Merge pull request #126 from corretto/develop

Merge v1.5.0 to master in preparation for release
corretto · Sep 2, 2020 · 130ceaa · 130ceaa
2 parents 31e7e92 + 68737e0
commit 130ceaa
Show file tree

Hide file tree

Showing 50 changed files with 1,944 additions and 1,868 deletions.
diff --git a/.gitignore b/.gitignore
@@ -3,6 +3,9 @@
 /.project
 /.settings/
 /.vscode/
+/.idea/
 *~
+\#*#
 *.ipr
 *.iws
+*.iml
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,7 +1,64 @@
 # Changelog
 
-## 1.4.0
+## 1.5.0
+### Breaking Change Warning
+In accordance with our [versioning policy](https://github.com/corretto/amazon-corretto-crypto-provider/blob/master/VERSIONING.rst),
+we post warnings of upcoming changes that might cause compatibility issues.
+As always, we expect that these changes will not impact the vast majority of consumers and can be picked up automatically provided you have good unit and integration changes.
+
+Starting in ACCP version 1.6.0, EC key pair generation will throw an `InvalidParameterException` if initialized to a keysize that is not in the following list.
+For these explicit sizes (only), ACCP behavior is unchanged. ACCP selects the the "secp*r1" curve that corresponds to the value. (For these values, its also the corresponding NIST prime curve).
+
+**Supported keysize values:**
+* 192
+* 224
+* 256
+* 384
+* 521
+
+This means that the following code will start failing because it requests a keysize that is not on the list.
+```java
+KeyPairGenerator kg = KeyPairGenerator.getInstance("EC");
+kg.initialize(160); // Throws an InvalidParameterException
+```
+
+We are making this change because the "SunEC" provider does not document its curve selection process for sizes other than those listed above and does not promise that it will continue to use the same curve selection process.
+Without a consistency guarantee, developers can't use
+[KeyPairGenerator.initialize(int keysize)](https://docs.oracle.com/javase/8/docs/api/java/security/KeyPairGenerator.html#initialize-int-)
+safely (regardless of whether ACCP is used or not).
+
+**We strongly recommend using**
+**[KeyPairGenerator.initialize(AlgorithmParameterSpec params)](https://docs.oracle.com/javase/8/docs/api/java/security/KeyPairGenerator.html#initialize-java.security.spec.AlgorithmParameterSpec-)**
+**with**
+**[ECGenParameterSpec](https://docs.oracle.com/javase/8/docs/api/java/security/spec/ECGenParameterSpec.html)**
+**to generate EC keys.**
+
+From versions 1.2.0 through 1.5.0, ACCP selects the corresponding "secp*r1" curve for any keysize requested.
+For the explicit sizes listed above this matches the SunEC behavior.
+For other sizes, there are no documented guarantees of the SunEC behavior.
+
+### Improvements
+* Now uses [OpenSSL 1.1.1g](https://www.openssl.org/source/openssl-1.1.1g.tar.gz). [PR #108](https://github.com/corretto/amazon-corretto-crypto-provider/pull/108)
+* Adds support for running a single test from the command line with the following syntax: [PR #113](https://github.com/corretto/amazon-corretto-crypto-provider/pull/113)
+
+  `./gradlew single_test -DSINGLE_TEST=<Fully Qualified Classname>`
+
+  For example: `./gradlew single_test -DSINGLE_TEST=com.amazon.corretto.crypto.provider.test.EcGenTest`
+
+  You may need to do a clean build when changing tests.
 
+### Patches
+* Ensure unauthenticated plaintext is not released through either [Cipher.doFinal(byte[], int, int, byte[], int)](https://docs.oracle.com/javase/9/docs/api/javax/crypto/Cipher.html#doFinal-byte:A-int-int-byte:A-int-) or [Cipher.doFinal(ByteBuffer, ByteBuffer)](https://docs.oracle.com/javase/9/docs/api/javax/crypto/Cipher.html#doFinal-java.nio.ByteBuffer-java.nio.ByteBuffer-). [PR #123](https://github.com/corretto/amazon-corretto-crypto-provider/pull/123)
+* Better handle HMAC keys with a `null` format. [PR #124](https://github.com/corretto/amazon-corretto-crypto-provider/pull/124)
+* Throw `IllegalBlockSizeException` when attempting RSA encryption/decryption on data larger than the keysize. [PR #122](https://github.com/corretto/amazon-corretto-crypto-provider/pull/122)
+
+### Maintenance
+* Upgrade tests to JUnit5. [PR #111](https://github.com/corretto/amazon-corretto-crypto-provider/pull/111)
+* Upgrade BouncyCastle test dependency 1.65. [PR #110](https://github.com/corretto/amazon-corretto-crypto-provider/pull/110)
+* Add version gating to P1363 Format tests. [PR #112](https://github.com/corretto/amazon-corretto-crypto-provider/pull/112)
+* Re-add support for very old x86_64 build-chains. [PR #112](https://github.com/corretto/amazon-corretto-crypto-provider/pull/112)
+
+## 1.4.0
 ### Improvements
 * Now uses [OpenSSL 1.1.1f](https://www.openssl.org/source/openssl-1.1.1f.tar.gz). [PR #97](https://github.com/corretto/amazon-corretto-crypto-provider/pull/97)
 * **EXPERIMENTAL** support for aarch64 added. [PR #99](https://github.com/corretto/amazon-corretto-crypto-provider/pull/99)
@@ -23,7 +80,7 @@
 * Now allows cloning of `Mac` objects. [PR #78](https://github.com/corretto/amazon-corretto-crypto-provider/pull/78)
 
 ### Maintenance
-* You can disable parallel execution of tests by setting the `ACCP_TEST_PARALLEL` environment variable to `false` 
+* You can disable parallel execution of tests by setting the `ACCP_TEST_PARALLEL` environment variable to `false`
 
 ## 1.2.0
 

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -53,6 +53,7 @@ if (NOT DEFINED TEST_JAVA_HOME)
 else()
   set(TEST_JAVA_EXECUTABLE ${TEST_JAVA_HOME}/bin/java)
 endif()
+
 # Translate from the java colon-delimited paths to cmake ';' delimited lists
 string(REPLACE ":" ";" BUILD_CLASSPATH_LIST "${BUILD_CLASSPATH}")
 string(REPLACE ":" ";" TEST_CLASSPATH_LIST "${TEST_CLASSPATH}")
@@ -119,7 +120,6 @@ set(ACCP_SRC
         src/com/amazon/corretto/crypto/provider/Loader.java
         src/com/amazon/corretto/crypto/provider/AmazonCorrettoCryptoProvider.java
         src/com/amazon/corretto/crypto/provider/NativeResource.java
-        src/com/amazon/corretto/crypto/provider/PrivilegedTestHooks.java
         src/com/amazon/corretto/crypto/provider/ReflectiveTools.java
         src/com/amazon/corretto/crypto/provider/RsaCipher.java
         src/com/amazon/corretto/crypto/provider/RsaGen.java
@@ -542,7 +542,6 @@ add_jar(
         tst/com/amazon/corretto/crypto/provider/test/NativeTestHooks.java
         tst/com/amazon/corretto/crypto/provider/test/NativeTest.java
         tst/com/amazon/corretto/crypto/provider/test/RecursiveInitializationTest.java
-        tst/com/amazon/corretto/crypto/provider/test/RdrandTest.java
         tst/com/amazon/corretto/crypto/provider/test/RsaCipherTest.java
         tst/com/amazon/corretto/crypto/provider/test/RsaGenTest.java
         tst/com/amazon/corretto/crypto/provider/test/SecurityPropertyTester.java
@@ -555,6 +554,7 @@ add_jar(
         tst/com/amazon/corretto/crypto/provider/test/SelfTestSuiteTest.java
         tst/com/amazon/corretto/crypto/provider/test/ServiceSelfTestMetaTest.java
         tst/com/amazon/corretto/crypto/provider/test/TestProviderInstallation.java
+        tst/com/amazon/corretto/crypto/provider/test/TestResultLogger.java
         tst/com/amazon/corretto/crypto/provider/test/TestUtil.java
         tst/com/amazon/corretto/crypto/provider/test/ThrowingRunnable.java
         tst/com/amazon/corretto/crypto/provider/test/UtilsTest.java
@@ -568,7 +568,6 @@ add_jar(
         tst/com/amazon/corretto/crypto/provider/test/AESBench.java
         tst/com/amazon/corretto/crypto/provider/test/Benchmark.java
         tst/com/amazon/corretto/crypto/provider/coverage/ReportGenerator.java
-        tst/com/amazon/corretto/crypto/provider/test/TestRunner.java
         tst/com/amazon/corretto/crypto/provider/test/RspTestEntry.java
         tst/com/amazon/corretto/crypto/provider/test/SecureRandomGenerator.java
 
@@ -589,31 +588,63 @@ add_custom_command(
 add_custom_target(tests-jar DEPENDS ${TESTS_JAR})
 set_property(TARGET tests-jar PROPERTY JAR_FILE ${TESTS_JAR})
 
+set(TEST_RUNNER_ARGUMENTS
+    -javaagent:${JACOCO_AGENT_JAR}=destfile=coverage/jacoco.exec,classdumpdir=coverage/classes
+    -Djava.library.path=$<TARGET_FILE_DIR:amazonCorrettoCryptoProvider>
+    -Dcom.amazon.corretto.crypto.provider.inTestSuite=hunter2
+    -Dtest.data.dir=${TEST_DATA_DIR}
+    -Djunit.jupiter.execution.parallel.enabled=true
+    -Djunit.jupiter.execution.parallel.mode.default=concurrent
+    -Djunit.jupiter.execution.parallel.mode.classes.default=concurrent
+    -XX:+HeapDumpOnOutOfMemoryError
+    ${TEST_JAVA_ARGS}
+    -jar ${TEST_RUNNER_JAR}
+    -cp $<TARGET_PROPERTY:accp-jar,JAR_FILE>:$<TARGET_PROPERTY:tests-jar,JAR_FILE>:${TEST_CLASSPATH}
+    --details=summary
+    --details-theme=ascii
+    --fail-if-no-tests
+)
+
+if("$ENV{ACCP_TEST_COLOR}" STREQUAL "false")
+    set(TEST_RUNNER_ARGUMENTS ${TEST_RUNNER_ARGUMENTS} --disable-ansi-colors)
+endif()
+
 ## Note: We can't use the 'test' target as it's reserved by cmake's own test subsystem.
 add_custom_target(check-junit
     COMMAND ${TEST_JAVA_EXECUTABLE}
-        -javaagent:${JACOCO_AGENT_JAR}=destfile=coverage/jacoco.exec,classdumpdir=coverage/classes
-        -cp $<TARGET_PROPERTY:accp-jar,JAR_FILE>:$<TARGET_PROPERTY:tests-jar,JAR_FILE>:${TEST_CLASSPATH}
-        -Djava.library.path=$<TARGET_FILE_DIR:amazonCorrettoCryptoProvider>
-        -Dcom.amazon.corretto.crypto.provider.inTestSuite=hunter2
-        -Dtest.data.dir=${TEST_DATA_DIR}
-        -XX:+HeapDumpOnOutOfMemoryError
-        ${TEST_JAVA_ARGS}
-        com.amazon.corretto.crypto.provider.test.TestRunner --suite unit
+        ${TEST_RUNNER_ARGUMENTS}
+        --reports-dir=unit-tests
+        --select-package=com.amazon.corretto.crypto.provider.test
+        --exclude-package=com.amazon.corretto.crypto.provider.test.integration
+        --exclude-classname=com.amazon.corretto.crypto.provider.test.SecurityManagerTest
+
+    DEPENDS accp-jar tests-jar)
+
+if (DEFINED SINGLE_TEST)
+    add_custom_target(check-junit-single
+        COMMAND ${TEST_JAVA_EXECUTABLE}
+            ${TEST_RUNNER_ARGUMENTS}
+            --select-class=${SINGLE_TEST}
+
+        DEPENDS accp-jar tests-jar)
+endif() # SINGLE_TEST
+
+add_custom_target(check-junit-SecurityManager
+    COMMAND ${TEST_JAVA_EXECUTABLE}
+        ${TEST_RUNNER_ARGUMENTS}
+        --select-class=com.amazon.corretto.crypto.provider.test.AesTest # Force loading ciphers
+        --select-class=com.amazon.corretto.crypto.provider.test.SHA1Test # Force loading digests
+        --select-class=com.amazon.corretto.crypto.provider.test.SecurityManagerTest
 
     DEPENDS accp-jar tests-jar)
 
 add_custom_target(check-junit-extra-checks
     COMMAND ${TEST_JAVA_EXECUTABLE}
-        -javaagent:${JACOCO_AGENT_JAR}=destfile=coverage/jacoco.exec,classdumpdir=coverage/classes
-        -cp $<TARGET_PROPERTY:accp-jar,JAR_FILE>:$<TARGET_PROPERTY:tests-jar,JAR_FILE>:${TEST_CLASSPATH}
-        -Djava.library.path=$<TARGET_FILE_DIR:amazonCorrettoCryptoProvider>
-        -Dcom.amazon.corretto.crypto.provider.inTestSuite=hunter2
-        -Dtest.data.dir=${TEST_DATA_DIR}
         -Dcom.amazon.corretto.crypto.provider.extrachecks=ALL
-        -XX:+HeapDumpOnOutOfMemoryError
-        ${TEST_JAVA_ARGS}
-        com.amazon.corretto.crypto.provider.test.TestRunner --suite unit
+        ${TEST_RUNNER_ARGUMENTS}
+        --select-package=com.amazon.corretto.crypto.provider.test
+        --exclude-package=com.amazon.corretto.crypto.provider.test.integration
+        --exclude-classname=com.amazon.corretto.crypto.provider.test.SecurityManagerTest
 
     DEPENDS accp-jar tests-jar)
 
@@ -666,7 +697,7 @@ add_custom_target(check-install-via-properties-with-debug
     DEPENDS accp-jar tests-jar)
 
 add_custom_target(check
-    DEPENDS check-recursive-init check-install-via-properties check-install-via-properties-with-debug check-junit)
+    DEPENDS check-recursive-init check-install-via-properties check-install-via-properties-with-debug check-junit check-junit-SecurityManager)
 
 if(ENABLE_NATIVE_TEST_HOOKS)
     if (CMAKE_SYSTEM_PROCESSOR STREQUAL "x86_64")
@@ -694,21 +725,20 @@ add_custom_target(coverage
     DEPENDS check)
 
 add_custom_target(check-integration-extra-checks
-    COMMAND ${TEST_JAVA_EXECUTABLE} -cp $<TARGET_PROPERTY:accp-jar,JAR_FILE>:$<TARGET_PROPERTY:tests-jar,JAR_FILE>:${TEST_CLASSPATH}
-        -Djava.library.path=$<TARGET_FILE_DIR:amazonCorrettoCryptoProvider>
+    COMMAND ${TEST_JAVA_EXECUTABLE}
         -Dcom.amazon.corretto.crypto.provider.extrachecks=ALL
-        ${TEST_JAVA_ARGS}
-        com.amazon.corretto.crypto.provider.test.TestRunner --suite integration
+        ${TEST_RUNNER_ARGUMENTS}
+        --select-package=com.amazon.corretto.crypto.provider.test.integration
 
     DEPENDS accp-jar tests-jar)
 
 set_target_properties(check-integration-extra-checks PROPERTIES EXCLUDE_FROM_ALL 1)
 
 add_custom_target(check-integration
-    COMMAND ${TEST_JAVA_EXECUTABLE} -cp $<TARGET_PROPERTY:accp-jar,JAR_FILE>:$<TARGET_PROPERTY:tests-jar,JAR_FILE>:${TEST_CLASSPATH}
-        -Djava.library.path=$<TARGET_FILE_DIR:amazonCorrettoCryptoProvider>
-        ${TEST_JAVA_ARGS}
-        com.amazon.corretto.crypto.provider.test.TestRunner --suite integration
+    COMMAND ${TEST_JAVA_EXECUTABLE}
+        ${TEST_RUNNER_ARGUMENTS}
+        --reports-dir=integration-tests
+        --select-package=com.amazon.corretto.crypto.provider.test.integration
 
     DEPENDS accp-jar tests-jar)
 

diff --git a/README.md b/README.md
@@ -1,7 +1,10 @@
 # Amazon Corretto Crypto Provider
 The Amazon Corretto Crypto Provider (ACCP) is a collection of high-performance cryptographic implementations exposed via the standard [JCA/JCE](https://docs.oracle.com/en/java/javase/11/security/java-cryptography-architecture-jca-reference-guide.html) interfaces.
 This means that it can be used as a drop in replacement for many different Java applications.
-Currently algorithms are primarily backed by OpenSSL's implementations (1.1.1f as of ACCP 1.4.0) but this may change in the future.
+Currently algorithms are primarily backed by OpenSSL's implementations (1.1.1g as of ACCP 1.5.0) but this may change in the future.
+
+[Security issue notifications](./CONTRIBUTING.md#security-issue-notifications)
+
 
 ## Build Status
 Please be aware that "Overkill" tests are known to be flakey