diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
index 36acfebd..7da2ff4b 100644
--- a/.github/workflows/checks.yaml
+++ b/.github/workflows/checks.yaml
@@ -93,8 +93,8 @@ jobs:
run: mvn clean --batch-mode clean generate-sources
- name: Tests and enforcer (fips)
run: |
- # install the sdk-fips-bouncycastle jar so that FIPS mode tests work
- mvn --batch-mode install -pl sdk-fips-bouncycastle -am \
+ # install the sdk-fips-bc jar so that FIPS mode tests work
+ mvn --batch-mode install -pl sdk-fips-bc -am \
-Dmaven.antrun.skip \
-Dmaven.test.skip
mvn --batch-mode test enforcer:enforce -P 'fips,!non-fips' \
diff --git a/cmdline/pom.xml b/cmdline/pom.xml
index 28a20b80..0047db9e 100644
--- a/cmdline/pom.xml
+++ b/cmdline/pom.xml
@@ -88,8 +88,9 @@
io.opentdf.platform
- sdk-fips-bouncycastle
+ sdk-fips-bc
${project.version}
+ runtime
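Review bot: The added `runtime` line on the `sdk-fips-bc` dependency (presumably its `<scope>`; the XML tags are lost in this rendering) has no comment explaining why the scope was narrowed. Elsewhere in this diff the module is shown registering itself through `META-INF/services/io.opentdf.platform.sdk.HkdfProvider`, so a comment such as `<!-- runtime only: loaded via the HkdfProvider service file, never referenced at compile time -->` would stop a later edit from widening it again. With either scope the command-line tool carries the FIPS HKDF provider on its runtime classpath, so the same comment should say whether that is also intended for non-FIPS use.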
diff --git a/pom.xml b/pom.xml
index c15307a7..21e750c5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -218,6 +218,67 @@
maven-deploy-plugin
3.1.2
+
+
+ org.apache.maven.plugins
+ maven-source-plugin
+ 3.3.1
+
+
+ attach-sources
+
+ jar
+
+
+
+
+
+
+ org.jetbrains.dokka
+ dokka-maven-plugin
+ 2.0.0
+
+
+ javadoc
+ package
+
+ javadocJar
+
+
+
+
+
+
+ net.nicoulaj.maven.plugins
+ checksum-maven-plugin
+ 1.11
+
+
+ create-checksums
+ package
+
+ files
+
+
+
+ MD5
+ SHA-1
+ SHA-256
+ SHA-512
+
+ true
+
+
+ ${project.build.directory}
+
+ *.jar
+
+
+
+
+
+
+
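Review bot: The `create-checksums` execution added here lists MD5 and SHA-1 next to SHA-256 and SHA-512, with no comment saying which digests consumers are meant to rely on. MD5 and SHA-1 are not collision resistant and only detect accidental corruption, so if they are kept because the target repository expects `.md5`/`.sha1` files, say so, e.g. `<!-- MD5/SHA-1 only for repository compatibility; verify with SHA-256/SHA-512 or the artifact signature -->`. Checksums written by the same build that produces the jars do not establish authenticity, so it is worth confirming that release artifacts are signed elsewhere in the build, which this hunk does not show. The XML tags are lost in this rendering, so the element names are inferred from the values.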
@@ -287,28 +348,15 @@
develop
sdk
- sdk-fips-bouncycastle
cmdline
+ sdk-pqc-bc
+ sdk-fips-bc
examples
true
-
-
- non-fips
-
- true
-
-
- sdk-pqc-bc
-
-
stage
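Review bot: `sdk-pqc-bc` moves from the deleted `non-fips` profile into the `develop` module list, so a reactor build that deactivates `non-fips` no longer excludes it, and nothing in the hunk says whether that is intended. If that module depends on the regular (non-FIPS) BouncyCastle provider, which is not visible here, confirm that it cannot share a classpath with the FIPS provider during the FIPS CI step. That step in `.github/workflows/checks.yaml` still passes `-P 'fips,!non-fips'`, and `!non-fips` now names a profile this hunk removes from the root POM, so drop it or confirm that another POM still defines it. The `release` module list in the next hunk gains the same two modules.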
@@ -345,7 +393,8 @@
release
sdk
- sdk-fips-bouncycastle
+ sdk-pqc-bc
+ sdk-fips-bc
false
diff --git a/sdk-fips-bouncycastle/pom.xml b/sdk-fips-bc/pom.xml
similarity index 67%
rename from sdk-fips-bouncycastle/pom.xml
rename to sdk-fips-bc/pom.xml
index 6c1f08b8..f379bf73 100644
--- a/sdk-fips-bouncycastle/pom.xml
+++ b/sdk-fips-bc/pom.xml
@@ -6,8 +6,8 @@
sdk-pom
0.17.0
- sdk-fips-bouncycastle
- io.opentdf.platform:sdk-fips-bouncycastle
+ sdk-fips-bc
+ io.opentdf.platform:sdk-fips-bc
BouncyCastle FIPS-backed HkdfProvider SPI implementation (FIPS 140-approved HKDF via bc-fips).
jar
@@ -38,4 +38,23 @@
test
+
+
+
+
+ org.apache.maven.plugins
+ maven-source-plugin
+
+
+
+ org.jetbrains.dokka
+ dokka-maven-plugin
+
+
+
+ net.nicoulaj.maven.plugins
+ checksum-maven-plugin
+
+
+
diff --git a/sdk-fips-bouncycastle/src/main/java/io/opentdf/platform/sdk/fips/bouncycastle/BouncyCastleFipsHkdfProvider.java b/sdk-fips-bc/src/main/java/io/opentdf/platform/sdk/fips/bouncycastle/BouncyCastleFipsHkdfProvider.java
similarity index 100%
rename from sdk-fips-bouncycastle/src/main/java/io/opentdf/platform/sdk/fips/bouncycastle/BouncyCastleFipsHkdfProvider.java
rename to sdk-fips-bc/src/main/java/io/opentdf/platform/sdk/fips/bouncycastle/BouncyCastleFipsHkdfProvider.java
diff --git a/sdk-fips-bouncycastle/src/main/resources/META-INF/services/io.opentdf.platform.sdk.HkdfProvider b/sdk-fips-bc/src/main/resources/META-INF/services/io.opentdf.platform.sdk.HkdfProvider
similarity index 100%
rename from sdk-fips-bouncycastle/src/main/resources/META-INF/services/io.opentdf.platform.sdk.HkdfProvider
rename to sdk-fips-bc/src/main/resources/META-INF/services/io.opentdf.platform.sdk.HkdfProvider
diff --git a/sdk-fips-bouncycastle/src/test/java/io/opentdf/platform/sdk/fips/bouncycastle/BouncyCastleFipsHkdfProviderTest.java b/sdk-fips-bc/src/test/java/io/opentdf/platform/sdk/fips/bouncycastle/BouncyCastleFipsHkdfProviderTest.java
similarity index 100%
rename from sdk-fips-bouncycastle/src/test/java/io/opentdf/platform/sdk/fips/bouncycastle/BouncyCastleFipsHkdfProviderTest.java
rename to sdk-fips-bc/src/test/java/io/opentdf/platform/sdk/fips/bouncycastle/BouncyCastleFipsHkdfProviderTest.java
diff --git a/sdk-pqc-bc/pom.xml b/sdk-pqc-bc/pom.xml
index cfbb4130..c647bc55 100644
--- a/sdk-pqc-bc/pom.xml
+++ b/sdk-pqc-bc/pom.xml
@@ -79,4 +79,23 @@
test
+
+
+
+
+ org.apache.maven.plugins
+ maven-source-plugin
+
+
+
+ org.jetbrains.dokka
+ dokka-maven-plugin
+
+
+
+ net.nicoulaj.maven.plugins
+ checksum-maven-plugin
+
+
+
diff --git a/sdk/pom.xml b/sdk/pom.xml
index 1ef48063..f8c536a7 100644
--- a/sdk/pom.xml
+++ b/sdk/pom.xml
@@ -286,15 +286,6 @@
org.apache.maven.plugins
maven-source-plugin
- 3.3.1
-
-
- attach-sources
-
- jar
-
-
-
@@ -314,48 +305,11 @@
org.jetbrains.dokka
dokka-maven-plugin
- 2.0.0
-
-
- javadoc
- package
-
- javadocJar
-
-
-
net.nicoulaj.maven.plugins
checksum-maven-plugin
- 1.11
-
-
- create-checksums
- package
-
- files
-
-
-
- MD5
- SHA-1
- SHA-256
- SHA-512
-
- true
-
-
- ${project.build.directory}
-
- *.jar
-
-
-
-
-
-
org.apache.maven.plugins
@@ -525,7 +479,7 @@
io.opentdf.platform
- sdk-fips-bouncycastle
+ sdk-fips-bc
${project.version}
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/ECKeyPair.java b/sdk/src/main/java/io/opentdf/platform/sdk/ECKeyPair.java
index ef906d06..bdf5674f 100644
--- a/sdk/src/main/java/io/opentdf/platform/sdk/ECKeyPair.java
+++ b/sdk/src/main/java/io/opentdf/platform/sdk/ECKeyPair.java
@@ -112,7 +112,7 @@ public static byte[] computeECDHKey(ECPublicKey publicKey, ECPrivateKey privateK
* that is 32 bytes (256 bits) long.
*
* Delegates to a registered {@link HkdfProvider} when one is available on the
- * classpath (e.g. {@code sdk-fips-bouncycastle}); otherwise falls back to the
+ * classpath (e.g. {@code sdk-fips-bc}); otherwise falls back to the
* JDK-native HmacSHA256 implementation.
*/
public static byte[] calculateHKDF(byte[] salt, byte[] secret) {
@@ -141,7 +141,7 @@ public static byte[] calculateHKDF(byte[] salt, byte[] secret) {
} catch (Exception e) {
String className = e.getClass().getName();
if (className.contains("bouncycastle") && className.endsWith("IllegalKeyException")) {
- throw new SDKException("if running bouncycastle FIPS in approved_only mode include the sdk-fips-bouncycastle jar to use HKDF", e);
+ throw new SDKException("if running bouncycastle FIPS in approved_only mode include the sdk-fips-bc jar to use HKDF", e);
}
throw new SDKException("error computing HKDF", e);
}
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/HkdfProvider.java b/sdk/src/main/java/io/opentdf/platform/sdk/HkdfProvider.java
index 57581619..bee23dae 100644
--- a/sdk/src/main/java/io/opentdf/platform/sdk/HkdfProvider.java
+++ b/sdk/src/main/java/io/opentdf/platform/sdk/HkdfProvider.java
@@ -6,7 +6,7 @@
* When no implementation is on the classpath, {@link ECKeyPair#calculateHKDF} falls
* back to the JDK-native HmacSHA256 implementation.
*
- * The FIPS-approved implementation is {@code io.opentdf.platform:sdk-fips-bouncycastle},
+ * The FIPS-approved implementation is {@code io.opentdf.platform:sdk-fips-bc},
* which uses the BouncyCastle FIPS KDF API directly.
*/
public interface HkdfProvider {
diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/ECKeyPairTest.java b/sdk/src/test/java/io/opentdf/platform/sdk/ECKeyPairTest.java
index 537e2f8f..13d83bd2 100644
--- a/sdk/src/test/java/io/opentdf/platform/sdk/ECKeyPairTest.java
+++ b/sdk/src/test/java/io/opentdf/platform/sdk/ECKeyPairTest.java
@@ -183,6 +183,6 @@ void testECDSA() {
@EnabledIfSystemProperty(named = "org.bouncycastle.fips.approved_only", matches = "true")
void testInformativeException() {
var thrown = assertThrows(SDKException.class, () -> ECKeyPair.calculateHKDF(new byte[]{0}, new byte[]{1,2,3}));
- assertThat(thrown).hasMessage("if running bouncycastle FIPS in approved_only mode include the sdk-fips-bouncycastle jar to use HKDF");
+ assertThat(thrown).hasMessage("if running bouncycastle FIPS in approved_only mode include the sdk-fips-bc jar to use HKDF");
}
}
diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/FipsProviderVerificationTest.java b/sdk/src/test/java/io/opentdf/platform/sdk/FipsProviderVerificationTest.java
index c86a6082..13aa76d4 100644
--- a/sdk/src/test/java/io/opentdf/platform/sdk/FipsProviderVerificationTest.java
+++ b/sdk/src/test/java/io/opentdf/platform/sdk/FipsProviderVerificationTest.java
@@ -52,7 +52,7 @@ void keyManagerFactoryAlgorithmIsPkix() {
@Test
void providerResolves() {
assertThat(HkdfResolver.get())
- .as("the sdk-fips-bouncycastle library must be on the path so that the Hkdf provider resolves. this is configured in the surefire plugin and the sdk-fips-bouncycastle project must be packaged")
+ .as("the sdk-fips-bc library must be on the path so that the Hkdf provider resolves. this is configured in the surefire plugin and the sdk-fips-bc project must be packaged")
.isNotNull();
}
}