Add AES/GCM-SIV/NoPadding cipher support (RFC 8452)#533
Open
jmcrawford45 wants to merge 4 commits intocorretto:mainfrom
Implements GitHub issue corretto#323. Registers three algorithm names:
- AES/GCM-SIV/NoPadding
- AES_128/GCM-SIV/NoPadding
- AES_256/GCM-SIV/NoPadding

New files:
- csrc/aes_gcm_siv.cpp: JNI implementation using EVP_AEAD_CTX_seal/open
- src/.../AesGcmSivSpi.java: CipherSpi — one-shot AEAD, 12-byte nonce, 128-bit tag, 128/256-bit keys only; nonce reuse does not throw
- src/.../NativeEvpAeadCtx.java: NativeResource wrapper for EVP_AEAD_CTX

Modified files:
- csrc/util.cpp: add releaseEvpAeadCtx JNI function
- src/.../Utils.java: declare releaseEvpAeadCtx native method
- src/.../AmazonCorrettoCryptoProvider.java: register the three aliases
- CMakeLists.txt: add csrc/aes_gcm_siv.cpp to the build

Tests: 40 cases covering RFC 8452 Appendix C KAT vectors, round-trips, streaming buffering, auth failure (AEADBadTagException), parameter validation, nonce-reuse tolerance, and algorithm name variants.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add AES/GCM-SIV/NoPadding and AES_<n>/GCM-SIV/NoPadding to README supported algorithms list
- Document GCM-SIV behavioral differences in DIFFERENCES.md: rejects IvParameterSpec, enforces fixed nonce/tag length, tolerates nonce reuse
- Add AesGcmSivOneShot JMH benchmark (128/256-bit, 1 MiB, encrypt+decrypt)
- Expand AesGcmSivTest with 8 behavioral tests: ByteBuffer (heap+direct), getOutputSize (encrypt+decrypt), large 1 MiB round-trip, rekey changes output, AAD-after-update throws IllegalStateException, concurrent 16-thread encrypt/decrypt correctness

Closes corretto#323

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Mirrors AesGcmOneShot structure: extends AesBase, uses provider @param with ACCP and BouncyCastle (both support AES/GCM-SIV/NoPadding). SunJCE is excluded because JDK-8256530 (add GCM-SIV to SunJCE) is still open. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Issue #, if available: #323
Description of changes:
Implements AES-GCM-SIV (`AES/GCM-SIV/NoPadding`, `AES_128/GCM-SIV/NoPadding`, `AES_256/GCM-SIV/NoPadding`) backed by the AWS-LC `EVP_AEAD` API (`EVP_aead_aes_128_gcm_siv` / `EVP_aead_aes_256_gcm_siv`).

AES-GCM-SIV is a nonce-misuse-resistant AEAD cipher defined in [RFC 8452](https://www.rfc-editor.org/rfc/rfc8452). Unlike AES-GCM, reusing a key+nonce pair does not compromise authenticity, only (some) confidentiality.
New files
- `csrc/aes_gcm_siv.cpp`: JNI implementation using `EVP_AEAD_CTX_seal` / `EVP_AEAD_CTX_open`. Context caching avoids redundant key schedule computation across calls with the same key.
- `src/.../AesGcmSivSpi.java`: `CipherSpi` implementation. Supports one-shot (`doFinal`) and streaming (`update` + `doFinal`) modes, heap and direct `ByteBuffer`, and AAD via `updateAAD`.
- `src/.../NativeEvpAeadCtx.java`: `NativeResource` wrapper for safe GC cleanup of native `EVP_AEAD_CTX` pointers.
- `benchmarks/.../AesGcmSivOneShot.java`: JMH benchmark for 1 MiB encrypt and decrypt with 128-bit and 256-bit keys.
Modified files
- `AmazonCorrettoCryptoProvider.java`: Registers the three algorithm aliases.
- `Utils.java` / `csrc/util.cpp`: Adds `releaseEvpAeadCtx` JNI teardown.
- `CMakeLists.txt`: Adds `aes_gcm_siv.cpp` to the native source list.
- `tst/.../AesGcmSivTest.java`: Full test suite (`getOutputSize`, 1 MiB round-trip, rekey, nonce-reuse tolerance, AAD ordering, tag authentication, algorithm name variants, 16-thread concurrency).
- `README.md` / `DIFFERENCES.md`: Documents the new algorithm and its behavioral differences from `AES/GCM/NoPadding` (no `IvParameterSpec`, fixed 12-byte nonce, 128-bit tag only, 128/256-bit keys only, nonce reuse does not throw).
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute
this contribution, under the terms of your choice.
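An added usage example, not code from this PR or from ACCP, exercising the behaviours the description lists through the standard JCE API: AAD supplied before the payload, the fixed 12-byte nonce and 128-bit tag passed as a `GCMParameterSpec` (assumed, since the PR says `IvParameterSpec` is rejected), `AEADBadTagException` on a tampered tag, and nonce reuse that does not throw but makes encryption deterministic. The provider name string and the `GcmSivDemo` class are assumptions.

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class GcmSivDemo {
    // Assumed: ACCP is installed and registered under this provider name.
    static final String PROVIDER = "AmazonCorrettoCryptoProvider";
    static final String ALG = "AES/GCM-SIV/NoPadding";
    // Encrypt: output is ciphertext followed by the 16-byte tag.
    static byte[] seal(SecretKey key, byte[] nonce, byte[] aad, byte[] pt) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(ALG, PROVIDER);
        // Assumed GCMParameterSpec (the PR rejects IvParameterSpec): 12-byte nonce, 128-bit tag only.
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        c.updateAAD(aad); // AAD must be supplied before any update()/doFinal()
        return c.doFinal(pt);
    }
    // Decrypt: throws AEADBadTagException if ciphertext, tag, or AAD was altered.
    static byte[] open(SecretKey key, byte[] nonce, byte[] aad, byte[] ct) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(ALG, PROVIDER);
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        c.updateAAD(aad);
        return c.doFinal(ct);
    }
    public static void main(String[] args) throws Exception {
        // Constructed demo values: fixed all-zero key and nonce, for illustration only.
        SecretKey key = new SecretKeySpec(new byte[16], "AES");
        byte[] nonce = new byte[12];
        byte[] aad = "v1".getBytes();
        byte[] dawn = "attack at dawn".getBytes();
        byte[] ct1 = seal(key, nonce, aad, dawn);
        byte[] ct2 = seal(key, nonce, aad, dawn); // nonce reuse: the SPI does not throw
        byte[] ct3 = seal(key, nonce, aad, "attack at dusk".getBytes());
        // SIV is deterministic: equal key/nonce/AAD/plaintext give equal ciphertext, so a
        // repeated nonce leaks only whether two messages were identical, nothing more.
        System.out.println("same pt, same nonce -> same ct: " + Arrays.equals(ct1, ct2));
        System.out.println("diff pt, same nonce -> same ct: " + Arrays.equals(ct1, ct3));
        System.out.println("round trip ok: " + Arrays.equals(open(key, nonce, aad, ct1), dawn));
        byte[] tampered = ct1.clone();
        tampered[tampered.length - 1] ^= 0x01; // flip one bit of the tag
        try {
            open(key, nonce, aad, tampered);
        } catch (AEADBadTagException e) {
            System.out.println("tampered tag rejected (AEADBadTagException)");
        }
    }
}
```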