feat(sdk): replace ayza libraries with TrustProvider on JCA

Remove the three io.github.hakky54:ayza* dependencies and replace their
TLS trust-material role with an SDK-owned TrustProvider built on
provider-agnostic JCA APIs (CertificateFactory, KeyStore,
TrustManagerFactory, SSLContext). This works under any registered crypto
provider, including BC-FIPS, and avoids hardcoded provider names.

- Add TrustProvider and package-private CompositeX509ExtendedTrustManager
  for combining JVM default + custom trust material.
- SDKBuilder: replace SSLFactory field with SSLSocketFactory +
  X509TrustManager. sslFactory(SSLFactory) becomes
  sslFactory(SSLSocketFactory); add sslFactory(SSLSocketFactory,
  X509TrustManager) for callers that have a matching trust manager.
  sslFactoryFromDirectory / sslFactoryFromKeyStore signatures and
  semantics are preserved, now backed by TrustProvider internally.
- TokenSource takes SSLSocketFactory directly.
- Command.java --insecure path uses TrustProvider.insecure().
- SDKBuilderTest reworked to drop nl.altindag imports and use
  TrustProvider + standard JCA.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: mkleene

cmdline/src/main/java/io/opentdf/platform/Command.java

@@ -18,7 +18,7 @@
 import io.opentdf.platform.sdk.KeyType;
 import io.opentdf.platform.sdk.SDK;
 import io.opentdf.platform.sdk.SDKBuilder;
-import nl.altindag.ssl.SSLFactory;
+import io.opentdf.platform.sdk.TrustProvider;
 import picocli.CommandLine;
 import picocli.CommandLine.HelpCommand;
 import picocli.CommandLine.Option;
@@ -262,10 +262,8 @@ void encrypt(
     private SDK buildSDK() {
         SDKBuilder builder = new SDKBuilder();
         if (insecure) {
-            SSLFactory sslFactory = SSLFactory.builder()
-                    .withUnsafeTrustMaterial() // Trust all certificates
-                    .build();
-            builder.sslFactory(sslFactory);
+            // Trust all certificates
+            builder.sslFactory(TrustProvider.insecure().getSslSocketFactory());
         }
 
         return builder.platformEndpoint(platformEndpoint)

pom.xml

@@ -17,7 +17,6 @@
         <grpc.version>1.75.0</grpc.version>
         <protobuf.version>4.29.2</protobuf.version>
         <bouncycastle.version>1.82</bouncycastle.version>
-        <ayza.version>10.0.0</ayza.version>
         <bytebuddy.version>1.18.3</bytebuddy.version>
         <!-- JaCoCo Properties -->
         <jacoco.version>0.8.13</jacoco.version>
@@ -78,39 +77,6 @@
                 <version>3.4</version>
                 <scope>provided</scope>
             </dependency>
-            <dependency>
-                <groupId>io.github.hakky54</groupId>
-                <artifactId>ayza-for-pem</artifactId>
-                <version>${ayza.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <groupId>org.slf4j</groupId>
-                        <artifactId>slf4j-api</artifactId>
-                    </exclusion>
-                </exclusions>
-            </dependency>
-            <dependency>
-                <groupId>io.github.hakky54</groupId>
-                <artifactId>ayza</artifactId>
-                <version>${ayza.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <groupId>org.slf4j</groupId>
-                        <artifactId>slf4j-api</artifactId>
-                    </exclusion>
-                </exclusions>
-            </dependency>
-            <dependency>
-                <groupId>io.github.hakky54</groupId>
-                <artifactId>ayza-for-netty</artifactId>
-                <version>${ayza.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <groupId>org.slf4j</groupId>
-                        <artifactId>slf4j-api</artifactId>
-                    </exclusion>
-                </exclusions>
-            </dependency>
             <dependency>
                 <groupId>io.grpc</groupId>
                 <artifactId>grpc-netty-shaded</artifactId>

sdk/pom.xml

@@ -31,18 +31,6 @@
             <artifactId>oauth2-oidc-sdk</artifactId>
             <version>11.10.1</version>
         </dependency>
-        <dependency>
-            <groupId>io.github.hakky54</groupId>
-            <artifactId>ayza-for-pem</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>io.github.hakky54</groupId>
-            <artifactId>ayza</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>io.github.hakky54</groupId>
-            <artifactId>ayza-for-netty</artifactId>
-        </dependency>
         <!-- Serialization and Deserialization Dependencies -->
         <dependency>
             <groupId>com.google.code.gson</groupId>

sdk/src/main/java/io/opentdf/platform/sdk/CompositeX509ExtendedTrustManager.java

@@ -0,0 +1,122 @@
+package io.opentdf.platform.sdk;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedTrustManager;
+import java.net.Socket;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+
+final class CompositeX509ExtendedTrustManager extends X509ExtendedTrustManager {
+
+    private final List<X509ExtendedTrustManager> delegates;
+    private final X509Certificate[] acceptedIssuers;
+
+    CompositeX509ExtendedTrustManager(List<X509ExtendedTrustManager> delegates) {
+        if (delegates == null || delegates.isEmpty()) {
+            throw new IllegalArgumentException("at least one trust manager is required");
+        }
+        this.delegates = Collections.unmodifiableList(new ArrayList<>(delegates));
+        Set<X509Certificate> issuers = new LinkedHashSet<>();
+        for (X509ExtendedTrustManager tm : this.delegates) {
+            X509Certificate[] tmIssuers = tm.getAcceptedIssuers();
+            if (tmIssuers != null) {
+                Collections.addAll(issuers, tmIssuers);
+            }
+        }
+        this.acceptedIssuers = issuers.toArray(new X509Certificate[0]);
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        CertificateException last = null;
+        for (X509ExtendedTrustManager tm : delegates) {
+            try {
+                tm.checkClientTrusted(chain, authType);
+                return;
+            } catch (CertificateException e) {
+                last = e;
+            }
+        }
+        throw last;
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+        CertificateException last = null;
+        for (X509ExtendedTrustManager tm : delegates) {
+            try {
+                tm.checkClientTrusted(chain, authType, socket);
+                return;
+            } catch (CertificateException e) {
+                last = e;
+            }
+        }
+        throw last;
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
+        CertificateException last = null;
+        for (X509ExtendedTrustManager tm : delegates) {
+            try {
+                tm.checkClientTrusted(chain, authType, engine);
+                return;
+            } catch (CertificateException e) {
+                last = e;
+            }
+        }
+        throw last;
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        CertificateException last = null;
+        for (X509ExtendedTrustManager tm : delegates) {
+            try {
+                tm.checkServerTrusted(chain, authType);
+                return;
+            } catch (CertificateException e) {
+                last = e;
+            }
+        }
+        throw last;
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+        CertificateException last = null;
+        for (X509ExtendedTrustManager tm : delegates) {
+            try {
+                tm.checkServerTrusted(chain, authType, socket);
+                return;
+            } catch (CertificateException e) {
+                last = e;
+            }
+        }
+        throw last;
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
+        CertificateException last = null;
+        for (X509ExtendedTrustManager tm : delegates) {
+            try {
+                tm.checkServerTrusted(chain, authType, engine);
+                return;
+            } catch (CertificateException e) {
+                last = e;
+            }
+        }
+        throw last;
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        return acceptedIssuers.clone();
+    }
+}

sdk/src/main/java/io/opentdf/platform/sdk/SDKBuilder.java

@@ -34,22 +34,17 @@
 import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationResponse;
 import io.opentdf.platform.wellknownconfiguration.WellKnownServiceClient;
 import io.opentdf.platform.wellknownconfiguration.WellKnownServiceClientInterface;
-import nl.altindag.ssl.SSLFactory;
-import nl.altindag.ssl.pem.util.PemUtils;
 import okhttp3.OkHttpClient;
 import okhttp3.Protocol;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.annotation.Nonnull;
+import javax.net.ssl.SSLSocketFactory;
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509ExtendedTrustManager;
-import java.io.File;
-import java.io.FileInputStream;
+import javax.net.ssl.X509TrustManager;
 import java.io.IOException;
-import java.io.InputStream;
 import java.nio.file.Path;
-import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.UUID;
@@ -63,7 +58,8 @@ public class SDKBuilder {
     private String platformEndpoint = null;
     private ClientAuthentication clientAuth = null;
     private Boolean usePlainText;
-    private SSLFactory sslFactory;
+    private SSLSocketFactory sslSocketFactory;
+    private X509TrustManager trustManager;
     private AuthorizationGrant authzGrant;
     private ProtocolType protocolType = ProtocolType.CONNECT;
     private SrtSigner srtSigner;
@@ -80,42 +76,61 @@ public static SDKBuilder newBuilder() {
         return builder;
     }
 
-    public SDKBuilder sslFactory(SSLFactory sslFactory) {
-        this.sslFactory = sslFactory;
+    /**
+     * Configure the SDK to use the supplied {@link SSLSocketFactory} for outbound TLS connections.
+     * Callers using this overload bring their own pre-built socket factory; cert-chain trust
+     * material is whatever the supplied factory was built with. For full PKIX validation under a
+     * matching {@link X509TrustManager}, use {@link #sslFactoryFromDirectory(String)} or
+     * {@link #sslFactoryFromKeyStore(String, String)} which build both via {@link TrustProvider}.
+     */
+    public SDKBuilder sslFactory(SSLSocketFactory sslSocketFactory) {
+        this.sslSocketFactory = sslSocketFactory;
+        this.trustManager = null;
+        return this;
+    }
+
+    /**
+     * Configure the SDK to use the supplied {@link SSLSocketFactory} together with a matching
+     * {@link X509TrustManager}. The trust manager is used by OkHttp for certificate pinning and
+     * cleartext-fallback decisions; supply this overload when the caller has a trust manager that
+     * matches the socket factory's trust material (e.g. both built from a {@link TrustProvider}).
+     */
+    public SDKBuilder sslFactory(SSLSocketFactory sslSocketFactory, X509TrustManager trustManager) {
+        this.sslSocketFactory = sslSocketFactory;
+        this.trustManager = trustManager;
         return this;
     }
 
     /**
      * Add SSL Context with trusted certs from certDirPath
-     * 
+     *
      * @param certsDirPath Path to a directory containing .pem or .crt trusted certs
      */
     public SDKBuilder sslFactoryFromDirectory(String certsDirPath) throws Exception {
-        File certsDir = new File(certsDirPath);
-        File[] certFiles = certsDir.listFiles((dir, name) -> name.endsWith(".pem") || name.endsWith(".crt"));
-        logger.info("Loading certificates from: " + certsDir.getAbsolutePath());
-        List<InputStream> certStreams = new ArrayList<>(certFiles.length);
-        for (File certFile : certFiles) {
-            certStreams.add(new FileInputStream(certFile));
-        }
-        X509ExtendedTrustManager trustManager = PemUtils.loadTrustMaterial(certStreams.toArray(new InputStream[0]));
-        this.sslFactory = SSLFactory.builder().withDefaultTrustMaterial().withSystemTrustMaterial()
-                .withTrustMaterial(trustManager).build();
+        logger.info("Loading certificates from: {}", certsDirPath);
+        TrustProvider provider = TrustProvider.fromDirectory(certsDirPath);
+        this.sslSocketFactory = provider.getSslSocketFactory();
+        this.trustManager = provider.getTrustManager();
         return this;
     }
 
     /**
      * Add SSL Context with default system trust material + certs contained in a
      * Java keystore
-     * 
+     *
      * @param keystorePath     Path to keystore
      * @param keystorePassword Password to keystore
      */
     public SDKBuilder sslFactoryFromKeyStore(String keystorePath, String keystorePassword) {
-        this.sslFactory = SSLFactory.builder().withDefaultTrustMaterial().withSystemTrustMaterial()
-                .withTrustMaterial(Path.of(keystorePath),
-                        keystorePassword == null ? "".toCharArray() : keystorePassword.toCharArray())
-                .build();
+        try {
+            TrustProvider provider = TrustProvider.fromKeyStore(
+                    Path.of(keystorePath),
+                    keystorePassword == null ? "".toCharArray() : keystorePassword.toCharArray());
+            this.sslSocketFactory = provider.getSslSocketFactory();
+            this.trustManager = provider.getTrustManager();
+        } catch (IOException | java.security.GeneralSecurityException e) {
+            throw new SDKException("failed to load keystore from " + keystorePath, e);
+        }
         return this;
     }
 
@@ -223,8 +238,8 @@ private Interceptor getAuthInterceptor(RSAKey rsaKey) {
         OIDCProviderMetadata providerMetadata;
         try {
             providerMetadata = OIDCProviderMetadata.resolve(issuer, httpRequest -> {
-                if (sslFactory != null) {
-                    httpRequest.setSSLSocketFactory(sslFactory.getSslSocketFactory());
+                if (sslSocketFactory != null) {
+                    httpRequest.setSSLSocketFactory(sslSocketFactory);
                 }
             });
         } catch (IOException | GeneralException e) {
@@ -234,7 +249,7 @@ private Interceptor getAuthInterceptor(RSAKey rsaKey) {
         if (this.authzGrant == null) {
             this.authzGrant = new ClientCredentialsGrant();
         }
-        var ts = new TokenSource(clientAuth, rsaKey, providerMetadata.getTokenEndpointURI(), this.authzGrant, sslFactory);
+        var ts = new TokenSource(clientAuth, rsaKey, providerMetadata.getTokenEndpointURI(), this.authzGrant, sslSocketFactory);
         return new AuthInterceptor(ts);
     }
 
@@ -344,7 +359,7 @@ public SDK.KAS kas() {
 
         return new ServicesAndInternals(
                 authInterceptor,
-                sslFactory == null ? null : sslFactory.getTrustManager().orElse(null),
+                trustManager,
                 services,
                 client,
                 srtSignerToUse);
@@ -378,6 +393,7 @@ private ProtocolClient getProtocolClient(String endpoint, OkHttpClient httpClien
         return new ProtocolClient(new ConnectOkHttpClient(httpClient), protocolClientConfig);
     }
 
+    @SuppressWarnings("deprecation")
     private OkHttpClient getHttpClient() {
         // using a single http client is apparently the best practice, subject to everyone wanting to
         // have the same protocols
@@ -387,17 +403,24 @@ private OkHttpClient getHttpClient() {
             // expect HTTP/2, and Connect protocol can communicate with gRPC servers over HTTP/2
             httpClient.protocols(List.of(Protocol.H2_PRIOR_KNOWLEDGE));
         }
-        if (sslFactory != null) {
-            var trustManager = sslFactory.getTrustManager();
-            if (trustManager.isEmpty()) {
-                throw new SDKException("SSL factory must have a trust manager");
+        if (sslSocketFactory != null) {
+            if (trustManager != null) {
+                httpClient.sslSocketFactory(sslSocketFactory, trustManager);
+            } else {
+                // Caller supplied an SSLSocketFactory without a matching trust manager (e.g. via
+                // sslFactory(SSLSocketFactory)). Falls back to OkHttp's reflection-based platform
+                // default trust manager — only the SSLSocketFactory governs the actual handshake.
+                httpClient.sslSocketFactory(sslSocketFactory);
             }
-            httpClient.sslSocketFactory(sslFactory.getSslSocketFactory(), trustManager.get());
         }
         return httpClient.build();
     }
 
-    SSLFactory getSslFactory() {
-        return this.sslFactory;
+    SSLSocketFactory getSslFactory() {
+        return this.sslSocketFactory;
+    }
+
+    X509TrustManager getTrustManager() {
+        return this.trustManager;
     }
 }