Tags: opentdf/java-sdk
feat: verify that BC works with `approved_only` mode set (#375)

The bouncycastle FIPS provider happily does things that are not FIPS-compliant when the `org.bouncycastle.fips.approved_only` system property is not set to `true`. The following problems were observed:

1. Using OAEP to `ENCRYPT` rather than `WRAP`. We are indeed using OAEP for key wrapping so we just had to change some cipher parameters. `WRAP` and `ENCRYPT` perform the same operation; the only difference is in the semantics and the JCA API associated with each operation. This should not affect compatibility with other parts of the platform in any way.
2. Without `approved_only` BC would be fine using a non-FIPS truststore. Now we add an empty truststore (with an empty password) of a type that can be loaded by the BC FIPS truststore.
3. Our home-grown implementation of HKDF didn't work because our usage of `SHA-256/HMAC` within the HKDF implementation triggers the error: `ECKeyPairTest.createSymmetricKeysWithOtherCurves:129 » IllegalKey Key size for HMAC must be at least 112 bits in approved mode: SHA-256/HMAC`. By using a FIPS-compliant provider that implements HKDF directly we bypass this error.

We include the FIPS implementation of HKDF in a separate JAR due to its dependency on the bouncycastle FIPS provider. If we included it in the same JAR we would have a dependency on `bc-fips`, which would conflict with usage of the regular bouncycastle provider. Since bouncycastle is popular it seems best to allow non-FIPS usage.

The major change from a customer POV is that customers that want to use EC crypto in a FIPS context will now need to pull in the `sdk-fips-bouncycastle` jar and depend on `bc-fips`, since HKDF [only got a JCA name in JDK 24](https://openjdk.org/jeps/478) and [bc-fips does not expose HKDF through a provider interface](https://downloads.bouncycastle.org/fips-java/docs/BC-FJA-UserGuide-2.1.1.pdf).

If using `bc-fips` is not appropriate in a particular application it would be quite easy to implement an alternative JAR that implements a similar provider pattern and uses whichever FIPS-compliant library one wishes to implement HKDF.

Also:

* pull the test scripts in `checks.yaml` into bash files so they can be run locally more easily
* add a FIPS mode `cmdline` platform integration phase
* publish the new FIPS provider JAR to maven central
* remove double addition of generated sources that was generating a warning
* overwrite the `java.security` file in its entirety so that we know exactly which providers we are using in FIPS tests

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
chore(main): release 0.15.0 (#358)

🤖 I have created a release *beep* *boop*

---

<details><summary>0.15.0</summary>

## [0.15.0](v0.14.0...v0.15.0) (2026-04-29)

### Features

* **sdk:** add shorthand enum constants for policy types ([#357](#357)) ([a1d4651](a1d4651))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

chore(main): release 0.14.0 (#351)

🤖 I have created a release *beep* *boop*

---

<details><summary>0.14.0</summary>

## [0.14.0](v0.13.0...v0.14.0) (2026-04-21)

### Features

* **sdk:** add ergonomic Resource constructors for authorization ([#354](#354)) ([9e05ca2](9e05ca2))

### Bug Fixes

* **ci:** allow release branch scopes in PR title validation ([#349](#349)) ([8020a3b](8020a3b))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

chore(main): release 0.13.0 (#327)

🤖 I have created a release *beep* *boop*

---

<details><summary>0.13.0</summary>

## [0.13.0](v0.12.0...v0.13.0) (2026-04-09)

### Features

* **sdk:** add EntityIdentifier convenience constructors ([#346](#346)) ([eeb8805](eeb8805))
* **sdk:** DSPX-2418 add discovery convenience methods ([#339](#339)) ([8de6068](8de6068))
* **sdk:** expose SRT signer ([#329](#329)) ([f93d332](f93d332))

### Bug Fixes

* add a default assertion id if one is not specified ([#341](#341)) ([69d6a53](69d6a53))
* **docs:** DSPX-2409 replace SDK README code example with working code ([#336](#336)) ([0f224a6](0f224a6))
* **sdk:** Support kas keys with extended EC methods ([#344](#344)) ([982b287](982b287))
* **sdk:** Support RSA4096 Kas keys ([#343](#343)) ([dba9bbf](dba9bbf))
* **sdk:** Updates to proto version v0.16.0 ([#308](#308)) ([4660e27](4660e27))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

chore(main): release 0.12.0 (#326)

🤖 I have created a release *beep* *boop*

---

<details><summary>0.12.0</summary>

## [0.12.0](v0.11.1...v0.12.0) (2026-01-15)

### ⚠ BREAKING CHANGES

* **sdk:** remove NanoTDF implementation ([#321](#321))

### Features

* **sdk:** enhance assertion verification to support jwk and x509 certificates ([#322](#322)) ([251fea2](251fea2))
* **sdk:** expose base key ([#323](#323)) ([c370a46](c370a46))

### Bug Fixes

* **sdk:** remove NanoTDF implementation ([#321](#321)) ([63715d2](63715d2))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

chore(main): release 0.11.1 (#318)

🤖 I have created a release *beep* *boop*

---

<details><summary>0.11.1</summary>

## [0.11.1](v0.11.0...v0.11.1) (2025-12-08)

### Bug Fixes

* **examples:** improve logging and setup logic in examples ([#316](#316)) ([2e5660c](2e5660c))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

chore(main): release 0.11.0 (#297)

🤖 I have created a release *beep* *boop*

---

<details><summary>0.11.0</summary>

## [0.11.0](v0.10.0...v0.11.0) (2025-11-20)

### Features

* **ci:** DSPX-1716 Updating permission for bundled tests ([#306](#306)) ([87ff3e6](87ff3e6))

### Bug Fixes

* **ci:** Fix the workflow that updates the proto version ([#301](#301)) ([9bd9ce5](9bd9ce5))
* **main:** make examples runnable ([#311](#311)) ([5ede7dd](5ede7dd))
* parse hostnames with no ports correctly ([#292](#292)) ([3da5f51](3da5f51))
* **sdk:** remove reserved and unused proto field ([#299](#299)) ([50b0302](50b0302))
* we can't parse things like `192.168.1.1:4000` ([#294](#294)) ([dc3142d](dc3142d))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

chore(main): release 0.10.0 (#279)

🤖 I have created a release *beep* *boop*

---

<details><summary>0.10.0</summary>

## [0.10.0](v0.9.0...v0.10.0) (2025-09-02)

### ⚠ BREAKING CHANGES

* **sdk:** add base key and support for key grants in ZTDF ([#271](#271))

### Features

* ability to set connect-rpc protocol ([#285](#285)) ([47041c5](47041c5))
* add system metadata assertion ([#270](#270)) ([d235f13](d235f13))
* expose AuthorizationService v2 ([#287](#287)) ([d1fd106](d1fd106))
* introduce the base key for nano flows ([#273](#273)) ([d337704](d337704))
* **sdk:** add base key and support for key grants in ZTDF ([#271](#271)) ([c3b79db](c3b79db))

### Bug Fixes

* **ci:** Update codeql.yaml to run on all pull requests ([#283](#283)) ([9e318bb](9e318bb))
* create AES-256 keys of the correct length with all curves ([#282](#282)) ([95c20b3](95c20b3))
* **sdk:** add methods to examine Manifest and Policy ([#278](#278)) ([03d5d41](03d5d41))
* **sdk:** parse the component sizes ([#286](#286)) ([3b1bb69](3b1bb69))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

chore(main): release 0.9.0 (#274)

🤖 I have created a release *beep* *boop*

---

<details><summary>0.9.0</summary>

## [0.9.0](v0.8.1...v0.9.0) (2025-07-14)

### Features

* **sdk:** Get the algorithm from the KASInfo and not the config ([#272](#272)) ([feff0e8](feff0e8))

### Bug Fixes

* **sdk:** upgrade the platform protocol code ([#275](#275)) ([90eaba1](90eaba1))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

chore(main): release 0.8.1 (#263)

🤖 I have created a release *beep* *boop*

---

<details><summary>0.8.1</summary>

## [0.8.1](v0.8.0...v0.8.1) (2025-05-29)

### Bug Fixes

* **ci:** use `dokka-maven-plugin` instead of `javadoc-maven-plugin` ([#262](#262)) ([ab1e7b1](ab1e7b1))

</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>