Merge pull request #81 from cconlon/1.7release

Prep for 1.7 Release

Author: JacobBarthelmeh

ChangeLog.md

@@ -1,3 +1,27 @@
+### wolfCrypt JNI Release 1.7.0 (11/11/2024)
+
+Release 1.7.0 of wolfCrypt JNI and JCE has bug fixes and new features including:
+
+**New JCE Functionality:**
+- New WolfSSLKeyStore (WKS) KeyStore implementation for FIPS 140-2/3 compliance (PR 67)
+
+**JNI and JCE Changes:**
+- Remove call to BigInteger.longValueExact(), not available on some Java versions (PR 76)
+- Detect `RSA_MIN_SIZE` in tests, add `Rsa.RSA_MIN_SIZE` helper (PR 77)
+- Fix pointer use in native `X509CheckPrivateKey()` (PR 80)
+
+**Example Changes:**
+- Set keytool path correctly in `system-cacerts-to-wks.sh` (PR 78)
+- Add example Android Studio project (IDE/Android) (PR 79)
+
+**Testing Changes:**
+- Run Facebook Infer on pull requests with GitHub Actions (PR 74)
+- Add Android Gradle build with GitHub Actions to run on all pull requests (PR 79)
+
+The wolfCrypt JNI/JCE Manual is available at:
+https://www.wolfssl.com/documentation/manuals/wolfcryptjni/. For build
+instructions and more details comments, please check the manual.
+
 ### wolfCrypt JNI Release 1.6.0 (4/17/2024)
 
 Release 1.6.0 of wolfCrypt JNI and JCE has bug fixes and new features including:

IDE/WIN/README.md

@@ -137,8 +137,12 @@ section titled `/* Configuration */`:
 ```
 #define WOLFSSL_KEY_GEN
 #define HAVE_CRL
+#define OPENSSL_ALL
 ```
 
+If also building wolfSSL JNI/JSSE, additional defines may be needed. Please
+reference the Windows build documentation for wolfSSL JNI/JSSE if so.
+
 After editing and saving the `user_settings.h` file, select one of the following
 DLL Library configurations and build the wolfSSL library solution:
 
@@ -204,8 +208,12 @@ and set the values for `HAVE_FIPS`, `HAVE_FIPS_VERSION`, and
 ```
 #define WOLFSSL_KEY_GEN
 #define HAVE_CRL
+#define OPENSSL_ALL
 ```
 
+If also building wolfSSL JNI/JSSE, additional defines may be needed. Please
+reference the Windows build documentation for wolfSSL JNI/JSSE if so.
+
 6. Build the `wolfssl-fips` project, which will create a DLL in one of the
 following locations:
 
@@ -230,28 +238,33 @@ in the wolfCrypt tests successfully running.
 See the FIPS User Guide for more details on the FIPS verifyCore hash, or
 email [email protected].
 
-## wolfSSL FIPS 140-3 (Upcoming)
+## wolfSSL FIPS 140-3 (Certificate #4718)
 
-To build a version of wolfSSL that has been submitted for FIPS 140-3, use
-the Visual Studio solution file under the `IDE\WIN10` directory inside the
-wolfSSL package:
+To build a wolfSSL FIPS 140-3 variant for use with FIPS 140-3 certificate
+#4718, use the Visual Studio solution file located in the `IDE/WIN10`
+directory inside the wolfSSL package:
 
 ```
 <wolfssl>\IDE\WIN10\wolfssl-fips.sln
 ```
 
 Follow instructions in the above section for 140-2 / 3389, except use the
-following values for `HAVE_FIPS`, `HAVE_FIPS_VERSION`, and
-`HAVE_FIPS_VERSION_MINOR` in `user_settings.h`:
+following values for `HAVE_FIPS`, `HAVE_FIPS_VERSION`,
+`HAVE_FIPS_VERSION_MAJOR`, `HAVE_FIPS_VERSION_MINOR`, and
+`HAVE_FIPS_VERSION_PATCH` in `user_settings.h`:
 
 ```
 #if 1
 #undef HAVE_FIPS
 #define HAVE_FIPS
 #undef HAVE_FIPS_VERSION
 #define HAVE_FIPS_VERSION 5
+#undef HAVE_FIPS_VERSION_MAJOR
+#define HAVE_FIPS_VERSION_MAJOR 5
 #undef HAVE_FIPS_VERSION_MINOR
-#define HAVE_FIPS_VERSION_MINOR 1
+#define HAVE_FIPS_VERSION_MINOR 2
+#undef HAVE_FIPS_VERSION_PATCH
+#define HAVE_FIPS_VERSION_PATCH 0
 #endif
 ```
 
@@ -261,8 +274,12 @@ The following additional defines will also need to be added to
 ```
 #define WOLFSSL_KEY_GEN
 #define HAVE_CRL
+#define OPENSSL_ALL
 ```
 
+If also building wolfSSL JNI/JSSE, additional defines may be needed. Please
+reference the Windows build documentation for wolfSSL JNI/JSSE if so.
+
 For additional help, contact [email protected].
 
 # Building wolfCrypt JNI/JCE Library

IDE/WIN/wolfcryptjni.vcxproj

@@ -78,6 +78,7 @@
     <ClCompile Include="..\..\jni\jni_feature_detect.c" />
     <ClCompile Include="..\..\jni\jni_fips.c" />
     <ClCompile Include="..\..\jni\jni_hmac.c" />
+    <ClCompile Include="..\..\jni\jni_jce_wolfsslkeystore.c" />
     <ClCompile Include="..\..\jni\jni_logging.c" />
     <ClCompile Include="..\..\jni\jni_md5.c" />
     <ClCompile Include="..\..\jni\jni_native_struct.c" />

IDE/WIN/wolfcryptjni.vcxproj.filters

@@ -170,5 +170,8 @@
     <ClCompile Include="..\..\jni\jni_wolfssl_cert_manager.c">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\jni\jni_jce_wolfsslkeystore.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
   </ItemGroup>
 </Project>

README.md

@@ -208,7 +208,7 @@ on the current release):
         <dependency>
             <groupId>com.wolfssl</groupId>
             <artifactId>wolfcrypt-jni</artifactId>
-            <version>1.6.0-SNAPSHOT</version>
+            <version>1.7.0-SNAPSHOT</version>
         </dependency>
     </dependencies>
     ...

build.xml

@@ -19,7 +19,7 @@
     <!-- versioning/manifest properties -->
     <property name="implementation.vendor"  value="wolfSSL Inc." />
     <property name="implementation.title"   value="wolfCrypt JNI" />
-    <property name="implementation.version" value="1.6" />
+    <property name="implementation.version" value="1.7" />
 
     <!-- set properties for this build -->
     <property name="src.dir" value="src/main/java/" />

examples/WindowsConfig.bat

@@ -9,7 +9,7 @@
 :: included by other example .bat files.
 
 :: wolfSSL Normal non-FIPS (DLL Debug x64)
-SET WOLFSSL_DLL_DIR=..\..\..\wolfssl\IDE\WIN10\DLL Debug\x64
+SET WOLFSSL_DLL_DIR=..\..\..\wolfssl\DLL Debug\x64
 SET WOLFCRYPTJNI_DLL_DIR=..\..\IDE\WIN\DLL Debug\x64
 
 :: wolfSSL Normal non-FIPS (DLL Release x64)

examples/certs/systemcerts/system-cacerts-to-wks.sh

@@ -29,9 +29,19 @@ export DYLD_LIBRARY_PATH=../../../lib:$DYLD_LIBRARY_PATH
 
 OUTDIR=`pwd`
 
+# First argument can be passed in to represent path to
+# wolfcrypt-jni.jar provider JAR. If not given, use default.
+if [ -z "$1" ]; then
+    # default wolfcrypt-jni.jar path
+    PROVIDER_PATH="../../../lib/wolfcrypt-jni.jar"
+else
+    # use custom provider path
+    PROVIDER_PATH=$1
+fi
+
 # ARGS: <input-keystore-name> <output-keystore-name> <in-password> <out-password> <java home>
 jks_to_wks() {
-    ${5}/bin/keytool -importkeystore -srckeystore ${1} -destkeystore ${2}.wks -srcstoretype JKS -deststoretype WKS -srcstorepass "$3" -deststorepass "$3" -deststorepass "$4" -provider com.wolfssl.provider.jce.WolfCryptProvider --providerpath ../../../lib/wolfcrypt-jni.jar &> /dev/null
+    ${5}/bin/keytool -importkeystore -srckeystore ${1} -destkeystore ${2}.wks -srcstoretype JKS -deststoretype WKS -srcstorepass "$3" -deststorepass "$3" -deststorepass "$4" -provider com.wolfssl.provider.jce.WolfCryptProvider --providerpath "$PROVIDER_PATH"
     if [ $? -ne 0 ]; then
         printf "Failed to convert JKS to WKS!"
         exit 1
@@ -58,6 +68,8 @@ else
     javaHome="$JAVA_HOME"
 fi
 
+echo "PROVIDER_PATH: $PROVIDER_PATH"
+
 # Set up Java include and library paths for OS X and Linux
 # NOTE: you may need to modify these if your platform uses different locations
 if [ "$OS" == "Darwin" ]; then

jni/jni_ecc.c

@@ -338,7 +338,9 @@ Java_com_wolfssl_wolfcrypt_Ecc_wc_1ecc_1export_1private(
     }
 
     if (ret == 0) {
+        PRIVATE_KEY_UNLOCK();
         ret = wc_ecc_export_private_only(ecc, output, &outputSz);
+        PRIVATE_KEY_LOCK();
     }
 
     if (ret == 0) {
@@ -1054,7 +1056,9 @@ JNIEXPORT jbyteArray JNICALL Java_com_wolfssl_wolfcrypt_Ecc_wc_1ecc_1private_1ke
     }
 
     if (ret == 0) {
+        PRIVATE_KEY_UNLOCK();
         ret = wc_EccPrivateKeyToDer(ecc, derKey, derKeySz);
+        PRIVATE_KEY_LOCK();
         if (ret >= 0) {
             derKeySz = ret;
             ret = 0;