SigningService {
 * @since 6.0
 */
 public AmazonSigningService(String region, Supplier credentials, Function certificateStore) {
- this(credentials, certificateStore, "https://kms." + region + ".amazonaws.com");
+ this(credentials, certificateStore, getEndpointUrl(region));
 }
 /**
@@ -123,6 +123,17 @@ public AmazonSigningService(String region, String credentials, Function mock = mockStatic(AmazonSigningService.class, CALLS_REAL_METHODS)) {
+ when(AmazonSigningService.getenv("AWS_USE_FIPS_ENDPOINT")).thenReturn("false");
+ assertEquals("https://kms.us-west-2.amazonaws.com", AmazonSigningService.getEndpointUrl("us-west-2"));
+ }
+
+ // Test FIPS endpoint
+ try (MockedStatic mock = mockStatic(AmazonSigningService.class, CALLS_REAL_METHODS)) {
+ when(AmazonSigningService.getenv("AWS_USE_FIPS_ENDPOINT")).thenReturn("true");
+ assertEquals("https://kms-fips.us-west-2.amazonaws.com", AmazonSigningService.getEndpointUrl("us-west-2"));
+ }
+ }
 }
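Review bot: The Javadoc of the region-based constructor, which ends just above the changed line at `* @since 6.0`, is not updated even though the constructor's observable behaviour changes here: `getEndpointUrl(region)` resolves to the `kms-fips.<region>` host when the `AWS_USE_FIPS_ENDPOINT` environment variable is `true`, as the new tests show. Readers of the public API should not have to find that in the implementation, so add a line before `@since`, e.g. ` * If the {@code AWS_USE_FIPS_ENDPOINT} environment variable is set to {@code true}, the FIPS endpoint of the region ({@code kms-fips.<region>.amazonaws.com}) is used.`. The Javadoc block starts above this hunk, and the `getEndpointUrl` body is in the next hunk of this file, which is not legible in this view.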
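Review bot: The added test pins only the `"false"` and `"true"` values of `AWS_USE_FIPS_ENDPOINT`; the unset case (`getenv` returning `null`), which is what every existing deployment hits, has no assertion, and neither does a non-canonical value such as `"TRUE"` or `"1"`. The failure mode worth guarding is an operator who believes FIPS is enforced while the request silently goes to the non-FIPS host, so the test should state explicitly what `getEndpointUrl` does for those inputs. Add a third `mockStatic` block with `when(AmazonSigningService.getenv("AWS_USE_FIPS_ENDPOINT")).thenReturn(null);` asserting `https://kms.us-west-2.amazonaws.com`, and one for `"TRUE"` asserting whichever host the implementation is meant to produce. The start of this test method and the `getEndpointUrl` implementation are not legible in this view, so how the value is parsed cannot be confirmed here.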