opentdf · mkleene · May 11, 2026 · May 11, 2026 · May 11, 2026 · May 11, 2026
@@ -85,13 +85,23 @@ jobs:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
-      - name: Maven Test Coverage
+      - name: Generate sources
         env:
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           BUF_INPUT_HTTPS_USERNAME: opentdf-bot
           BUF_INPUT_HTTPS_PASSWORD: ${{ secrets.PERSONAL_ACCESS_TOKEN_OPENTDF }}
-        run: mvn --batch-mode clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=opentdf_java-sdk -P coverage
+        run: mvn clean --batch-mode clean generate-sources
+      - name: Tests and enforcer (fips)
+        run: mvn --batch-mode test enforcer:enforce -P 'fips,!non-fips' -Dmaven.antrun.skip
+      - name: Tests with coverage and javadoc (non-fips)
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: |
+          mvn --batch-mode verify \
+            org.sonarsource.scanner.maven:sonar-maven-plugin:sonar \
+            -Dmaven.antrun.skip -Dsonar.projectKey=opentdf_java-sdk \
+            -P 'coverage,non-fips,!fips'
 
   platform-integration:
     runs-on: ubuntu-22.04

@@ -10,6 +10,7 @@
 import com.google.gson.GsonBuilder;
 import com.google.gson.reflect.TypeToken;
 
+import java.security.cert.X509Certificate;
 import java.text.ParseException;
 import com.google.gson.JsonSyntaxException;
 import io.opentdf.platform.sdk.AssertionConfig;
@@ -18,11 +19,11 @@
 import io.opentdf.platform.sdk.KeyType;
 import io.opentdf.platform.sdk.SDK;
 import io.opentdf.platform.sdk.SDKBuilder;
-import nl.altindag.ssl.SSLFactory;
 import picocli.CommandLine;
 import picocli.CommandLine.HelpCommand;
 import picocli.CommandLine.Option;
 
+import javax.net.ssl.X509TrustManager;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
@@ -262,10 +263,13 @@ void encrypt(
     private SDK buildSDK() {
         SDKBuilder builder = new SDKBuilder();
         if (insecure) {
-            SSLFactory sslFactory = SSLFactory.builder()
-                    .withUnsafeTrustMaterial() // Trust all certificates
-                    .build();
-            builder.sslFactory(sslFactory);
+            // Trust all certificates
+            X509TrustManager insecureTrustManager = new X509TrustManager() {
+                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
+                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
+                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
+            };
+            builder.sslFactoryFromTrustManager(insecureTrustManager);
         }
 
         return builder.platformEndpoint(platformEndpoint)

@@ -17,7 +17,9 @@
         <grpc.version>1.75.0</grpc.version>
         <protobuf.version>4.29.2</protobuf.version>
         <bouncycastle.version>1.82</bouncycastle.version>
-        <ayza.version>10.0.0</ayza.version>
+        <bc-fips.version>2.1.2</bc-fips.version>
+        <bcpkix-fips.version>2.1.11</bcpkix-fips.version>
+        <bctls-fips.version>2.1.23</bctls-fips.version>
         <bytebuddy.version>1.18.3</bytebuddy.version>
         <!-- JaCoCo Properties -->
         <jacoco.version>0.8.13</jacoco.version>
@@ -78,39 +80,6 @@
                 <version>3.4</version>
                 <scope>provided</scope>
             </dependency>
-            <dependency>
-                <groupId>io.github.hakky54</groupId>
-                <artifactId>ayza-for-pem</artifactId>
-                <version>${ayza.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <groupId>org.slf4j</groupId>
-                        <artifactId>slf4j-api</artifactId>
-                    </exclusion>
-                </exclusions>
-            </dependency>
-            <dependency>
-                <groupId>io.github.hakky54</groupId>
-                <artifactId>ayza</artifactId>
-                <version>${ayza.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <groupId>org.slf4j</groupId>
-                        <artifactId>slf4j-api</artifactId>
-                    </exclusion>
-                </exclusions>
-            </dependency>
-            <dependency>
-                <groupId>io.github.hakky54</groupId>
-                <artifactId>ayza-for-netty</artifactId>
-                <version>${ayza.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <groupId>org.slf4j</groupId>
-                        <artifactId>slf4j-api</artifactId>
-                    </exclusion>
-                </exclusions>
-            </dependency>
             <dependency>
                 <groupId>io.grpc</groupId>
                 <artifactId>grpc-netty-shaded</artifactId>
@@ -157,6 +126,26 @@
                 <artifactId>bcprov-jdk18on</artifactId>
                 <version>${bouncycastle.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bctls-jdk18on</artifactId>
+                <version>${bouncycastle.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bc-fips</artifactId>
+                <version>${bc-fips.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bcpkix-fips</artifactId>
+                <version>${bcpkix-fips.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.bouncycastle</groupId>
+                <artifactId>bctls-fips</artifactId>
+                <version>${bctls-fips.version}</version>
+            </dependency>
             <!--
                 Pin Byte Buddy for test-time Mockito instrumentation on newer JVMs (e.g. Java 21).
                 This does NOT add a runtime dependency; it only manages the version used by modules.

@@ -17,6 +17,10 @@
         <connect.version>0.7.2</connect.version>
         <okhttp.version>4.12.0</okhttp.version>
         <platform.branch>protocol/go/v0.16.0</platform.branch>
+        <!-- in the non-FIPS case we don't need to pass anything to the jvm -->
+        <java.security.properties.test></java.security.properties.test>
+        <!-- Default empty argLine; overridden by jacoco:prepare-agent when the `coverage` profile is active -->
+        <argLine></argLine>
     </properties>
     <dependencies>
         <!-- Logging Dependencies -->
@@ -31,18 +35,6 @@
             <artifactId>oauth2-oidc-sdk</artifactId>
             <version>11.10.1</version>
         </dependency>
-        <dependency>
-            <groupId>io.github.hakky54</groupId>
-            <artifactId>ayza-for-pem</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>io.github.hakky54</groupId>
-            <artifactId>ayza</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>io.github.hakky54</groupId>
-            <artifactId>ayza-for-netty</artifactId>
-        </dependency>
         <!-- Serialization and Deserialization Dependencies -->
         <dependency>
             <groupId>com.google.code.gson</groupId>
@@ -160,15 +152,7 @@
             <version>6.0.53</version>
             <scope>provided</scope>
         </dependency>
-        <!-- Crypto Dependencies -->
-        <dependency>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bcpkix-jdk18on</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.bouncycastle</groupId>
-            <artifactId>bcprov-jdk18on</artifactId>
-        </dependency>
+        <!-- Crypto Dependencies are pulled in via the `non-fips` (default) or `fips` profile -->
         <!-- Testing Dependencies -->
         <dependency>
             <groupId>org.junit.jupiter</groupId>
@@ -483,11 +467,56 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <argLine>@{argLine} ${java.security.properties.test}</argLine>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
-    <!--profile
-    to execute fuzz test -->
     <profiles>
+        <profile>
+            <id>non-fips</id>
+            <activation>
+                <activeByDefault>true</activeByDefault>
+            </activation>
+            <dependencies>
+                <dependency>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcpkix-jdk18on</artifactId>
+                    <scope>test</scope>
+                </dependency>
+            </dependencies>
+        </profile>
+        <profile>
+            <id>fips</id>
+            <activation>
+                <activeByDefault>false</activeByDefault>
+            </activation>
+            <properties>
+                <java.security.properties.test>-Djava.security.properties=${project.basedir}/src/test/resources/java.security.fips.test</java.security.properties.test>
+            </properties>
+            <dependencies>
+                <dependency>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bc-fips</artifactId>
+                    <scope>runtime</scope>
+                </dependency>
+                <dependency>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bctls-fips</artifactId>
+                    <scope>runtime</scope>
+                </dependency>
+                <dependency>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcpkix-fips</artifactId>
+                    <scope>test</scope>
+                </dependency>
+            </dependencies>
+        </profile>
+        <!-- profile to execute fuzz test -->
         <profile>
             <id>fuzz</id>
             <activation>

@@ -3,6 +3,7 @@
 import javax.crypto.BadPaddingException;
 import javax.crypto.Cipher;
 import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.KeyGenerator;
 import javax.crypto.NoSuchPaddingException;
 import javax.crypto.SecretKey;
 import javax.crypto.spec.GCMParameterSpec;
@@ -20,10 +21,27 @@
 public class AesGcm {
     public static final int GCM_NONCE_LENGTH = 12; // in bytes
     public static final int GCM_TAG_LENGTH = 16; // in bytes
+    public static final int GCM_KEY_SIZE_BITS = 256;
+    private static final String KEY_ALGORITHM = "AES";
     private static final String CIPHER_TRANSFORM = "AES/GCM/NoPadding";
 
     private final SecretKey key;
 
+    /**
+     * <p>Generate a fresh 256-bit AES key using the JCA {@link KeyGenerator}.</p>
+     *
+     * @return the encoded key bytes
+     */
+    static byte[] generateKey() {
+        try {
+            KeyGenerator keyGenerator = KeyGenerator.getInstance(KEY_ALGORITHM);
+            keyGenerator.init(GCM_KEY_SIZE_BITS);
+            return keyGenerator.generateKey().getEncoded();
+        } catch (NoSuchAlgorithmException e) {
+            throw new SDKException("error generating AES key", e);
+        }
+    }
+
 
     /**
      * <p>Return symmetric key</p>