Remove SHA224

README.md

@@ -80,7 +80,6 @@ SecretKeyFactory:
 * HkdfWithHmacSHA256
 * HkdfWithHmacSHA384
 * HkdfWithHmacSHA512
-* ConcatenationKdfWithSHA224 (not available in FIPS builds)
 * ConcatenationKdfWithSHA256 (not available in FIPS builds)
 * ConcatenationKdfWithSHA384 (not available in FIPS builds)
 * ConcatenationKdfWithSHA512 (not available in FIPS builds)

csrc/util.cpp

@@ -53,8 +53,6 @@ EVP_MD const* digest_code_to_EVP_MD(int digestCode)
     switch (digestCode) {
     case com_amazon_corretto_crypto_provider_Utils_SHA1_CODE:
         return EVP_sha1();
-    case com_amazon_corretto_crypto_provider_Utils_SHA224_CODE:
-        return EVP_sha224();
     case com_amazon_corretto_crypto_provider_Utils_SHA256_CODE:
         return EVP_sha256();
     case com_amazon_corretto_crypto_provider_Utils_SHA384_CODE:

src/com/amazon/corretto/crypto/provider/AmazonCorrettoCryptoProvider.java

@@ -7,7 +7,6 @@
 import static com.amazon.corretto.crypto.provider.AesCbcSpi.AES_CBC_PKCS7_PADDING_NAMES;
 import static com.amazon.corretto.crypto.provider.ConcatenationKdfSpi.CKDF_WITH_HMAC_SHA256;
 import static com.amazon.corretto.crypto.provider.ConcatenationKdfSpi.CKDF_WITH_HMAC_SHA512;
-import static com.amazon.corretto.crypto.provider.ConcatenationKdfSpi.CKDF_WITH_SHA224;
 import static com.amazon.corretto.crypto.provider.ConcatenationKdfSpi.CKDF_WITH_SHA256;
 import static com.amazon.corretto.crypto.provider.ConcatenationKdfSpi.CKDF_WITH_SHA384;
 import static com.amazon.corretto.crypto.provider.ConcatenationKdfSpi.CKDF_WITH_SHA512;
@@ -96,7 +95,6 @@ private void buildServiceMap() {
     // Once these KDFs are added to a FIPS branch of AWS-LC, we can remove this check.
     if (!Loader.FIPS_BUILD) {
       final String concatenationKdfSpi = "ConcatenationKdf";
-      addService("SecretKeyFactory", CKDF_WITH_SHA224, concatenationKdfSpi, false);
       addService("SecretKeyFactory", CKDF_WITH_SHA256, concatenationKdfSpi, false);
       addService("SecretKeyFactory", CKDF_WITH_SHA384, concatenationKdfSpi, false);
       addService("SecretKeyFactory", CKDF_WITH_SHA512, concatenationKdfSpi, false);

src/com/amazon/corretto/crypto/provider/ConcatenationKdfSpec.java

@@ -13,7 +13,6 @@
  * <p>The algorithmName is the name of algorithm used to create SecretKeySpec.
  */
 public class ConcatenationKdfSpec implements KeySpec {
-  private static final byte[] EMPTY = new byte[0];
   private final byte[] secret;
   private final int outputLen;
   private final String algorithmName;
@@ -41,12 +40,12 @@ public ConcatenationKdfSpec(
 
   public ConcatenationKdfSpec(
       final byte[] secret, final int outputLen, final String algorithmName) {
-    this(secret, outputLen, algorithmName, EMPTY, EMPTY);
+    this(secret, outputLen, algorithmName, Utils.EMPTY_ARRAY, Utils.EMPTY_ARRAY);
   }
 
   public ConcatenationKdfSpec(
       final byte[] secret, final int outputLen, final String algorithmName, final byte[] info) {
-    this(secret, outputLen, algorithmName, info, EMPTY);
+    this(secret, outputLen, algorithmName, info, Utils.EMPTY_ARRAY);
   }
 
   public byte[] getSecret() {

src/com/amazon/corretto/crypto/provider/ConcatenationKdfSpi.java

@@ -78,7 +78,6 @@ private static native void nSskdfHmac(
 
   private static final String CKDF = "ConcatenationKdf";
   private static final String WITH = "With";
-  static final String CKDF_WITH_SHA224 = CKDF + WITH + "SHA224";
   static final String CKDF_WITH_SHA256 = CKDF + WITH + "SHA256";
   static final String CKDF_WITH_SHA384 = CKDF + WITH + "SHA384";
   static final String CKDF_WITH_SHA512 = CKDF + WITH + "SHA512";
@@ -87,9 +86,6 @@ private static native void nSskdfHmac(
 
   private static Map<String, ConcatenationKdfSpi> getInstances() {
     final Map<String, ConcatenationKdfSpi> kdfs = new HashMap<>();
-    kdfs.put(
-        getSpiFactoryForAlgName(CKDF_WITH_SHA224),
-        new ConcatenationKdfSpi(Utils.SHA224_CODE, true));
     kdfs.put(
         getSpiFactoryForAlgName(CKDF_WITH_SHA256),
         new ConcatenationKdfSpi(Utils.SHA256_CODE, true));

src/com/amazon/corretto/crypto/provider/Utils.java

@@ -32,7 +32,6 @@ final class Utils {
   static final int SHA256_CODE = 2;
   static final int SHA384_CODE = 3;
   static final int SHA512_CODE = 4;
-  static final int SHA224_CODE = 5;
   private static final String PROPERTY_NATIVE_CONTEXT_RELEASE_STRATEGY =
       "nativeContextReleaseStrategy";
 

tst/com/amazon/corretto/crypto/provider/test/ConcatenationKdfTest.java

@@ -2,6 +2,7 @@
 // SPDX-License-Identifier: Apache-2.0
 package com.amazon.corretto.crypto.provider.test;
 
+import static com.amazon.corretto.crypto.provider.test.TestUtil.bcDigest;
 import static com.amazon.corretto.crypto.provider.test.TestUtil.getEntriesFromFile;
 import static org.junit.jupiter.api.Assertions.assertArrayEquals;
 import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -16,13 +17,7 @@
 import java.util.stream.Stream;
 import javax.crypto.SecretKeyFactory;
 import javax.crypto.spec.PBEKeySpec;
-import org.bouncycastle.crypto.Digest;
 import org.bouncycastle.crypto.agreement.kdf.ConcatenationKDFGenerator;
-import org.bouncycastle.crypto.digests.SHA1Digest;
-import org.bouncycastle.crypto.digests.SHA224Digest;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.digests.SHA384Digest;
-import org.bouncycastle.crypto.digests.SHA512Digest;
 import org.bouncycastle.crypto.params.KDFParameters;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
@@ -42,7 +37,6 @@ public class ConcatenationKdfTest {
   public void concatenationKdfsAreNotAvailableInFipsMode() {
     assumeTrue(TestUtil.isFips());
     Stream.of(
-            "ConcatenationKdfWithSHA224",
             "ConcatenationKdfWithSHA256",
             "ConcatenationKdfWithSHA384",
             "ConcatenationKdfWithSHA512",
@@ -111,7 +105,7 @@ public void concatenationKdfHmacWithEmptySaltIsFine() throws Exception {
   public void concatenationKdfKatTests(final RspTestEntry entry) throws Exception {
     assumeFalse(TestUtil.isFips());
     final String digest = jceDigestName(entry.getInstance("HASH"));
-    assumeFalse("SHA1".equals(digest));
+    assumeFalse("SHA1".equals(digest) || "SHA224".equals(digest));
     final boolean digestPrf = entry.getInstance("VARIANT").equals("DIGEST");
     final byte[] expected = entry.getInstanceFromHex("EXPECT");
     final byte[] secret = entry.getInstanceFromHex("SECRET");
@@ -158,21 +152,4 @@ private static byte[] bcConcatenationKdf(final String digest, final Concatenatio
     kdf.generateBytes(result, 0, result.length);
     return result;
   }
-
-  private static Digest bcDigest(final String digest) {
-    switch (digest) {
-      case "SHA1":
-        return new SHA1Digest();
-      case "SHA224":
-        return new SHA224Digest();
-      case "SHA256":
-        return new SHA256Digest();
-      case "SHA384":
-        return new SHA384Digest();
-      case "SHA512":
-        return new SHA512Digest();
-      default:
-        return null;
-    }
-  }
 }

tst/com/amazon/corretto/crypto/provider/test/TestUtil.java

@@ -34,6 +34,12 @@
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 import org.apache.commons.codec.binary.Hex;
+import org.bouncycastle.crypto.Digest;
+import org.bouncycastle.crypto.digests.SHA1Digest;
+import org.bouncycastle.crypto.digests.SHA224Digest;
+import org.bouncycastle.crypto.digests.SHA256Digest;
+import org.bouncycastle.crypto.digests.SHA384Digest;
+import org.bouncycastle.crypto.digests.SHA512Digest;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.jupiter.api.Assumptions;
 
@@ -809,4 +815,21 @@ public static List<Integer> genPattern(final long seed, final int choice, final
     }
     return constantPattern(inputLen, choice);
   }
+
+  static Digest bcDigest(final String digest) {
+    switch (digest) {
+      case "SHA1":
+        return new SHA1Digest();
+      case "SHA224":
+        return new SHA224Digest();
+      case "SHA256":
+        return new SHA256Digest();
+      case "SHA384":
+        return new SHA384Digest();
+      case "SHA512":
+        return new SHA512Digest();
+      default:
+        return null;
+    }
+  }
 }