Draft
Conversation
Merges main (v0.15.0) into the fips branch.
Conflict resolution:
- ECKeyPair.java: Combined main's structure (ECCurve enum, KeyPair field,
new methods like getPEMPublicKeyFromX509Cert) with fips's FIPS-compatible
crypto changes (no explicit BouncyCastle provider, standard Java interfaces
for ECPublicKey/ECPrivateKey, KeyFactory.getInstance("EC")).
- ECKeyPairTest.java: Kept fips's removal of extractPemPubKeyFromX509 test
(which used BC-specific .getQ()), incorporated main's new
createSymmetricKeysWithOtherCurves test, and enabled publicKeyFromECPoint
assertion using ECCurve.getCurveName().
- NanoTDF.java: Accepted main's deletion since all NanoTDF dependencies
(ECCMode, NanoTDFType, etc.) were also removed in main.
Signed-off-by: GitHub <noreply@github.com>
Co-authored-by: mkleene <262667+mkleene@users.noreply.github.com>
Copilot created this pull request from a session on behalf of
mkleene
May 5, 2026 20:48
View session
Contributor
X-Test Results |
Remove the three io.github.hakky54:ayza* dependencies and replace their TLS trust-material role with an SDK-owned TrustProvider built on provider-agnostic JCA APIs (CertificateFactory, KeyStore, TrustManagerFactory, SSLContext). This works under any registered crypto provider, including BC-FIPS, and avoids hardcoded provider names. - Add TrustProvider and package-private CompositeX509ExtendedTrustManager for combining JVM default + custom trust material. - SDKBuilder: replace SSLFactory field with SSLSocketFactory + X509TrustManager. sslFactory(SSLFactory) becomes sslFactory(SSLSocketFactory); add sslFactory(SSLSocketFactory, X509TrustManager) for callers that have a matching trust manager. sslFactoryFromDirectory / sslFactoryFromKeyStore signatures and semantics are preserved, now backed by TrustProvider internally. - TokenSource takes SSLSocketFactory directly. - Command.java --insecure path uses TrustProvider.insecure(). - SDKBuilderTest reworked to drop nl.altindag imports and use TrustProvider + standard JCA. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| try { | ||
| SSLContext ctx = SSLContext.getInstance("TLS"); | ||
| X509ExtendedTrustManager trustAll = new InsecureTrustManager(); | ||
| ctx.init(new KeyManager[0], new TrustManager[]{trustAll}, new SecureRandom()); |
Contributor
Contributor
X-Test Failure Report |
…to copilot/merge-main-into-fips
mkleene
force-pushed
the
copilot/merge-main-into-fips
branch
from
0c540e0 to
46ac8d9
Compare
Contributor
X-Test Failure Report |
|
Contributor
X-Test Results |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Brings the
fipsbranch up to date withmain(v0.15.0), incorporating ~50 commits of new features and refactoring while preserving FIPS-specific crypto changes.Conflict resolution
ECKeyPair.javaThe two branches diverged significantly:
mainrestructured around anECCurveenum,KeyPairfield, and addedgetPEMPublicKeyFromX509Cert;fipsswitched to standardjava.security.interfacestypes and removed explicit BouncyCastle provider pinning from JCA operations. Resolution takes main's structure and applies fips's FIPS-critical constraints:KeyPairGeneratorSpi.getInstance(algo)— no explicit BC providerKeyFactory.getInstance("EC")— not"ECDSA"or"EC","BC"KeyAgreement.getInstance("ECDH")/Signature.getInstance("SHA256withECDSA")— no"BC"provider argnew JcaPEMKeyConverter()— no.setProvider(BOUNCY_CASTLE_PROVIDER)java.security.interfaces.ECPublicKey/ECPrivateKey(compatible with auto-mergedTDF.java/KASClient.java)ECKeyPairTest.javaextractPemPubKeyFromX509— used BC-specific.getQ()which is unavailable onjava.security.interfaces.ECPublicKeycreateSymmetricKeysWithOtherCurvesfrom main (no BC-specific calls)publicKeyFromECPointassertion usingSECP256R1.getCurveName()NanoTDF.javaAccepted main's deletion. All NanoTDF dependencies (
ECCMode,NanoTDFType,NanoTDFECDSAStruct, etc.) were removed in main; keepingNanoTDF.javaalone would break compilation. The fips-branch changes toNanoTDF.javawere incidental import-style updates, not new FIPS functionality.