4 changes: 2 additions & 2 deletions .github/workflows/checks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -93,8 +93,8 @@ jobs:
run: mvn clean --batch-mode clean generate-sources
- name: Tests and enforcer (fips)
run: |
# install the sdk-fips-bouncycastle jar so that FIPS mode tests work
mvn --batch-mode install -pl sdk-fips-bouncycastle -am \
# install the sdk-fips-bc jar so that FIPS mode tests work
mvn --batch-mode install -pl sdk-fips-bc -am \
-Dmaven.antrun.skip \
-Dmaven.test.skip
mvn --batch-mode test enforcer:enforce -P 'fips,!non-fips' \
Expand Down
3 changes: 2 additions & 1 deletion cmdline/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -88,8 +88,9 @@
<dependencies>
<dependency>
<groupId>io.opentdf.platform</groupId>
<artifactId>sdk-fips-bouncycastle</artifactId>
<artifactId>sdk-fips-bc</artifactId>
<version>${project.version}</version>
<scope>runtime</scope>
</dependency>
</dependencies>
</profile>
Expand Down
81 changes: 65 additions & 16 deletions pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -218,6 +218,67 @@
<artifactId>maven-deploy-plugin</artifactId>
<version>3.1.2</version>
</plugin>
<!-- Plugin to create source JAR -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>3.3.1</version>
<executions>
<execution>
<id>attach-sources</id>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
</plugin>
<!-- Plugin to create Javadoc JAR -->
<plugin>
<groupId>org.jetbrains.dokka</groupId>
<artifactId>dokka-maven-plugin</artifactId>
<version>2.0.0</version>
<executions>
<execution>
<id>javadoc</id>
<phase>package</phase>
<goals>
<goal>javadocJar</goal>
</goals>
</execution>
</executions>
</plugin>
<!-- Plugin to generate checksum files -->
<plugin>
<groupId>net.nicoulaj.maven.plugins</groupId>
<artifactId>checksum-maven-plugin</artifactId>
<version>1.11</version>
<executions>
<execution>
<id>create-checksums</id>
<phase>package</phase>
<goals>
<goal>files</goal>
</goals>
<configuration>
<algorithms>
<algorithm>MD5</algorithm>
<algorithm>SHA-1</algorithm>
<algorithm>SHA-256</algorithm>
<algorithm>SHA-512</algorithm>
</algorithms>
<failOnError>true</failOnError>
<fileSets>
<fileSet>
<directory>${project.build.directory}</directory>
<includes>
<include>*.jar</include>
</includes>
</fileSet>
</fileSets>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</pluginManagement>
<plugins>
Expand Down Expand Up @@ -287,28 +348,15 @@
<id>develop</id>
<modules>
<module>sdk</module>
<module>sdk-fips-bouncycastle</module>
<module>cmdline</module>
<module>sdk-pqc-bc</module>
<module>sdk-fips-bc</module>
<module>examples</module>
</modules>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
</profile>
<profile>
<!-- sdk-pqc-bc is gated behind the non-fips profile because its
BC compile dependency (bcprov-jdk18on) collides with bc-fips
on the same package namespace. A FIPS build (mvn -P fips,!non-fips)
must omit sdk-pqc-bc from the reactor entirely; consumers who
want hybrid PQC opt in via the non-fips profile. -->
<id>non-fips</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<modules>
<module>sdk-pqc-bc</module>
</modules>
</profile>
<profile>
<id>stage</id>
<modules>
Expand Down Expand Up @@ -345,7 +393,8 @@
<id>release</id>
<modules>
<module>sdk</module>
<module>sdk-fips-bouncycastle</module>
<module>sdk-pqc-bc</module>
<module>sdk-fips-bc</module>
</modules>
<activation>
<activeByDefault>false</activeByDefault>
Expand Down
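Review bot: The comment deleted with the old `non-fips` profile explained why `sdk-pqc-bc` was kept out of the reactor: its `bcprov-jdk18on` compile dependency shares package names with `bc-fips`, so a FIPS build has to omit the module entirely — yet the new `develop` and `release` module lists add `sdk-pqc-bc` unconditionally and nothing visible in this section re-establishes that exclusion. Unless a `fips` profile outside these hunks drops the module, `mvn -P 'fips,!non-fips'` (still what checks.yaml runs in this PR) now appears to build `sdk-pqc-bc` alongside `bc-fips`, reintroducing the collision the comment warned about and putting a non-FIPS BouncyCastle provider into a build that is supposed to be FIPS-only; `!non-fips` in that command also now names a profile that no longer exists. If dropping the gate is intentional, carry the rationale forward so the next reader does not have to rediscover it, e.g. above the `develop` modules: `<!-- sdk-pqc-bc compiles against bcprov-jdk18on, which shares packages with bc-fips; a FIPS build must not put both providers on one classpath -->`, and adjust the CI profile selector to match. Separately, the checksum execution moved into pluginManagement still emits MD5 and SHA-1 files next to SHA-256/SHA-512; that is fine as a transport checksum but consumers should be pointed at the SHA-2 files for integrity verification.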
23 changes: 21 additions & 2 deletions sdk-fips-bouncycastle/pom.xml → sdk-fips-bc/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
<artifactId>sdk-pom</artifactId>
<version>0.17.0</version>
</parent>
<artifactId>sdk-fips-bouncycastle</artifactId>
<name>io.opentdf.platform:sdk-fips-bouncycastle</name>
<artifactId>sdk-fips-bc</artifactId>
<name>io.opentdf.platform:sdk-fips-bc</name>
<description>BouncyCastle FIPS-backed HkdfProvider SPI implementation (FIPS 140-approved HKDF via bc-fips).</description>
<packaging>jar</packaging>
<properties>
Expand Down Expand Up @@ -38,4 +38,23 @@
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<!-- Plugin to create source JAR -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
</plugin>
<!-- Plugin to create Javadoc JAR -->
<plugin>
<groupId>org.jetbrains.dokka</groupId>
<artifactId>dokka-maven-plugin</artifactId>
</plugin>
<!-- Plugin to generate checksum files -->
<plugin>
<groupId>net.nicoulaj.maven.plugins</groupId>
<artifactId>checksum-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
19 changes: 19 additions & 0 deletions sdk-pqc-bc/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -79,4 +79,23 @@
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<!-- Plugin to create source JAR -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
</plugin>
<!-- Plugin to create Javadoc JAR -->
<plugin>
<groupId>org.jetbrains.dokka</groupId>
<artifactId>dokka-maven-plugin</artifactId>
</plugin>
<!-- Plugin to generate checksum files -->
<plugin>
<groupId>net.nicoulaj.maven.plugins</groupId>
<artifactId>checksum-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
48 changes: 1 addition & 47 deletions sdk/pom.xml
Original file line number Diff line number Diff line change
Expand Up @@ -286,15 +286,6 @@
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>3.3.1</version>
<executions>
<execution>
<id>attach-sources</id>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
</plugin>
<!-- Test-jar for shared test fixtures (FakeServicesBuilder, etc.)
consumed by sibling modules like sdk-pqc-bc. -->
Expand All @@ -314,48 +305,11 @@
<plugin>
<groupId>org.jetbrains.dokka</groupId>
<artifactId>dokka-maven-plugin</artifactId>
<version>2.0.0</version>
<executions>
<execution>
<id>javadoc</id>
<phase>package</phase>
<goals>
<goal>javadocJar</goal>
</goals>
</execution>
</executions>
</plugin>
<!-- Plugin to generate checksum files -->
<plugin>
<groupId>net.nicoulaj.maven.plugins</groupId>
<artifactId>checksum-maven-plugin</artifactId>
<version>1.11</version>
<executions>
<execution>
<id>create-checksums</id>
<phase>package</phase>
<goals>
<goal>files</goal>
</goals>
<configuration>
<algorithms>
<algorithm>MD5</algorithm>
<algorithm>SHA-1</algorithm>
<algorithm>SHA-256</algorithm>
<algorithm>SHA-512</algorithm>
</algorithms>
<failOnError>true</failOnError>
<fileSets>
<fileSet>
<directory>${project.build.directory}</directory>
<includes>
<include>*.jar</include>
</includes>
</fileSet>
</fileSets>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
Expand Down Expand Up @@ -525,7 +479,7 @@
<additionalClasspathDependencies>
<dependency>
<groupId>io.opentdf.platform</groupId>
<artifactId>sdk-fips-bouncycastle</artifactId>
<artifactId>sdk-fips-bc</artifactId>
<version>${project.version}</version>
</dependency>
</additionalClasspathDependencies>
Expand Down
4 changes: 2 additions & 2 deletions sdk/src/main/java/io/opentdf/platform/sdk/ECKeyPair.java
Original file line number Diff line number Diff line change
Expand Up @@ -112,7 +112,7 @@ public static byte[] computeECDHKey(ECPublicKey publicKey, ECPrivateKey privateK
* that is 32 bytes (256 bits) long.
*
* Delegates to a registered {@link HkdfProvider} when one is available on the
* classpath (e.g. {@code sdk-fips-bouncycastle}); otherwise falls back to the
* classpath (e.g. {@code sdk-fips-bc}); otherwise falls back to the
* JDK-native HmacSHA256 implementation.
*/
public static byte[] calculateHKDF(byte[] salt, byte[] secret) {
Expand Down Expand Up @@ -141,7 +141,7 @@ public static byte[] calculateHKDF(byte[] salt, byte[] secret) {
} catch (Exception e) {
String className = e.getClass().getName();
if (className.contains("bouncycastle") && className.endsWith("IllegalKeyException")) {
throw new SDKException("if running bouncycastle FIPS in approved_only mode include the sdk-fips-bouncycastle jar to use HKDF", e);
throw new SDKException("if running bouncycastle FIPS in approved_only mode include the sdk-fips-bc jar to use HKDF", e);
}
throw new SDKException("error computing HKDF", e);
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
* When no implementation is on the classpath, {@link ECKeyPair#calculateHKDF} falls
* back to the JDK-native HmacSHA256 implementation.
*
* The FIPS-approved implementation is {@code io.opentdf.platform:sdk-fips-bouncycastle},
* The FIPS-approved implementation is {@code io.opentdf.platform:sdk-fips-bc},
* which uses the BouncyCastle FIPS KDF API directly.
*/
public interface HkdfProvider {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -183,6 +183,6 @@ void testECDSA() {
@EnabledIfSystemProperty(named = "org.bouncycastle.fips.approved_only", matches = "true")
void testInformativeException() {
var thrown = assertThrows(SDKException.class, () -> ECKeyPair.calculateHKDF(new byte[]{0}, new byte[]{1,2,3}));
assertThat(thrown).hasMessage("if running bouncycastle FIPS in approved_only mode include the sdk-fips-bouncycastle jar to use HKDF");
assertThat(thrown).hasMessage("if running bouncycastle FIPS in approved_only mode include the sdk-fips-bc jar to use HKDF");
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ void keyManagerFactoryAlgorithmIsPkix() {
@Test
void providerResolves() {
assertThat(HkdfResolver.get())
.as("the sdk-fips-bouncycastle library must be on the path so that the Hkdf provider resolves. this is configured in the surefire plugin and the sdk-fips-bouncycastle project must be packaged")
.as("the sdk-fips-bc library must be on the path so that the Hkdf provider resolves. this is configured in the surefire plugin and the sdk-fips-bc project must be packaged")
.isNotNull();
}
}