feat: support FIPS endpoints for AWS KMS

[sbstjn]

AWS services offer FIPS endpoints for some services and regions. For AWS KMS, all regions support FIPS endpoints. When using the CLI, you can normally use --endpoint-url https://kms-fips.us-east-1.amazonaws.com and when using any AWS SDK, you can configure the endpoint "mode" by setting AWS_USE_FIPS_ENDPOINT in the environment to true.

This change tries to add comperable support for this.

default / current : kms.us-east-1.amazonaws.com
fips endpoint: kms-fips.us-east-1.amazonaws.com

Details:
https://docs.aws.amazon.com/sdkref/latest/guide/feature-endpoints.html

KMS Service Endpoints:
https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region

[ebourg]

Thank you for the PR, I wasn't aware of the AWS FIPS mode. It would be nice to make the FIPS mode usable even without setting an environment variable. The AmazonSigningService constructor could be modified to accept either a region or a full endpoint URL, or maybe a boolean to enable the FIPS mode.

[sbstjn]

I wanted to simulate the default AWS behaviour, as I don't want to have an additional configuration for jsign about FIPS and for AWS CLI etc.

[ebourg]

I'd rather strip the -fips suffix here, so this method remains generic for any AWS service

[sbstjn]

But that class is only intended to access KMS or are there other services involved that I miss?

[ebourg]

Is it possible to make this method non static and package privarte?

[sbstjn]

I assumed, if I want to test this individually, it needs to be public. Don't know that much about Java ;) Can give it a try later …

[ebourg]

It remains testable from a test class in the same package if the public keyword is removed, that's the "package private" visibility.