chore(fips): merge main into fips

cmdline/pom.xml

@@ -77,5 +77,9 @@
             <artifactId>sdk</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <dependency>
+            <groupId>org.bouncycastle</groupId>
+            <artifactId>bcprov-jdk18on</artifactId>
+        </dependency>
     </dependencies>
 </project>

cmdline/src/main/java/io/opentdf/platform/Command.java

@@ -10,6 +10,7 @@
 import com.google.gson.GsonBuilder;
 import com.google.gson.reflect.TypeToken;
 
+import java.security.Security;
 import java.text.ParseException;
 import com.google.gson.JsonSyntaxException;
 import io.opentdf.platform.sdk.AssertionConfig;
@@ -18,7 +19,8 @@
 import io.opentdf.platform.sdk.KeyType;
 import io.opentdf.platform.sdk.SDK;
 import io.opentdf.platform.sdk.SDKBuilder;
-import nl.altindag.ssl.SSLFactory;
+import io.opentdf.platform.sdk.TrustProvider;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import picocli.CommandLine;
 import picocli.CommandLine.HelpCommand;
 import picocli.CommandLine.Option;
@@ -63,6 +65,10 @@ class Versions {
         + "\",\"tdfSpecVersion\":\"" + Versions.TDF_SPEC + "\"}")
 class Command {
 
+    static {
+        Security.addProvider(new BouncyCastleProvider());
+    }
+
     @Option(names = { "-V", "--version" }, versionHelp = true, description = "display version info")
     boolean versionInfoRequested;
 
@@ -262,10 +268,8 @@ void encrypt(
     private SDK buildSDK() {
         SDKBuilder builder = new SDKBuilder();
         if (insecure) {
-            SSLFactory sslFactory = SSLFactory.builder()
-                    .withUnsafeTrustMaterial() // Trust all certificates
-                    .build();
-            builder.sslFactory(sslFactory);
+            // Trust all certificates
+            builder.sslFactory(TrustProvider.insecure().getSslSocketFactory());
         }
 
         return builder.platformEndpoint(platformEndpoint)

pom.xml

@@ -17,7 +17,6 @@
         <grpc.version>1.75.0</grpc.version>
         <protobuf.version>4.29.2</protobuf.version>
         <bouncycastle.version>1.82</bouncycastle.version>
-        <ayza.version>10.0.0</ayza.version>
         <bytebuddy.version>1.18.3</bytebuddy.version>
         <!-- JaCoCo Properties -->
         <jacoco.version>0.8.13</jacoco.version>
@@ -78,39 +77,6 @@
                 <version>3.4</version>
                 <scope>provided</scope>
             </dependency>
-            <dependency>
-                <groupId>io.github.hakky54</groupId>
-                <artifactId>ayza-for-pem</artifactId>
-                <version>${ayza.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <groupId>org.slf4j</groupId>
-                        <artifactId>slf4j-api</artifactId>
-                    </exclusion>
-                </exclusions>
-            </dependency>
-            <dependency>
-                <groupId>io.github.hakky54</groupId>
-                <artifactId>ayza</artifactId>
-                <version>${ayza.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <groupId>org.slf4j</groupId>
-                        <artifactId>slf4j-api</artifactId>
-                    </exclusion>
-                </exclusions>
-            </dependency>
-            <dependency>
-                <groupId>io.github.hakky54</groupId>
-                <artifactId>ayza-for-netty</artifactId>
-                <version>${ayza.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <groupId>org.slf4j</groupId>
-                        <artifactId>slf4j-api</artifactId>
-                    </exclusion>
-                </exclusions>
-            </dependency>
             <dependency>
                 <groupId>io.grpc</groupId>
                 <artifactId>grpc-netty-shaded</artifactId>

sdk/pom.xml

@@ -31,18 +31,6 @@
             <artifactId>oauth2-oidc-sdk</artifactId>
             <version>11.10.1</version>
         </dependency>
-        <dependency>
-            <groupId>io.github.hakky54</groupId>
-            <artifactId>ayza-for-pem</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>io.github.hakky54</groupId>
-            <artifactId>ayza</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>io.github.hakky54</groupId>
-            <artifactId>ayza-for-netty</artifactId>
-        </dependency>
         <!-- Serialization and Deserialization Dependencies -->
         <dependency>
             <groupId>com.google.code.gson</groupId>

sdk/src/main/java/io/opentdf/platform/sdk/CompositeX509ExtendedTrustManager.java

@@ -0,0 +1,122 @@
+package io.opentdf.platform.sdk;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedTrustManager;
+import java.net.Socket;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+
+final class CompositeX509ExtendedTrustManager extends X509ExtendedTrustManager {
+
+    private final List<X509ExtendedTrustManager> delegates;
+    private final X509Certificate[] acceptedIssuers;
+
+    CompositeX509ExtendedTrustManager(List<X509ExtendedTrustManager> delegates) {
+        if (delegates == null || delegates.isEmpty()) {
+            throw new IllegalArgumentException("at least one trust manager is required");
+        }
+        this.delegates = Collections.unmodifiableList(new ArrayList<>(delegates));
+        Set<X509Certificate> issuers = new LinkedHashSet<>();
+        for (X509ExtendedTrustManager tm : this.delegates) {
+            X509Certificate[] tmIssuers = tm.getAcceptedIssuers();
+            if (tmIssuers != null) {
+                Collections.addAll(issuers, tmIssuers);
+            }
+        }
+        this.acceptedIssuers = issuers.toArray(new X509Certificate[0]);
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        CertificateException last = null;
+        for (X509ExtendedTrustManager tm : delegates) {
+            try {
+                tm.checkClientTrusted(chain, authType);
+                return;
+            } catch (CertificateException e) {
+                last = e;
+            }
+        }
+        throw last;
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+        CertificateException last = null;
+        for (X509ExtendedTrustManager tm : delegates) {
+            try {
+                tm.checkClientTrusted(chain, authType, socket);
+                return;
+            } catch (CertificateException e) {
+                last = e;
+            }
+        }
+        throw last;
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
+        CertificateException last = null;
+        for (X509ExtendedTrustManager tm : delegates) {
+            try {
+                tm.checkClientTrusted(chain, authType, engine);
+                return;
+            } catch (CertificateException e) {
+                last = e;
+            }
+        }
+        throw last;
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        CertificateException last = null;
+        for (X509ExtendedTrustManager tm : delegates) {
+            try {
+                tm.checkServerTrusted(chain, authType);
+                return;
+            } catch (CertificateException e) {
+                last = e;
+            }
+        }
+        throw last;
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+        CertificateException last = null;
+        for (X509ExtendedTrustManager tm : delegates) {
+            try {
+                tm.checkServerTrusted(chain, authType, socket);
+                return;
+            } catch (CertificateException e) {
+                last = e;
+            }
+        }
+        throw last;
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
+        CertificateException last = null;
+        for (X509ExtendedTrustManager tm : delegates) {
+            try {
+                tm.checkServerTrusted(chain, authType, engine);
+                return;
+            } catch (CertificateException e) {
+                last = e;
+            }
+        }
+        throw last;
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        return acceptedIssuers.clone();
+    }
+}