diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ee78299eb..b76b89570 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,11 +4,6 @@ updates: directory: "/" schedule: interval: "daily" - - package-ecosystem: "maven" - directory: "/" - schedule: - interval: "daily" - target-branch: "mainline-1.x" - package-ecosystem: "github-actions" directory: "/" schedule: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 000000000..85fcb3d78 --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,112 @@
+name: AWS CodeBuild CI
+on:
+ pull_request:
+ push:
+ schedule:
+ - cron: "0 0 * * *" # Daily at 00:00 UTC (4 PM PDT)
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ staticAnalysis:
+ name: Static Analysis
+ runs-on: ubuntu-latest
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 3600
+ - name: Run Static Analysis
+ uses: aws-actions/aws-codebuild-run-build@v1
+ timeout-minutes: 60
+ with:
+ project-name: AWS-ESDK-Java-CI
+ buildspec-override: codebuild/ci/static-analysis.yml
+ compute-type-override: BUILD_GENERAL1_MEDIUM
+ image-override: aws/codebuild/amazonlinux2-x86_64-standard:3.0
+ vectorTests:
+ name: Vector Tests
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: true
+ matrix:
+ platform:
+ - distribution: openjdk
+ image: "aws/codebuild/standard:3.0"
+ - distribution: corretto
+ image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" # Corretto only runs on AL2
+ version: [ 8, 11 ]
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 3600
+ - name: Vector Tests ${{ matrix.platform.distribution }}${{ matrix.version }}
+ uses: aws-actions/aws-codebuild-run-build@v1
+ timeout-minutes: 60
+ with:
+ project-name: AWS-ESDK-Java-CI
+ buildspec-override: codebuild/ci/vectors-ci.yml
+ compute-type-override: BUILD_GENERAL1_LARGE
+ image-override: ${{ matrix.platform.image }}
+ env-vars-for-codebuild: JAVA_ENV_VERSION
+ env:
+ JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
+ releaseCI:
+ name: Release CI
+ runs-on: ubuntu-latest
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 3600
+ - name: Release CI
+ uses: aws-actions/aws-codebuild-run-build@v1
+ timeout-minutes: 60
+ with:
+ project-name: AWS-ESDK-Java-CI
+ buildspec-override: codebuild/ci/release-ci.yml
+ compute-type-override: BUILD_GENERAL1_LARGE
+ image-override: aws/codebuild/standard:3.0
+ validateCI:
+ name: Validate CI
+ runs-on: ubuntu-latest
+ needs: releaseCI
+ strategy:
+ fail-fast: true
+ matrix:
+ platform:
+ - distribution: openjdk
+ image: "aws/codebuild/standard:3.0"
+ - distribution: corretto
+ image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0" # Corretto only runs on AL2
+ version: [ 8, 11 ]
+ steps:
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.CI_AWS_ROLE_ARN }}
+ aws-region: us-west-2
+ role-duration-seconds: 3600
+ - name: Validate CI ${{ matrix.platform.distribution }}${{ matrix.version }}
+ uses: aws-actions/aws-codebuild-run-build@v1
+ timeout-minutes: 60
+ with:
+ project-name: AWS-ESDK-Java-CI
+ buildspec-override: codebuild/ci/validate-ci.yml
+ compute-type-override: BUILD_GENERAL1_MEDIUM
+ image-override: ${{ matrix.platform.image }}
+ env-vars-for-codebuild: |
+ JAVA_ENV_VERSION,
+ JAVA_NUMERIC_VERSION
+ env:
+ JAVA_ENV_VERSION: ${{ matrix.platform.distribution }}${{ matrix.version }}
+ JAVA_NUMERIC_VERSION: ${{ matrix.version }}
diff --git a/.github/workflows/repo-sync.yml b/.github/workflows/repo-sync.yml index b76053544..6b1c6be3e 100644 --- a/.github/workflows/repo-sync.yml +++ b/.github/workflows/repo-sync.yml @@ -9,7 +9,7 @@ jobs: environment: repo-sync runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v3 - uses: repo-sync/github-sync@v2 name: Sync repo to branch with: diff --git a/CHANGELOG.md b/CHANGELOG.md index 06bc7ddfe..b6db345cc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
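Review bot: Every job in the new `.github/workflows/ci.yml` references its actions by mutable tag (`aws-actions/configure-aws-credentials@v2`, `aws-actions/aws-codebuild-run-build@v1`) while the workflow grants `id-token: write` and assumes `secrets.CI_AWS_ROLE_ARN`, so a moved tag would change the code that runs with the CI role's session. Pinning each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v2`, makes the reference immutable and still lets the `github-actions` Dependabot entry propose updates. Separately, the cron comment is off by an hour: 00:00 UTC is 4 PM PST but 5 PM PDT, so `# Daily at 00:00 UTC (4 PM PST / 5 PM PDT)` would be accurate.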
@@ -1,5 +1,104 @@ # Changelog +## [2.4.1](https://github.com/aws/aws-encryption-sdk-java/compare/v2.4.0...v2.4.1) (2023-08-09) + + +### Fixes + +* **ci:** Quote commit statement to prevent errant YAML parsing ([#581](https://github.com/aws/aws-encryption-sdk-java/issues/581)) ([2166f2d](https://github.com/aws/aws-encryption-sdk-java/commit/2166f2d49c2d80e90778b66e8189a23d55608265)) +* Fix errors in the example code in README.md ([#1306](https://github.com/aws/aws-encryption-sdk-java/issues/1306)) ([b3f5b00](https://github.com/aws/aws-encryption-sdk-java/commit/b3f5b0021efeeee507c5bd3bcf2b8ec1720acfc4)) +* NOTICE.txt ([#1617](https://github.com/aws/aws-encryption-sdk-java/issues/1617)) ([6dbf436](https://github.com/aws/aws-encryption-sdk-java/commit/6dbf436b026e289f0de7b484ff807b0c496b6ef3)) + + +### Maintenance + +* **ci:** add missing @Test annotation ([#1333](https://github.com/aws/aws-encryption-sdk-java/issues/1333)) ([3f289ac](https://github.com/aws/aws-encryption-sdk-java/commit/3f289ac6b8e2f29a2e1101747bf933027af6287f)) +* **CommitmentPolicy:** Detail Commitment Policy on Enum ([#913](https://github.com/aws/aws-encryption-sdk-java/issues/913)) ([753bf7d](https://github.com/aws/aws-encryption-sdk-java/commit/753bf7dea8971bf5ca09b5512a6eb06da4eafcc7)) +* **deps-dev:** bump junit-jupiter-api from 5.8.2 to 5.9.0 ([#1022](https://github.com/aws/aws-encryption-sdk-java/issues/1022)) ([3706959](https://github.com/aws/aws-encryption-sdk-java/commit/3706959c8730058ea0d567798ab21f4201e4be76)) +* **deps-dev:** bump junit-jupiter-api from 5.9.0 to 5.9.1 ([#1073](https://github.com/aws/aws-encryption-sdk-java/issues/1073)) ([a85666c](https://github.com/aws/aws-encryption-sdk-java/commit/a85666c348ca8f329e588989f4154dedbce53486)) +* **deps-dev:** bump junit-jupiter-api from 5.9.1 to 5.9.2 ([#1313](https://github.com/aws/aws-encryption-sdk-java/issues/1313)) ([1466784](https://github.com/aws/aws-encryption-sdk-java/commit/14667842311da250ad98a74e8143a44cda886823)) +* 
**deps-dev:** bump junit-vintage-engine from 5.8.2 to 5.9.0 ([#1050](https://github.com/aws/aws-encryption-sdk-java/issues/1050)) ([4a1222c](https://github.com/aws/aws-encryption-sdk-java/commit/4a1222c8fb8beb64be98e9cad5a5db903e0679b8)) +* **deps-dev:** bump junit-vintage-engine from 5.9.0 to 5.9.1 ([#1074](https://github.com/aws/aws-encryption-sdk-java/issues/1074)) ([55746cf](https://github.com/aws/aws-encryption-sdk-java/commit/55746cf2e86c34a04e3d8311e689de6171ed8681)) +* **deps-dev:** bump junit-vintage-engine from 5.9.1 to 5.9.3 ([#1550](https://github.com/aws/aws-encryption-sdk-java/issues/1550)) ([14b6766](https://github.com/aws/aws-encryption-sdk-java/commit/14b6766b23c18ca59fd8309ca3d60d91ea977e91)) +* **deps-dev:** bump mockito-core from 4.10.0 to 4.11.0 ([#1283](https://github.com/aws/aws-encryption-sdk-java/issues/1283)) ([5311392](https://github.com/aws/aws-encryption-sdk-java/commit/53113926a6af4f8537a705f21a654dd34c8a509b)) +* **deps-dev:** bump mockito-core from 4.3.1 to 4.4.0 ([#625](https://github.com/aws/aws-encryption-sdk-java/issues/625)) ([3e6edf3](https://github.com/aws/aws-encryption-sdk-java/commit/3e6edf3de6e59c995b9ce7b7ef7164bbe24706a1)) +* **deps-dev:** bump mockito-core from 4.4.0 to 4.6.1 ([#918](https://github.com/aws/aws-encryption-sdk-java/issues/918)) ([bf7978b](https://github.com/aws/aws-encryption-sdk-java/commit/bf7978b23e16b706686e33c9696ac17232e0ef78)) +* **deps-dev:** bump mockito-core from 4.6.1 to 4.8.0 ([#1055](https://github.com/aws/aws-encryption-sdk-java/issues/1055)) ([d47e1de](https://github.com/aws/aws-encryption-sdk-java/commit/d47e1de49bab2d13dd146a67b988803b7f73303f)) +* **deps-dev:** bump mockito-core from 4.8.0 to 4.8.1 ([#1147](https://github.com/aws/aws-encryption-sdk-java/issues/1147)) ([e2a0f52](https://github.com/aws/aws-encryption-sdk-java/commit/e2a0f52493bf1edaa8d6ca03a2e14a66273c3f03)) +* **deps-dev:** bump mockito-core from 4.8.1 to 4.9.0 
([#1194](https://github.com/aws/aws-encryption-sdk-java/issues/1194)) ([28c2e71](https://github.com/aws/aws-encryption-sdk-java/commit/28c2e7101c1ba5581c43e3074bf932cce103cb55)) +* **deps-dev:** bump mockito-core from 4.9.0 to 4.10.0 ([#1254](https://github.com/aws/aws-encryption-sdk-java/issues/1254)) ([07e2ed2](https://github.com/aws/aws-encryption-sdk-java/commit/07e2ed2a0c525429698f247cc880db730e745aca)) +* **deps:** bump actions/checkout from 2 to 3 ([#558](https://github.com/aws/aws-encryption-sdk-java/issues/558)) ([6652268](https://github.com/aws/aws-encryption-sdk-java/commit/66522687d6e74791a33a29d3a70727c6a604cd33)) +* **deps:** bump aws-actions/configure-aws-credentials from 1 to 2 ([#1437](https://github.com/aws/aws-encryption-sdk-java/issues/1437)) ([91a5811](https://github.com/aws/aws-encryption-sdk-java/commit/91a5811e4ef14b9abbf2e12d6d8f615ec6bb84a4)) +* **deps:** bump aws-java-sdk from 1.12.162 to 1.12.186 ([#629](https://github.com/aws/aws-encryption-sdk-java/issues/629)) ([ec38abe](https://github.com/aws/aws-encryption-sdk-java/commit/ec38abe2aea13be02b5c0e666efb58d44ce65ff1)) +* **deps:** bump aws-java-sdk from 1.12.186 to 1.12.256 ([#920](https://github.com/aws/aws-encryption-sdk-java/issues/920)) ([ef4126b](https://github.com/aws/aws-encryption-sdk-java/commit/ef4126b8b4384a4e4ba70db2bc89520dbe85030f)) +* **deps:** bump aws-java-sdk from 1.12.256 to 1.12.299 ([#1047](https://github.com/aws/aws-encryption-sdk-java/issues/1047)) ([fdf0a6d](https://github.com/aws/aws-encryption-sdk-java/commit/fdf0a6d7338882e35f1a1297c203320817effce1)) +* **deps:** bump aws-java-sdk from 1.12.299 to 1.12.301 ([#1053](https://github.com/aws/aws-encryption-sdk-java/issues/1053)) ([718b3a2](https://github.com/aws/aws-encryption-sdk-java/commit/718b3a2abc2678e998100c05a060358e45ae50cc)) +* **deps:** bump aws-java-sdk from 1.12.301 to 1.12.303 ([#1059](https://github.com/aws/aws-encryption-sdk-java/issues/1059)) 
([970e9db](https://github.com/aws/aws-encryption-sdk-java/commit/970e9db0689170ade369084c8cb66e2a16c54f33)) +* **deps:** bump aws-java-sdk from 1.12.303 to 1.12.304 ([#1063](https://github.com/aws/aws-encryption-sdk-java/issues/1063)) ([e8471dc](https://github.com/aws/aws-encryption-sdk-java/commit/e8471dc57f6cfbd0ec79df31261dd9b541d53c42)) +* **deps:** bump aws-java-sdk from 1.12.304 to 1.12.305 ([#1066](https://github.com/aws/aws-encryption-sdk-java/issues/1066)) ([5bc4b3b](https://github.com/aws/aws-encryption-sdk-java/commit/5bc4b3b5f18c6326bcb0cd4899aeb73b919a1e1c)) +* **deps:** bump aws-java-sdk from 1.12.305 to 1.12.306 ([#1071](https://github.com/aws/aws-encryption-sdk-java/issues/1071)) ([93c8314](https://github.com/aws/aws-encryption-sdk-java/commit/93c8314117a7907bc6015385dcb42dc72129e179)) +* **deps:** bump aws-java-sdk from 1.12.306 to 1.12.307 ([#1076](https://github.com/aws/aws-encryption-sdk-java/issues/1076)) ([88f85f4](https://github.com/aws/aws-encryption-sdk-java/commit/88f85f4427461041916000b1c50ccb8aaf1692df)) +* **deps:** bump aws-java-sdk from 1.12.307 to 1.12.308 ([#1081](https://github.com/aws/aws-encryption-sdk-java/issues/1081)) ([53345b8](https://github.com/aws/aws-encryption-sdk-java/commit/53345b8979bd31f1ce7183621ec1cc2375095e87)) +* **deps:** bump aws-java-sdk from 1.12.308 to 1.12.309 ([#1085](https://github.com/aws/aws-encryption-sdk-java/issues/1085)) ([658f9e9](https://github.com/aws/aws-encryption-sdk-java/commit/658f9e9e5d408a2b8df9ad00e373af4e5d0854ef)) +* **deps:** bump aws-java-sdk from 1.12.309 to 1.12.318 ([#1121](https://github.com/aws/aws-encryption-sdk-java/issues/1121)) ([18443d4](https://github.com/aws/aws-encryption-sdk-java/commit/18443d47b416b34dc8f634107b0dfef86ca881c7)) +* **deps:** bump aws-java-sdk from 1.12.318 to 1.12.319 ([#1124](https://github.com/aws/aws-encryption-sdk-java/issues/1124)) ([624c592](https://github.com/aws/aws-encryption-sdk-java/commit/624c592e76ae358b216381ec22b509a6b63dfbe0)) +* 
**deps:** bump aws-java-sdk from 1.12.319 to 1.12.323 ([#1138](https://github.com/aws/aws-encryption-sdk-java/issues/1138)) ([74b3dd3](https://github.com/aws/aws-encryption-sdk-java/commit/74b3dd325f52818f249c40b54c119b8708c808d8)) +* **deps:** bump aws-java-sdk from 1.12.323 to 1.12.335 ([#1173](https://github.com/aws/aws-encryption-sdk-java/issues/1173)) ([b8b0d53](https://github.com/aws/aws-encryption-sdk-java/commit/b8b0d5305ddf714105db1e258da25ad3973f2b13)) +* **deps:** bump aws-java-sdk from 1.12.335 to 1.12.337 ([#1176](https://github.com/aws/aws-encryption-sdk-java/issues/1176)) ([fa92676](https://github.com/aws/aws-encryption-sdk-java/commit/fa92676118ec1d5f8db97de0521bc34f0bd5b0ff)) +* **deps:** bump aws-java-sdk from 1.12.337 to 1.12.350 ([#1220](https://github.com/aws/aws-encryption-sdk-java/issues/1220)) ([35235a0](https://github.com/aws/aws-encryption-sdk-java/commit/35235a00b4ec12b9fae9a6ab76b8adb355a58ae3)) +* **deps:** bump aws-java-sdk from 1.12.350 to 1.12.366 ([#1259](https://github.com/aws/aws-encryption-sdk-java/issues/1259)) ([456a4ad](https://github.com/aws/aws-encryption-sdk-java/commit/456a4addd8c665ac68af09fec5216c01bb684f29)) +* **deps:** bump aws-java-sdk from 1.12.366 to 1.12.381 ([#1308](https://github.com/aws/aws-encryption-sdk-java/issues/1308)) ([80ed0a6](https://github.com/aws/aws-encryption-sdk-java/commit/80ed0a6f2277e1bf86b65fff55b073839f404d7e)) +* **deps:** bump aws-java-sdk from 1.12.381 to 1.12.394 ([#1351](https://github.com/aws/aws-encryption-sdk-java/issues/1351)) ([0445b9e](https://github.com/aws/aws-encryption-sdk-java/commit/0445b9e8fc16193a7e7f0b6a09f8a08dbec75094)) +* **deps:** bump BouncyCastle from 1.72 to 1.75 ([#1670](https://github.com/aws/aws-encryption-sdk-java/issues/1670)) ([61b6260](https://github.com/aws/aws-encryption-sdk-java/commit/61b6260e1df17507cd4cb01a8a7d08b05d8fd745)) +* **deps:** bump jacoco-maven-plugin from 0.8.7 to 0.8.8 ([#655](https://github.com/aws/aws-encryption-sdk-java/issues/655)) 
([802946a](https://github.com/aws/aws-encryption-sdk-java/commit/802946a172fb538ffeb080b8efd0442d9717cee0)) +* **deps:** bump kms from 2.17.136 to 2.17.226 ([#916](https://github.com/aws/aws-encryption-sdk-java/issues/916)) ([6a4011e](https://github.com/aws/aws-encryption-sdk-java/commit/6a4011e7e36e5348f91c4a38d5ca7ef3f4792749)) +* **deps:** bump kms from 2.17.226 to 2.17.259 ([#1020](https://github.com/aws/aws-encryption-sdk-java/issues/1020)) ([6fc33b7](https://github.com/aws/aws-encryption-sdk-java/commit/6fc33b7a937164897336b12108a4a6ae751c5130)) +* **deps:** bump kms from 2.17.259 to 2.17.273 ([#1054](https://github.com/aws/aws-encryption-sdk-java/issues/1054)) ([d87cf16](https://github.com/aws/aws-encryption-sdk-java/commit/d87cf16813d8fe401c992cf03c8643a06723bae1)) +* **deps:** bump kms from 2.17.273 to 2.17.274 ([#1058](https://github.com/aws/aws-encryption-sdk-java/issues/1058)) ([4ab03c4](https://github.com/aws/aws-encryption-sdk-java/commit/4ab03c494c0981e9130c283243b8f8fbd8fb182a)) +* **deps:** bump kms from 2.17.274 to 2.17.275 ([#1062](https://github.com/aws/aws-encryption-sdk-java/issues/1062)) ([5a70da4](https://github.com/aws/aws-encryption-sdk-java/commit/5a70da4cb1c1c8496bdde602fc9da6cc1cf08742)) +* **deps:** bump kms from 2.17.275 to 2.17.276 ([#1065](https://github.com/aws/aws-encryption-sdk-java/issues/1065)) ([a3d1fae](https://github.com/aws/aws-encryption-sdk-java/commit/a3d1fae210285f3d32123b4ef08c489b42f9ddf2)) +* **deps:** bump kms from 2.17.276 to 2.17.277 ([#1070](https://github.com/aws/aws-encryption-sdk-java/issues/1070)) ([7ca5c11](https://github.com/aws/aws-encryption-sdk-java/commit/7ca5c11d4b18d79f83ec0ed88e9d32c5431cd8b1)) +* **deps:** bump kms from 2.17.277 to 2.17.278 ([#1075](https://github.com/aws/aws-encryption-sdk-java/issues/1075)) ([cbac0a3](https://github.com/aws/aws-encryption-sdk-java/commit/cbac0a393ba08262fe4ca515608c2f8479464b98)) +* **deps:** bump kms from 2.17.278 to 2.17.279 
([#1080](https://github.com/aws/aws-encryption-sdk-java/issues/1080)) ([558b2f4](https://github.com/aws/aws-encryption-sdk-java/commit/558b2f449c1d9904ff76615253c288ecd429f1eb)) +* **deps:** bump kms from 2.17.279 to 2.17.280 ([#1086](https://github.com/aws/aws-encryption-sdk-java/issues/1086)) ([29774ad](https://github.com/aws/aws-encryption-sdk-java/commit/29774ade298282dcac668c3afb622e6ec06fe4ab)) +* **deps:** bump kms from 2.17.280 to 2.17.288 ([#1118](https://github.com/aws/aws-encryption-sdk-java/issues/1118)) ([8d94a69](https://github.com/aws/aws-encryption-sdk-java/commit/8d94a6981838c5e01b3c1626c681e64991f35994)) +* **deps:** bump kms from 2.17.288 to 2.17.289 ([#1122](https://github.com/aws/aws-encryption-sdk-java/issues/1122)) ([d09ff99](https://github.com/aws/aws-encryption-sdk-java/commit/d09ff99714f906b46b224a4747d1c6d96b682b91)) +* **deps:** bump kms from 2.17.289 to 2.17.292 ([ff69200](https://github.com/aws/aws-encryption-sdk-java/commit/ff692006dc6ea7c5d19de6c2b93f7c1392abf95f)) +* **deps:** bump kms from 2.17.292 to 2.18.8 ([#1167](https://github.com/aws/aws-encryption-sdk-java/issues/1167)) ([fa16a2d](https://github.com/aws/aws-encryption-sdk-java/commit/fa16a2d15876a91ac59d2c45efcb3ee6e7e2f68f)) +* **deps:** bump kms from 2.18.12 to 2.18.38 ([#1252](https://github.com/aws/aws-encryption-sdk-java/issues/1252)) ([e35cf06](https://github.com/aws/aws-encryption-sdk-java/commit/e35cf06277cd4dea359ecabb96ec3a160b9a3c31)) +* **deps:** bump kms from 2.18.8 to 2.18.12 ([#1177](https://github.com/aws/aws-encryption-sdk-java/issues/1177)) ([f514633](https://github.com/aws/aws-encryption-sdk-java/commit/f514633f91ecf2df39f90e0bbcd7469097ca79ca)) +* **deps:** bump maven-compiler-plugin from 3.9.0 to 3.10.1 ([#582](https://github.com/aws/aws-encryption-sdk-java/issues/582)) ([9e24357](https://github.com/aws/aws-encryption-sdk-java/commit/9e243579269df1f3d08769abc8b11c3354e4400c)) +* **deps:** bump maven-javadoc-plugin from 3.3.1 to 3.3.2 
([#525](https://github.com/aws/aws-encryption-sdk-java/issues/525)) ([8489bd6](https://github.com/aws/aws-encryption-sdk-java/commit/8489bd6d7accf7d48d2070873fe6daefad77ca8c)) +* **deps:** bump maven-javadoc-plugin from 3.3.2 to 3.4.1 ([#998](https://github.com/aws/aws-encryption-sdk-java/issues/998)) ([44be313](https://github.com/aws/aws-encryption-sdk-java/commit/44be313eeb13236b376975290fb52a5583f21941)) +* **deps:** bump maven-surefire-plugin from 2.22.2 to 3.1.2 ([#1632](https://github.com/aws/aws-encryption-sdk-java/issues/1632)) ([ea0a848](https://github.com/aws/aws-encryption-sdk-java/commit/ea0a848c1f2e3ad42f2be7d67add9b33cafa7f4f)) +* **deps:** bump nexus-staging-maven-plugin from 1.6.12 to 1.6.13 ([#704](https://github.com/aws/aws-encryption-sdk-java/issues/704)) ([15fab9f](https://github.com/aws/aws-encryption-sdk-java/commit/15fab9fafc5ccc9e689775db3075690f9869e513)) +* **deps:** bump software.amazon.awssdk:bom from 2.17.136 to 2.17.228 ([#925](https://github.com/aws/aws-encryption-sdk-java/issues/925)) ([ae52cef](https://github.com/aws/aws-encryption-sdk-java/commit/ae52cef6b55f753b2d6ca0909e30972ca59176d6)) +* **deps:** bump software.amazon.awssdk:bom from 2.17.228 to 2.17.273 ([#1056](https://github.com/aws/aws-encryption-sdk-java/issues/1056)) ([e40651c](https://github.com/aws/aws-encryption-sdk-java/commit/e40651c24599ff505a0f9925063e486d5bf55af7)) +* **deps:** bump software.amazon.awssdk:bom from 2.17.273 to 2.17.274 ([#1057](https://github.com/aws/aws-encryption-sdk-java/issues/1057)) ([35f38bd](https://github.com/aws/aws-encryption-sdk-java/commit/35f38bd85df2d919cdb40acb730380158d3fca86)) +* **deps:** bump software.amazon.awssdk:bom from 2.17.274 to 2.17.275 ([#1061](https://github.com/aws/aws-encryption-sdk-java/issues/1061)) ([18c8172](https://github.com/aws/aws-encryption-sdk-java/commit/18c8172f83c63f539c4ebd2db29be694e79d6499)) +* **deps:** bump software.amazon.awssdk:bom from 2.17.275 to 2.17.276 
([#1067](https://github.com/aws/aws-encryption-sdk-java/issues/1067)) ([efd340d](https://github.com/aws/aws-encryption-sdk-java/commit/efd340d713f7a1979d4d5f2f7e790a7ec15aabb1)) +* **deps:** bump software.amazon.awssdk:bom from 2.17.276 to 2.17.277 ([#1069](https://github.com/aws/aws-encryption-sdk-java/issues/1069)) ([5721a81](https://github.com/aws/aws-encryption-sdk-java/commit/5721a8172fa62564530ec9d000372f0719269858)) +* **deps:** bump software.amazon.awssdk:bom from 2.17.277 to 2.17.278 ([#1077](https://github.com/aws/aws-encryption-sdk-java/issues/1077)) ([49b867e](https://github.com/aws/aws-encryption-sdk-java/commit/49b867eea38e218906fa1467a896d4d1e800a1e2)) +* **deps:** bump software.amazon.awssdk:bom from 2.17.278 to 2.17.280 ([#1084](https://github.com/aws/aws-encryption-sdk-java/issues/1084)) ([cb2a92f](https://github.com/aws/aws-encryption-sdk-java/commit/cb2a92f728a833270f8ca0c8199c2ff270718b78)) +* **deps:** bump software.amazon.awssdk:bom from 2.17.280 to 2.17.288 ([#1116](https://github.com/aws/aws-encryption-sdk-java/issues/1116)) ([7ff4e14](https://github.com/aws/aws-encryption-sdk-java/commit/7ff4e14ff07156dd82c374af9ef16906b2e7d6a8)) +* **deps:** bump software.amazon.awssdk:bom from 2.17.288 to 2.17.292 ([98236cd](https://github.com/aws/aws-encryption-sdk-java/commit/98236cd4ceb51d2dd3c0e62e08a1366a15a3f462)) +* **deps:** bump software.amazon.awssdk:bom from 2.17.292 to 2.18.1 ([#1148](https://github.com/aws/aws-encryption-sdk-java/issues/1148)) ([f7f6088](https://github.com/aws/aws-encryption-sdk-java/commit/f7f6088285eefe1ba513ac7c4eeab1b966e96155)) +* **deps:** bump software.amazon.awssdk:bom from 2.18.1 to 2.18.8 ([#1168](https://github.com/aws/aws-encryption-sdk-java/issues/1168)) ([12e5383](https://github.com/aws/aws-encryption-sdk-java/commit/12e53837dddd098cadeebf31e0f19124d6b4f93f)) +* **deps:** bump software.amazon.awssdk:bom from 2.18.12 to 2.18.38 ([#1251](https://github.com/aws/aws-encryption-sdk-java/issues/1251)) 
([6593b98](https://github.com/aws/aws-encryption-sdk-java/commit/6593b983c42b749b2ceed64901f81ca92f32d172)) +* **deps:** bump software.amazon.awssdk:bom from 2.18.38 to 2.19.11 ([#1299](https://github.com/aws/aws-encryption-sdk-java/issues/1299)) ([cd08a3b](https://github.com/aws/aws-encryption-sdk-java/commit/cd08a3ba01ade863bd75f65dbcadb2c852b91b83)) +* **deps:** bump software.amazon.awssdk:bom from 2.18.8 to 2.18.12 ([#1178](https://github.com/aws/aws-encryption-sdk-java/issues/1178)) ([03bc7bd](https://github.com/aws/aws-encryption-sdk-java/commit/03bc7bd08c8f50f170c754e2dd802cf538a01394)) +* **deps:** bump software.amazon.awssdk:bom from 2.19.11 to 2.19.26 ([#1354](https://github.com/aws/aws-encryption-sdk-java/issues/1354)) ([7ee7f55](https://github.com/aws/aws-encryption-sdk-java/commit/7ee7f55691251c207f9667a0da899b98b4f07149)) +* **deps:** bump software.amazon.awssdk:bom from 2.19.26 to 2.20.91 ([#1667](https://github.com/aws/aws-encryption-sdk-java/issues/1667)) ([2b5f92a](https://github.com/aws/aws-encryption-sdk-java/commit/2b5f92a68d3e5304ee0fda75541c03f797b8a78f)) +* Detail AWS SDK v2 support ([#835](https://github.com/aws/aws-encryption-sdk-java/issues/835)) ([5705e1f](https://github.com/aws/aws-encryption-sdk-java/commit/5705e1f2aaa8def520b2ea73a7dd50c845cf6ed9)) +* Fix re-run CI workflows ([#1219](https://github.com/aws/aws-encryption-sdk-java/issues/1219)) ([3bec521](https://github.com/aws/aws-encryption-sdk-java/commit/3bec521ba0bf6cb8a91c1a585d3b7b6a355d095c)) +* remove mainline-1.x from dependabot ([#1120](https://github.com/aws/aws-encryption-sdk-java/issues/1120)) ([3956822](https://github.com/aws/aws-encryption-sdk-java/commit/3956822018126c03158cf7b6d9f8ea18ebee990a)) +* Run CodeBuild CI from Github Actions ([#1213](https://github.com/aws/aws-encryption-sdk-java/issues/1213)) ([ba726b5](https://github.com/aws/aws-encryption-sdk-java/commit/ba726b5037cad31c94a1e1f4fbcd53786c446d2b)) +* **SupportPolicy:** Mark 1.x End-of-Support 
([#1026](https://github.com/aws/aws-encryption-sdk-java/issues/1026)) ([ff93eab](https://github.com/aws/aws-encryption-sdk-java/commit/ff93eab16c8059d0e6f11f0719cf5cb5e65050b9)) +* Update `org.bouncycastle` to `bcprov-ext-jdk18on` ([#1572](https://github.com/aws/aws-encryption-sdk-java/issues/1572)) ([c56aff3](https://github.com/aws/aws-encryption-sdk-java/commit/c56aff30471899460a7821ae97e3869b22a24612)) +* update node version in versioning cb step ([#1712](https://github.com/aws/aws-encryption-sdk-java/issues/1712)) ([a34e0ad](https://github.com/aws/aws-encryption-sdk-java/commit/a34e0add6f900575f399f332a44f573e6884a615)) +* use correct signing key for release ([#928](https://github.com/aws/aws-encryption-sdk-java/issues/928)) ([86332e4](https://github.com/aws/aws-encryption-sdk-java/commit/86332e4b895bf0cdeef0570974e5d3707db0643c)) +* use new signing keys for ci ([#840](https://github.com/aws/aws-encryption-sdk-java/issues/840)) ([6043417](https://github.com/aws/aws-encryption-sdk-java/commit/60434173026c3f6a6e268124bfebcf308d78cf2c)) + ## [2.4.0](https://github.com/aws/aws-encryption-sdk-java/compare/v2.3.3...v2.4.0) (2022-03-09) diff --git a/NOTICE.txt b/NOTICE.txt index 45ed0c46c..5d10548fb 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -1,4 +1,4 @@ -AWS KMS Encryption Client SDK +AWS Encryption SDK Copyright 2015 Amazon.com, Inc. or its affiliates. All Rights Reserved. THIRD PARTY COMPONENTS diff --git a/README.md b/README.md index 587099702..a25a7f7ff 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ For more details about the design and architecture of the AWS Encryption SDK, se [Security issue notifications](./CONTRIBUTING.md#security-issue-notifications) -See [Support Policy](./SUPPORT_POLICY.rst) for for details on the current support status of all major versions of this library. +See [Support Policy](./SUPPORT_POLICY.rst) for details on the current support status of all major versions of this library. ## Getting Started 
@@ -29,7 +29,7 @@ To use the AWS Encryption SDK for Java you must have: [Java Cryptography Architecture (JCA) Reference Guide](https://docs.oracle.com/javase/9/security/java-cryptography-architecture-jca-reference-guide.htm#JSSEC-GUID-2BCFDD85-D533-4E6C-8CE9-29990DEB0190). If you do not have Bouncy Castle, go to https://bouncycastle.org/latest_releases.html, then download the provider file that corresponds to your JDK. - Or, you can pick it up from Maven (groupId: `org.bouncycastle`, artifactId: `bcprov-ext-jdk15on`). + Or, you can pick it up from Maven (groupId: `org.bouncycastle`, artifactId: `bcprov-ext-jdk18on`). Beginning in version 1.6.1, the AWS Encryption SDK for Java also works with Bouncy Castle FIPS (groupId: `org.bouncycastle`, artifactId: `bc-fips`) as an alternative to non-FIPS Bouncy Castle. For help installing and configuring Bouncy Castle FIPS, see [BC FIPS documentation](https://www.bouncycastle.org/documentation.html), in particular, **User Guides** and **Security Policy**. 
@@ -37,12 +37,14 @@ To use the AWS Encryption SDK for Java you must have: ### Optional Prerequisites #### AWS Integration -You don't need an Amazon Web Services (AWS) account to use the AWS Encryption SDK, but some of the [example code][examples] require an AWS account, an AWS KMS key, and the AWS SDK for Java 1.x. (The AWS Encryption SDK for Java does not support the AWS SDK for Java 2.x.) +You don't need an Amazon Web Services (AWS) account to use the AWS Encryption SDK, but some [example code][examples] require an AWS account, an AWS KMS key, and the AWS SDK for Java (either 1.x or 2.x). Note that the `KmsAsyncClient` is not supported, only the synchronous client. * **To create an AWS account**, go to [Sign In or Create an AWS Account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) and then choose **I am a new user.** Follow the instructions to create an AWS account. * **To create a symmetric encryption KMS key in AWS KMS**, see [Creating Keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html). +* **To download and install the AWS SDK for Java 2.x**, see [Installing the AWS SDK for Java 2.x](https://docs.aws.amazon.com/sdk-for-java/v2/developer-guide/getting-started.html). + * **To download and install the AWS SDK for Java 1.x**, see [Installing the AWS SDK for Java 1.x](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/getting-started.html). #### Amazon Corretto Crypto Provider @@ -56,7 +58,7 @@ You can get the latest release from Maven: com.amazonaws aws-encryption-sdk-java - 2.4.0 + 2.4.1 ``` 
@@ -120,12 +122,12 @@ public class StringExample { // The AWS Encryption SDK may add information to the encryption context, so check to // ensure all of the values that you specified when encrypting are *included* in the returned encryption context. - if (!context.entrySet().stream + if (!context.entrySet().stream() .allMatch( e -> e.getValue().equals(decryptResult.getEncryptionContext().get(e.getKey())))) { throw new IllegalStateException("Wrong Encryption Context!"); } - assert Arrays.equals(decryptResult.getResult(), data.getBytes(StandardCharsets.UTF_8)); + assert Arrays.equals(decryptResult.getResult(), plaintext.getBytes(StandardCharsets.UTF_8)); // The data is correct, so return it. System.out.println("Decrypted: " + new String(decryptResult.getResult(), StandardCharsets.UTF_8)); @@ -133,7 +135,7 @@ public class StringExample { } ``` -You can find more examples in the [examples directory][examples]. +You can find more examples in the [example directory][examples]. ## Public API diff --git a/SUPPORT_POLICY.rst b/SUPPORT_POLICY.rst index a651f13a9..42dd3c360 100644 --- a/SUPPORT_POLICY.rst +++ b/SUPPORT_POLICY.rst @@ -22,9 +22,9 @@ This table describes the current support status of each major version of the AWS - Next status - Next status date * - 1.x - - Maintenance - End of Support - - 2022-07-08 + - + - * - 2.x - Generally Available - diff --git a/cfn/ci_cd.yml b/cfn/ci_cd.yml index c49c2de33..73331d03b 100644 --- a/cfn/ci_cd.yml +++ b/cfn/ci_cd.yml @@ -44,16 +44,10 @@ Resources: BuildSpec: codebuild/ci/ci.yml GitCloneDepth: 1 GitSubmodulesConfig: - FetchSubmodules: false + FetchSubmodules: true InsecureSsl: false ReportBuildStatus: false Type: GITHUB - Triggers: - BuildType: BUILD_BATCH - Webhook: true - FilterGroups: - - - Type: EVENT - Pattern: PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED Artifacts: Type: NO_ARTIFACTS Cache: 
@@ -93,7 +87,9 @@ Resources: Source: Location: !Ref SourceLocation BuildSpec: codebuild/release/release.yml - GitCloneDepth: 1 + ## https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-codebuild-project-source.html#cfn-codebuild-project-source-gitclonedepth + ## If this value is 0, greater than 25, or not provided then the full history is downloaded with each build project. + GitCloneDepth: 0 GitSubmodulesConfig: FetchSubmodules: false InsecureSsl: false @@ -136,7 +132,7 @@ Resources: Path: /service-role/ RoleName: !Sub "codebuild-${ProjectName}-service-role-ci" AssumeRolePolicyDocument: >- - {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"}]} + {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"codebuild.amazonaws.com"},"Action":"sts:AssumeRole"},{"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::587316601012:oidc-provider/token.actions.githubusercontent.com"},"Action":"sts:AssumeRoleWithWebIdentity","Condition":{"StringEquals":{"token.actions.githubusercontent.com:aud":"sts.amazonaws.com"},"StringLike":{"token.actions.githubusercontent.com:sub":"repo:aws/aws-encryption-sdk-java:*"}}}]} MaxSessionDuration: 3600 ManagedPolicyArns: - !Ref CryptoToolsKMS @@ -144,6 +140,7 @@ Resources: - !Ref CodeBuildBasePolicy - !Ref SecretsManagerPolicyCI - !Ref ParameterStorePolicy + - !Ref CodeBuildBasePolicyCI - "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess" - "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess" @@ -158,6 +155,7 @@ Resources: ManagedPolicyArns: - !Ref CryptoToolsKMS - !Ref CodeBuildBatchPolicy + - !Ref CodeBuildBatchPolicyRelease - !Ref CodeBuildBasePolicy - !Ref SecretsManagerPolicyRelease - !Ref ParameterStorePolicy 
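Review bot: The federated statement added to `AssumeRolePolicyDocument` in the `@@ -136,7 +132,7 @@` hunk matches `token.actions.githubusercontent.com:sub` against `repo:aws/aws-encryption-sdk-java:*`, so a workflow run from any branch, tag, pull request or environment of the repository can assume this role; the neighbouring lines suggest the same role carries `SecretsManagerPolicyCI`, `CryptoToolsKMS` and `AWSCodeArtifactAdminAccess`. If only some contexts need it, the condition can list them instead of using the wildcard, e.g. `"token.actions.githubusercontent.com:sub":["repo:aws/aws-encryption-sdk-java:ref:refs/heads/<branch>","repo:aws/aws-encryption-sdk-java:pull_request"]`, where the `pull_request` entry covers the pull-request trigger of the workflow added in this commit. The provider ARN also hard-codes account `587316601012` while other documents in the template use `${AWS::AccountId}`; making this document a `!Sub` block would keep it consistent. The role definition starts and ends outside the hunk.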
@@ -184,12 +182,37 @@ Resources: "Action": [ "codebuild:StartBuild", "codebuild:StopBuild", - "codebuild:RetryBuild" + "codebuild:RetryBuild", + "codebuild:BatchGetBuilds" ] } ] } + CodeBuildBatchPolicyRelease: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub >- + CodeBuildBuildBatchPolicy-${ProjectName}-Release-${AWS::Region}-codebuild-${ProjectName}-release-service-role + Path: /service-role/ + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:codebuild:us-west-2:${AWS::AccountId}:project/AWS-ESDK-Java-Release" + ], + "Action": [ + "codebuild:StartBuild", + "codebuild:StopBuild", + "codebuild:RetryBuild" + ] + } + ] + } + CodeBuildBasePolicy: Type: "AWS::IAM::ManagedPolicy" Properties: @@ -212,7 +235,8 @@ Resources: "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", - "logs:PutLogEvents" + "logs:PutLogEvents", + "logs:GetLogEvents" ] }, { 
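Review bot: `logs:GetLogEvents` is added to what appears to be `CodeBuildBasePolicy`, which the `ManagedPolicyArns` lists attach to both the CI and the release service role, so both roles gain read access to every log group that statement names (its `Resource` list is outside the hunk). Presumably only the role assumed from GitHub Actions needs to read build logs; putting the read action in a CI-only policy would leave the release role unchanged. The same question applies to `codebuild:BatchGetBuilds` in the previous hunk if that policy is shared as well.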
@@ -244,6 +268,56 @@ Resources: ] } + CodeBuildBasePolicyCI: + Type: "AWS::IAM::ManagedPolicy" + Properties: + ManagedPolicyName: !Sub "CodeBuildBasePolicy-${ProjectName}-CI-${AWS::Region}" + Path: /service-role/ + PolicyDocument: !Sub | + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": [ + "arn:aws:logs:us-west-2:${AWS::AccountId}:log-group:/aws/codebuild/AWS-ESDK-Java-CI", + "arn:aws:logs:us-west-2:${AWS::AccountId}:log-group:/aws/codebuild/AWS-ESDK-Java-CI:*" + ], + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents" + ] + }, + { + "Effect": "Allow", + "Resource": [ + "arn:aws:s3:::codepipeline-us-west-2-*" + ], + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:GetObjectVersion", + "s3:GetBucketAcl", + "s3:GetBucketLocation" + ] + }, + { + "Effect": "Allow", + "Action": [ + "codebuild:CreateReportGroup", + "codebuild:CreateReport", + "codebuild:UpdateReport", + "codebuild:BatchPutTestCases", + "codebuild:BatchPutCodeCoverages" + ], + "Resource": [ + "arn:aws:codebuild:us-west-2:${AWS::AccountId}:report-group/AWS-ESDK-Java-CI-*" + ] + } + ] + } + AccountIdParameter: Type: "AWS::SSM::Parameter" Properties: @@ -264,7 +338,8 @@ Resources: { "Effect": "Allow", "Resource": [ - "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A" + "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-xjAvTM", + "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-CI-Credentials-eBrSNB" ], "Action": "secretsmanager:GetSecretValue" } 
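Review bot: The second statement of the new `CodeBuildBasePolicyCI` allows `s3:PutObject` and `s3:GetObject` on `arn:aws:s3:::codepipeline-us-west-2-*`, a bucket-name pattern rather than named buckets, on a role that is now assumable from GitHub Actions. If the CI project really builds with `Artifacts: Type: NO_ARTIFACTS`, as the project definition earlier in this template suggests, the statement can probably be dropped; otherwise name the bucket or add a condition requiring `s3:ResourceAccount` to equal `${AWS::AccountId}`. The ARNs in this policy also hard-code `us-west-2` while `ManagedPolicyName` uses `${AWS::Region}`; using the pseudo parameter in both keeps them in step.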
@@ -283,8 +358,10 @@ Resources: { "Effect": "Allow", "Resource": [ - "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-GC6h0A", - "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm" + "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-haLIjZ", + "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Maven-GPG-Keys-Release-Credentials-WgJanS", + "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Sonatype-Team-Account-0tWvZm", + "arn:aws:secretsmanager:us-west-2:${AWS::AccountId}:secret:Github/aws-crypto-tools-ci-bot-AGUB3U" ], "Action": "secretsmanager:GetSecretValue" } diff --git a/codebuild/ci/ci.yml b/codebuild/ci/ci.yml deleted file mode 100644 index 7c64ccf1d..000000000 --- a/codebuild/ci/ci.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -version: 0.2 - -# TODO: Replace/Augment build-graph with build-matrix -# Note: It's possible that 9 builds will be running concurrently with the current arrangement - -batch: - fast-fail: false - build-graph: - - identifier: static_analysis - buildspec: codebuild/ci/static-analysis.yml - env: - compute-type: BUILD_GENERAL1_MEDIUM - image: aws/codebuild/amazonlinux2-x86_64-standard:3.0 - ######### Start Vector tests ######### - - identifier: vectors_ci_openjdk8 - buildspec: codebuild/ci/vectors-ci.yml - env: - compute-type: BUILD_GENERAL1_LARGE - variables: - JAVA_ENV_VERSION: openjdk8 - image: aws/codebuild/standard:3.0 - - identifier: vectors_ci_openjdk11 - buildspec: codebuild/ci/vectors-ci.yml - env: - compute-type: BUILD_GENERAL1_LARGE - variables: - JAVA_ENV_VERSION: openjdk11 - image: aws/codebuild/standard:3.0 - - identifier: vectors_ci_corretto8 - buildspec: codebuild/ci/vectors-ci.yml - env: - compute-type: BUILD_GENERAL1_LARGE - variables: - JAVA_ENV_VERSION: corretto8 - image: aws/codebuild/amazonlinux2-x86_64-standard:3.0 - - identifier: vectors_ci_corretto11 - buildspec: codebuild/ci/vectors-ci.yml - env: - compute-type: BUILD_GENERAL1_LARGE - variables: - JAVA_ENV_VERSION: corretto11 - image: aws/codebuild/amazonlinux2-x86_64-standard:3.0 - ######### End Vector tests ######### - - identifier: release_ci - buildspec: codebuild/ci/release-ci.yml - env: - compute-type: BUILD_GENERAL1_LARGE - image: aws/codebuild/standard:3.0 - ######### Start JAR Smoke tests ######### - - identifier: validate_ci_openjdk8 - depend-on: - - release_ci - buildspec: codebuild/ci/validate-ci.yml - env: - variables: - JAVA_ENV_VERSION: openjdk8 - JAVA_NUMERIC_VERSION: 8 - image: aws/codebuild/standard:3.0 - - identifier: validate_ci_openjdk11 - depend-on: - - release_ci - buildspec: codebuild/ci/validate-ci.yml - env: - compute-type: BUILD_GENERAL1_MEDIUM - variables: - JAVA_ENV_VERSION: openjdk11 - JAVA_NUMERIC_VERSION: 11 - image: aws/codebuild/standard:3.0 
- - identifier: validate_ci_corretto8 - depend-on: - - release_ci - buildspec: codebuild/ci/validate-ci.yml - env: - compute-type: BUILD_GENERAL1_MEDIUM - variables: - JAVA_ENV_VERSION: corretto8 - JAVA_NUMERIC_VERSION: 8 - image: aws/codebuild/amazonlinux2-x86_64-standard:3.0 - - identifier: validate_ci_corretto11 - depend-on: - - release_ci - buildspec: codebuild/ci/validate-ci.yml - env: - compute-type: BUILD_GENERAL1_MEDIUM - variables: - JAVA_ENV_VERSION: corretto11 - JAVA_NUMERIC_VERSION: 11 - image: aws/codebuild/amazonlinux2-x86_64-standard:3.0 - ######### End JAR Smoke tests ######### diff --git a/codebuild/ci/release-ci.yml b/codebuild/ci/release-ci.yml index 412fb3223..76d85e390 100644 --- a/codebuild/ci/release-ci.yml +++ b/codebuild/ci/release-ci.yml @@ -10,8 +10,8 @@ env: parameter-store: ACCOUNT: /CodeBuild/AccountIdentity secrets-manager: - GPG_KEY: Maven-GPG-Keys-Credentials:Keyname - GPG_PASS: Maven-GPG-Keys-Credentials:Passphrase + GPG_KEY: Maven-GPG-Keys-CI-Credentials:Keyname + GPG_PASS: Maven-GPG-Keys-CI-Credentials:Passphrase phases: install: 
@@ -22,12 +22,23 @@ phases: - export SETTINGS_FILE=$(pwd)/codebuild/release/settings.xml - export CODEARTIFACT_TOKEN=$(aws codeartifact get-authorization-token --domain $DOMAIN --domain-owner $ACCOUNT --query authorizationToken --output text --region ${REGION}) - export CODEARTIFACT_REPO_URL=https://${DOMAIN}-${ACCOUNT}.d.codeartifact.${REGION}.amazonaws.com/maven/${REPOSITORY} - - aws secretsmanager get-secret-value --region us-west-2 --secret-id Maven-GPG-Keys --query SecretBinary --output text | base64 -d > ~/mvn_gpg.tgz + - aws secretsmanager get-secret-value --region us-west-2 --secret-id Maven-GPG-Keys-CI --query SecretBinary --output text | base64 -d > ~/mvn_gpg.tgz - tar -xvf ~/mvn_gpg.tgz -C ~ build: commands: - VERSION_HASH="$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)-$CODEBUILD_RESOLVED_SOURCE_VERSION" -# See https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-env-vars.html + + # Remove any old artifacts with the same commit ID. This allows CI to run more than once for the same commit + - | + aws codeartifact delete-package-versions --domain $DOMAIN \ + --repository $REPOSITORY \ + --format maven \ + --namespace $NAMESPACE \ + --package $PACKAGE \ + --versions $VERSION_HASH \ + --region $REGION; + + # See https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-env-vars.html - echo "Setting version in POM to $VERSION_HASH" - mvn versions:set -DnewVersion="$VERSION_HASH" --no-transfer-progress - echo "Version is now $(grep version pom.xml | head -n 1 | sed -n 's/[ \t]*\(.*\)<\/version>/\1/p')" 
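Review bot: In the added `aws codeartifact delete-package-versions` step every variable is expanded unquoted, and `$VERSION_HASH` is built from `project.version` in the checked-out pom.xml, so whitespace in that value would be split into extra `--versions` entries or arguments of a delete call. Quote it, `--versions "$VERSION_HASH" \`, and likewise the other expansions in the command. It is also worth confirming the exit status when the version does not exist yet: if the CLI returns non-zero, the first build of every commit would fail here, and a blanket `|| true` would hide real errors, so a preceding `list-package-versions` check may be cleaner. The `build` phase continues outside the hunk.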
@@ -49,14 +60,5 @@ phases: - | if expr ${CODEBUILD_BUILD_SUCCEEDING} != 1; then echo "An error occured while building and uploading $REPOSITORY." - echo "Did a previous build already upload $VERSION_HASH to $REPOSITORY?" - echo "Try deleting $VERSION_HASH from $REPOSITORY and restart" - echo "Delete Package Version Command \n - aws codeartifact delete-package-versions --domain $DOMAIN \ - --repository $REPOSITORY \ - --format maven \ - --namespace $NAMESPACE \ - --package $PACKAGE \ - --versions $VERSION_HASH \ - --region $REGION"; + echo "Check logs above for error details." fi diff --git a/codebuild/release/javadoc.yml b/codebuild/release/javadoc.yml index 0a751365a..501fd28e8 100644 --- a/codebuild/release/javadoc.yml +++ b/codebuild/release/javadoc.yml @@ -22,5 +22,5 @@ phases: - git checkout $GH_PAGES - cp -r /tmp/apidocs/* . - git add . - - git commit -m "docs: updating javadocs" + - 'git commit -m "docs: updating javadocs"' - git push diff --git a/codebuild/release/release-prod.yml b/codebuild/release/release-prod.yml index ec22a30a0..1e519f392 100644 --- a/codebuild/release/release-prod.yml +++ b/codebuild/release/release-prod.yml @@ -7,8 +7,8 @@ env: variables: BRANCH: "master" secrets-manager: - GPG_KEY: Maven-GPG-Keys-Credentials:Keyname - GPG_PASS: Maven-GPG-Keys-Credentials:Passphrase + GPG_KEY: Maven-GPG-Keys-Release-Credentials:Keyname + GPG_PASS: Maven-GPG-Keys-Release-Credentials:Passphrase SONA_USERNAME: Sonatype-Team-Account:Username SONA_PASSWORD: Sonatype-Team-Account:Password @@ -20,7 +20,7 @@ phases: commands: - git checkout $BRANCH - export SETTINGS_FILE=$(pwd)/codebuild/release/settings.xml - - aws secretsmanager get-secret-value --region us-west-2 --secret-id Maven-GPG-Keys --query SecretBinary --output text | base64 -d > ~/mvn_gpg.tgz + - aws secretsmanager get-secret-value --region us-west-2 --secret-id Maven-GPG-Keys-Release --query SecretBinary --output text | base64 -d > ~/mvn_gpg.tgz - tar -xvf ~/mvn_gpg.tgz -C ~ build: commands: 
diff --git a/codebuild/release/release-staging.yml b/codebuild/release/release-staging.yml index f6a00238b..e9bb11421 100644 --- a/codebuild/release/release-staging.yml +++ b/codebuild/release/release-staging.yml @@ -11,8 +11,8 @@ env: parameter-store: ACCOUNT: /CodeBuild/AccountId secrets-manager: - GPG_KEY: Maven-GPG-Keys-Credentials:Keyname - GPG_PASS: Maven-GPG-Keys-Credentials:Passphrase + GPG_KEY: Maven-GPG-Keys-Release-Credentials:Keyname + GPG_PASS: Maven-GPG-Keys-Release-Credentials:Passphrase phases: install: @@ -23,7 +23,7 @@ phases: - export SETTINGS_FILE=$(pwd)/codebuild/release/settings.xml - export CODEARTIFACT_TOKEN=$(aws codeartifact get-authorization-token --domain $DOMAIN --domain-owner $ACCOUNT --query authorizationToken --output text --region ${REGION}) - export CODEARTIFACT_REPO_URL=https://${DOMAIN}-${ACCOUNT}.d.codeartifact.${REGION}.amazonaws.com/maven/${REPOSITORY} - - aws secretsmanager get-secret-value --region us-west-2 --secret-id Maven-GPG-Keys --query SecretBinary --output text | base64 -d > ~/mvn_gpg.tgz + - aws secretsmanager get-secret-value --region us-west-2 --secret-id Maven-GPG-Keys-Release --query SecretBinary --output text | base64 -d > ~/mvn_gpg.tgz - tar -xvf ~/mvn_gpg.tgz -C ~ build: commands: diff --git a/codebuild/release/version.yml b/codebuild/release/version.yml index ade257726..022912c23 100644 --- a/codebuild/release/version.yml +++ b/codebuild/release/version.yml @@ -12,13 +12,13 @@ env: phases: install: commands: + - n 18 + - node -v - npm install --save-dev semantic-release - npm install @semantic-release/changelog -d - npm install @semantic-release/exec -d - npm install @semantic-release/git -d - npm install --save conventional-changelog - runtime-versions: - nodejs: 14 pre_build: commands: - git config --global user.name "aws-crypto-tools-ci-bot" diff --git a/pom.xml b/pom.xml index d36709c88..c40659d9f 100644 --- a/pom.xml +++ b/pom.xml 
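Review bot: The `install` phase of version.yml now fetches Node with `n 18` and then runs `npm install --save-dev semantic-release` and the plugin installs without a version or lockfile, so each release run executes whatever the registry serves that day. Pin each package to an exact version, e.g. `npm install --save-dev semantic-release@<pinned-version>`, or commit a `package-lock.json` and use `npm ci`. `n 18` likewise resolves to the newest 18.x at build time; a full version such as `n <exact-18.x-version>` makes the toolchain reproducible. The `phases` block continues outside the hunk.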
@@ -4,7 +4,7 @@ com.amazonaws aws-encryption-sdk-java - 2.4.0 + 2.4.1 jar aws-encryption-sdk-java @@ -43,7 +43,7 @@ software.amazon.awssdk bom - 2.17.136 + 2.20.91 true pom import @@ -55,40 +55,40 @@ com.amazonaws aws-java-sdk - 1.12.162 + 1.12.394 true software.amazon.awssdk kms - 2.17.136 + 2.18.38 true org.bouncycastle - bcprov-ext-jdk15on - 1.70 + bcprov-ext-jdk18on + 1.75 org.mockito mockito-core - 4.3.1 + 4.11.0 test org.junit.jupiter junit-jupiter-api - 5.8.2 + 5.9.2 test org.junit.vintage junit-vintage-engine - 5.8.2 + 5.9.3 test @@ -132,7 +132,7 @@ org.apache.maven.plugins maven-compiler-plugin - 3.9.0 + 3.10.1 1.8 1.8 @@ -142,7 +142,7 @@ org.apache.maven.plugins maven-javadoc-plugin - 3.3.1 + 3.4.1 128m 1024m @@ -175,7 +175,7 @@ org.jacoco jacoco-maven-plugin - 0.8.7 + 0.8.8 @@ -317,7 +317,7 @@ org.sonatype.plugins nexus-staging-maven-plugin - 1.6.12 + 1.6.13 true sonatype-nexus-staging @@ -338,7 +338,7 @@ org.apache.maven.plugins maven-surefire-plugin - 2.22.2 + 3.1.2 **/AllTestsSuite.java @@ -359,7 +359,7 @@ org.apache.maven.plugins maven-surefire-plugin - 2.22.2 + 3.1.2 **/FastTestsOnlySuite.java diff --git a/src/main/java/com/amazonaws/encryptionsdk/CommitmentPolicy.java b/src/main/java/com/amazonaws/encryptionsdk/CommitmentPolicy.java index d17c078b4..94477cb35 100644 --- a/src/main/java/com/amazonaws/encryptionsdk/CommitmentPolicy.java +++ b/src/main/java/com/amazonaws/encryptionsdk/CommitmentPolicy.java 
@@ -3,11 +3,30 @@ package com.amazonaws.encryptionsdk; +/** + * Governs how a AwsCrypto behaves during configuration, encryption, and decryption, with respect to + * key commitment. + */ public enum CommitmentPolicy { + /** + * On encrypty, algorithm suite must NOT support key commitment; On decrypt, if a key commitment + * is present on the ciphertext, then the key commitment must be valid. Key commitment will NOT be + * included in ciphertext on encrypt. + */ ForbidEncryptAllowDecrypt, + /** + * On encrypt, algorithm suite must support key commitment; On decrypt, if a key commitment is + * present on the ciphertext, then the key commitment must be valid. Key commitment will be + * included in ciphertext on encrypt. + */ RequireEncryptAllowDecrypt, + /** + * Algorithm suite must support key commitment. Key commitment will be included in ciphertext on + * encrypt. Valid key commitment must be present in ciphertext on decrypt. + */ RequireEncryptRequireDecrypt; + /** Validates that an algorithm meets the Policy's On encrypt key commitment. */ public boolean algorithmAllowedForEncrypt(CryptoAlgorithm algorithm) { switch (this) { case ForbidEncryptAllowDecrypt: @@ -21,6 +40,7 @@ public boolean algorithmAllowedForEncrypt(CryptoAlgorithm algorithm) { } } + /** Validates that an algorithm meets the Policy's On decrypt key commitment. */ public boolean algorithmAllowedForDecrypt(CryptoAlgorithm algorithm) { switch (this) { case ForbidEncryptAllowDecrypt: diff --git a/src/main/java/com/amazonaws/encryptionsdk/jce/JceMasterKey.java b/src/main/java/com/amazonaws/encryptionsdk/jce/JceMasterKey.java index 3d40d0b07..fc2fe8149 100644 --- a/src/main/java/com/amazonaws/encryptionsdk/jce/JceMasterKey.java +++ b/src/main/java/com/amazonaws/encryptionsdk/jce/JceMasterKey.java 
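Review bot: The new Javadoc on `ForbidEncryptAllowDecrypt` reads `On encrypty` (should be `On encrypt`), and the enum comment says `a AwsCrypto` where `an {@link AwsCrypto}` would read correctly and link the type. The two method comments, such as `Validates that an algorithm meets the Policy's On encrypt key commitment.`, do not say what the boolean result means; assuming `true` means the algorithm is permitted, `/** Returns true if {@code algorithm} may be used to encrypt under this policy. */` and its decrypt counterpart would state the contract. Both method bodies continue outside the hunks.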
@@ -44,8 +44,9 @@ public class JceMasterKey extends MasterKey { private final JceKeyCipher jceKeyCipher_; /** - * Returns a {@code JceMasterKey} backed by {@code key} using {@code wrappingAlgorithm}. Currently - * "{@code AES/GCM/NoPadding}" is the only supported value for {@code wrappingAlgorithm}. + * Returns a {@code JceMasterKey} backed by the symmetric key {@code key} using {@code + * wrappingAlgorithm}. Currently "{@code AES/GCM/NoPadding}" is the only supported value for + * symmetric {@code wrappingAlgorithm}s. * * @param key key used to wrap/unwrap (encrypt/decrypt) {@link DataKey}s * @param provider @@ -67,10 +68,10 @@ public static JceMasterKey getInstance( } /** - * Returns a {@code JceMasterKey} backed by {@code unwrappingKey} and {@code wrappingKey} using - * {@code wrappingAlgorithm}. Currently only RSA algorithms are supported for {@code - * wrappingAlgorithm}. {@code wrappingAlgorithm}. If {@code unwrappingKey} is {@code null} then - * the returned {@link JceMasterKey} can only be used for encryption. + * Returns a {@code JceMasterKey} backed by the asymmetric key pair {@code unwrappingKey} and + * {@code wrappingKey} using {@code wrappingAlgorithm}. Currently only RSA algorithms are + * supported for asymmetric {@code wrappingAlgorithm}s. If {@code unwrappingKey} is {@code null} + * then the returned {@link JceMasterKey} can only be used for encryption. * * @param wrappingKey key used to wrap (encrypt) {@link DataKey}s * @param unwrappingKey (Optional) key used to unwrap (decrypt) {@link DataKey}s. diff --git a/src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/AwsKmsMrkAwareMasterKeyProvider.java b/src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/AwsKmsMrkAwareMasterKeyProvider.java index 468130db2..0fcbef2e9 100644 --- a/src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/AwsKmsMrkAwareMasterKeyProvider.java +++ b/src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/AwsKmsMrkAwareMasterKeyProvider.java 
@@ -109,6 +109,9 @@ public Builder discoveryMrkRegion(Region discoveryMrkRegion) { * #builderSupplier(Supplier)}; if you try to use these in combination, an {@link * IllegalStateException} will be thrown. * + *

Note: The AWS Encryption SDK for Java does not support the {@code KmsAsyncClient} + * interface. + * * @see KmsMasterKeyProvider.Builder#customRegionalClientSupplier(RegionalClientSupplier) */ public Builder customRegionalClientSupplier(RegionalClientSupplier regionalClientSupplier) { @@ -125,6 +128,9 @@ public Builder customRegionalClientSupplier(RegionalClientSupplier regionalClien * KmsClientBuilder} to configure KMS clients. Note that the region set on this builder will be * ignored, but all other settings will be propagated into the regional clients. * + *

Note: The AWS Encryption SDK for Java does not support the {@code KmsAsyncClient} + * interface. + * * @see KmsMasterKeyProvider.Builder#builderSupplier(Supplier) */ public Builder builderSupplier(Supplier supplier) { diff --git a/src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/KmsMasterKeyProvider.java b/src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/KmsMasterKeyProvider.java index 0203a3326..50923113e 100644 --- a/src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/KmsMasterKeyProvider.java +++ b/src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/KmsMasterKeyProvider.java @@ -89,6 +89,9 @@ public Builder defaultRegion(Region defaultRegion) { * #builderSupplier(Supplier)}; if you try to use these in combination, an {@link * IllegalStateException} will be thrown. * + *

Note: The AWS Encryption SDK for Java does not support the {@code KmsAsyncClient} + * interface. + * * @param regionalClientSupplier * @return */ @@ -110,6 +113,9 @@ public Builder customRegionalClientSupplier(RegionalClientSupplier regionalClien * #customRegionalClientSupplier(RegionalClientSupplier)} will cause an {@link * IllegalStateException} to be thrown. * + *

Note: The AWS Encryption SDK for Java does not support the {@code KmsAsyncClient} + * interface. + * * @param supplier Should return a new {@link KmsClientBuilder} on each invocation. * @return */ diff --git a/src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/RegionalClientSupplier.java b/src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/RegionalClientSupplier.java index 0716aea1e..0c5ecef8f 100644 --- a/src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/RegionalClientSupplier.java +++ b/src/main/java/com/amazonaws/encryptionsdk/kmssdkv2/RegionalClientSupplier.java @@ -9,6 +9,8 @@ public interface RegionalClientSupplier { * Supplies an {@link KmsClient} instance to use for a given {@link Region}. The {@link * KmsMasterKeyProvider} will not cache the result of this function. * + *

Note: The AWS Encryption SDK for Java does not support the {@code KmsAsyncClient} interface. + * * @param region The region to get a client for * @return The client to use, or null if this region cannot or should not be used. */ diff --git a/src/test/java/com/amazonaws/encryptionsdk/internal/DecryptionHandlerTest.java b/src/test/java/com/amazonaws/encryptionsdk/internal/DecryptionHandlerTest.java index 7ed598115..728673ec7 100644 --- a/src/test/java/com/amazonaws/encryptionsdk/internal/DecryptionHandlerTest.java +++ b/src/test/java/com/amazonaws/encryptionsdk/internal/DecryptionHandlerTest.java @@ -643,6 +643,7 @@ public void withNoMaxEdks() { decryptionHandler.processBytes(header, 0, header.length, plaintext, 0); } + @Test public void validSignatureAcrossMultipleBlocks() { byte[] ciphertext = getTestMessage(