Merge pull request #20 from nats-io/regular-lts-1

Regular and LTS WIP, FIPS scaffolding

Author: scottf

.github/workflows/lts-main.yml

@@ -0,0 +1,45 @@
+name: Lts Main Snapshot
+permissions:
+  contents: read
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'lts/**'
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        tc: [ 17, 21, 25 ]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./lts
+    env:
+      BUILD_EVENT: ${{ github.event_name }}
+      TARGET_COMPATIBILITY: ${{ matrix.tc }}
+      OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+      OSSRH_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+      SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
+      SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+      SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+    steps:
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          java-version: 25
+          distribution: 'temurin'
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v5
+        with:
+          gradle-version: current
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Build and Test
+        run: chmod +x gradlew && ./gradlew clean test jacocoTestReport
+      - name: Verify Javadoc
+        run: ./gradlew javadoc
+      - name: Publish Snapshot
+        run: ./gradlew -i publishToSonatype

.github/workflows/lts-pr.yml

@@ -0,0 +1,37 @@
+name: Lts Pull Request
+permissions:
+  contents: read
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'lts/**'
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        tc: [ 17, 21, 25 ]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./lts
+    env:
+      BUILD_EVENT: ${{ github.event_name }}
+      TARGET_COMPATIBILITY: ${{ matrix.tc }}
+    steps:
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          java-version: 25
+          distribution: 'temurin'
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v5
+        with:
+          gradle-version: current
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Build and Test
+        run: chmod +x gradlew && ./gradlew clean test jacocoTestReport
+      - name: Verify Javadoc
+        run: ./gradlew javadoc

.github/workflows/lts-release.yml

@@ -0,0 +1,38 @@
+name: Lts Publish Release
+permissions:
+  contents: read
+on:
+  push:
+    tags: [ 'lts/*' ]
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        tc: [ 17, 21, 25 ]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./lts
+    env:
+      BUILD_EVENT: "release"
+      TARGET_COMPATIBILITY: ${{ matrix.tc }}
+      OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+      OSSRH_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+      SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
+      SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+      SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+    steps:
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          java-version: 25
+          distribution: 'temurin'
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v5
+        with:
+          gradle-version: current
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Build, Sign and Publish Release
+        run: chmod +x gradlew && ./gradlew clean compileJava publishToSonatype closeAndReleaseSonatypeStagingRepository

.github/workflows/regular-main.yml

@@ -0,0 +1,45 @@
+name: Regular Main Snapshot
+permissions:
+  contents: read
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'regular/**'
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        tc: [ 17, 21, 25 ]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./regular
+    env:
+      BUILD_EVENT: ${{ github.event_name }}
+      TARGET_COMPATIBILITY: ${{ matrix.tc }}
+      OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+      OSSRH_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+      SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
+      SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+      SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+    steps:
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          java-version: 25
+          distribution: 'temurin'
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v5
+        with:
+          gradle-version: current
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Build and Test
+        run: chmod +x gradlew && ./gradlew clean test jacocoTestReport
+      - name: Verify Javadoc
+        run: ./gradlew javadoc
+      - name: Publish Snapshot
+        run: ./gradlew -i publishToSonatype

.github/workflows/regular-pr.yml

@@ -0,0 +1,37 @@
+name: Regular Pull Request
+permissions:
+  contents: read
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'regular/**'
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        tc: [ 17, 21, 25 ]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./regular
+    env:
+      BUILD_EVENT: ${{ github.event_name }}
+      TARGET_COMPATIBILITY: ${{ matrix.tc }}
+    steps:
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          java-version: 25
+          distribution: 'temurin'
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v5
+        with:
+          gradle-version: current
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Build and Test
+        run: chmod +x gradlew && ./gradlew clean test jacocoTestReport
+      - name: Verify Javadoc
+        run: ./gradlew javadoc

.github/workflows/regular-release.yml

@@ -0,0 +1,38 @@
+name: Regular Publish Release
+permissions:
+  contents: read
+on:
+  push:
+    tags: [ 'regular/*' ]
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        tc: [ 17, 21, 25 ]
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./regular
+    env:
+      BUILD_EVENT: "release"
+      TARGET_COMPATIBILITY: ${{ matrix.tc }}
+      OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+      OSSRH_PASSWORD: ${{ secrets.OSSRH_TOKEN }}
+      SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
+      SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+      SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+    steps:
+      - name: Set up JDK
+        uses: actions/setup-java@v5
+        with:
+          java-version: 25
+          distribution: 'temurin'
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v5
+        with:
+          gradle-version: current
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: Build, Sign and Publish Release
+        run: chmod +x gradlew && ./gradlew clean compileJava publishToSonatype closeAndReleaseSonatypeStagingRepository

fips/build.gradle

@@ -10,24 +10,26 @@ plugins {
     id("signing")
 }
 
-def jarVersion = "3.0.0"
+def jarVersion = "3.0.1"
 group = 'io.nats.nkeys'
 
 def isRelease = System.getenv("BUILD_EVENT") == "release"
 def tc = System.getenv("TARGET_COMPATIBILITY")
-def targetJavaVersion = tc == null ? JavaVersion.VERSION_1_8 : JavaVersion.toVersion(tc)
+def targetJavaVersion = tc == null ? JavaVersion.VERSION_17 : JavaVersion.toVersion(tc)
 def targetId = targetJavaVersion.toString()
-def artifact = "fips" + (targetJavaVersion == JavaVersion.VERSION_1_8 ? "" : "-jdk" + targetId)
-def bundleName = "io.nats.nkeys.fips" + (targetJavaVersion == JavaVersion.VERSION_1_8 ? "" : ".jdk" + targetId)
+def artifact = "fips-jdk" + targetId
+def bundleName = "io.nats.nkeys.fips.jdk" + targetId
+def coreName = "core-jdk" + targetId
 
 System.out.println("targetCompatibility: " + targetId)
 System.out.println("artifact: " + artifact)
+System.out.println("core: " + coreName)
 System.out.println("bundleName: " + bundleName)
 
 version = isRelease ? jarVersion : jarVersion + "-SNAPSHOT" // version is the variable the gradle uses.
 
 java {
-    sourceCompatibility = JavaVersion.VERSION_1_8
+    sourceCompatibility = JavaVersion.VERSION_17
     targetCompatibility = targetJavaVersion
     withSourcesJar()
     withJavadocJar()
@@ -41,7 +43,7 @@ repositories {
 }
 
 dependencies {
-    implementation 'io.nats.nkeys:core:3.0.0-SNAPSHOT'
+    implementation 'io.nats.nkeys:' + coreName + ':3.0.1'
     implementation 'org.bouncycastle:bc-fips:2.1.2'
     implementation 'org.jspecify:jspecify:1.0.0'
 

fips/src/main/java/io/nats/nkey/FipsNKeyProvider.java

@@ -2,10 +2,8 @@
 
 import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.jspecify.annotations.NullMarked;
-import sun.security.jca.JCAUtil;
 
-import java.security.KeyPair;
-import java.security.Security;
+import java.security.*;
 
 @NullMarked
 public class FipsNKeyProvider extends NKeyProvider {
@@ -15,14 +13,19 @@ public class FipsNKeyProvider extends NKeyProvider {
     }
 
     public FipsNKeyProvider() {
-        setSecureRandom(JCAUtil.getDefSecureRandom());
+        try {
+            setSecureRandom(SecureRandom.getInstance("DEFAULT", "BCFIPS"));
+        }
+        catch (NoSuchAlgorithmException | NoSuchProviderException e) {
+            throw new RuntimeException(e);
+        }
     }
 
     /**
      * {@inheritDoc}
      */
     @Override
-    public NKey createPair(NKeyType type, byte[] seed) {
+    public NKey createNKey(NKeyType type, byte[] seed) {
         throw new UnsupportedOperationException("createPair not supported yet.");
     }
 
@@ -31,6 +34,7 @@ public NKey createPair(NKeyType type, byte[] seed) {
      */
     @Override
     public KeyPair getKeyPair(NKey nkey) {
+        nkey.ensurePair();
         throw new UnsupportedOperationException("getKeyPair not supported yet.");
     }
 

lts/build.gradle

@@ -10,24 +10,26 @@ plugins {
     id("signing")
 }
 
-def jarVersion = "3.0.0"
+def jarVersion = "3.0.1"
 group = 'io.nats.nkeys'
 
 def isRelease = System.getenv("BUILD_EVENT") == "release"
 def tc = System.getenv("TARGET_COMPATIBILITY")
-def targetJavaVersion = tc == null ? JavaVersion.VERSION_1_8 : JavaVersion.toVersion(tc)
+def targetJavaVersion = tc == null ? JavaVersion.VERSION_17 : JavaVersion.toVersion(tc)
 def targetId = targetJavaVersion.toString()
-def artifact = "lts" + (targetJavaVersion == JavaVersion.VERSION_1_8 ? "" : "-jdk" + targetId)
-def bundleName = "io.nats.nkeys.lts" + (targetJavaVersion == JavaVersion.VERSION_1_8 ? "" : ".jdk" + targetId)
+def artifact = "lts-jdk" + targetId
+def bundleName = "io.nats.nkeys.lts.jdk" + targetId
+def coreName = "core-jdk" + targetId
 
 System.out.println("targetCompatibility: " + targetId)
 System.out.println("artifact: " + artifact)
+System.out.println("core: " + coreName)
 System.out.println("bundleName: " + bundleName)
 
 version = isRelease ? jarVersion : jarVersion + "-SNAPSHOT" // version is the variable the gradle uses.
 
 java {
-    sourceCompatibility = JavaVersion.VERSION_1_8
+    sourceCompatibility = JavaVersion.VERSION_17
     targetCompatibility = targetJavaVersion
     withSourcesJar()
     withJavadocJar()
@@ -41,7 +43,7 @@ repositories {
 }
 
 dependencies {
-    implementation 'io.nats.nkeys:core:3.0.0-SNAPSHOT'
+    implementation 'io.nats.nkeys:' + coreName + ':3.0.1'
     implementation 'org.bouncycastle:bcprov-lts8on:2.73.10'
     implementation 'org.jspecify:jspecify:1.0.0'
 

lts/src/main/java/io/nats/nkey/LtsNKeyProvider.java

@@ -19,7 +19,7 @@ public class LtsNKeyProvider extends NKeyProvider {
      * {@inheritDoc}
      */
     @Override
-    public NKey createPair(NKeyType type, byte[] seed) {
+    public NKey createNKey(NKeyType type, byte[] seed) {
         Ed25519PrivateKeyParameters privateKey = new Ed25519PrivateKeyParameters(seed);
         Ed25519PublicKeyParameters publicKey = privateKey.generatePublicKey();
 
@@ -38,6 +38,7 @@ public NKey createPair(NKeyType type, byte[] seed) {
      */
     @Override
     public KeyPair getKeyPair(NKey nkey) {
+        nkey.ensurePair();
         NKeyDecodedSeed decoded = nkey.getDecodedSeed();
         byte[] seedBytes = new byte[ED25519_SEED_SIZE];
         byte[] pubBytes = new byte[ED25519_PUBLIC_KEYSIZE];