Modernize implementation

.github/workflows/build.yml

@@ -3,18 +3,25 @@ on:
   push:
   pull_request_target:
     types: [labeled]
+
+env:
+  JAVA_VERSION: 21
+
 jobs:
   build:
     name: Build and Test
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # Required for the attestations step
+      attestations: write # Required for the attestations step
+    outputs:
+      sha256: ${{ steps.checksums.outputs.sha256 }}
     steps:
       - uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
       - uses: actions/setup-java@v5
         with:
-          java-version: 21
-          distribution: 'zulu'
+          distribution: 'temurin'
+          java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
       - name: Cache SonarCloud packages
         uses: actions/cache@v4
@@ -24,10 +31,10 @@ jobs:
           restore-keys: ${{ runner.os }}-sonar
       - name: Ensure to use tagged version
         if: startsWith(github.ref, 'refs/tags/')
-        run: ./mvnw -B versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
+        run: ./mvnw versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
       - name: Build and Test
         run: >
-          ./mvnw -B verify
+          ./mvnw -B verify --no-transfer-progress
           jacoco:report
           org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
           -Pcoverage
@@ -37,10 +44,6 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      - uses: actions/upload-artifact@v5
-        with:
-          name: artifacts
-          path: target/*.jar
       - name: Calculate Checksums
         id: checksums
         run: |
@@ -49,12 +52,93 @@ jobs:
             shasum -a256 target/*.jar
             echo EOF
           } >> $GITHUB_OUTPUT
-      - name: Create Release
+      - name: Attest
         if: startsWith(github.ref, 'refs/tags/')
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: |
+            target/*.jar
+            target/*.pom
+      - uses: actions/upload-artifact@v5
+        with:
+          name: artifacts
+          path: target/*.jar
+
+  deploy-central:
+    name: Deploy to Maven Central
+    runs-on: ubuntu-latest
+    permissions: {}
+    needs: [build]
+    if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-java@v5
+        with:
+          distribution: 'temurin'
+          java-version: ${{ env.JAVA_VERSION }}
+          cache: 'maven'
+          server-id: central
+          server-username: MAVEN_CENTRAL_USERNAME
+          server-password: MAVEN_CENTRAL_PASSWORD
+      - name: Verify project version matches tag
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
+          test "$PROJECT_VERSION" = "${GITHUB_REF##*/}"
+      - name: Deploy to Maven Central
+        run: ./mvnw deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress
+        env:
+          MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+          MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+          MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
+          MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}
+
+  deploy-github:
+    name: Deploy to GitHub Packages
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write # Required for the deploy to GitHub Packages step
+    needs: [build]
+    if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
+    steps:
+      - uses: actions/checkout@v5
+      - uses: actions/setup-java@v5
+        with:
+          java-version: ${{ env.JAVA_VERSION }}
+          distribution: 'temurin'
+          cache: 'maven'
+      - name: Verify project version matches tag
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
+          test "$PROJECT_VERSION" = "${GITHUB_REF##*/}"
+      - name: Deploy to GitHub Packages
+        run: ./mvnw deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+          MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
+          MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}
+
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # Required for the release step
+    needs: [build, deploy-central, deploy-github]
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Create Release
         uses: softprops/action-gh-release@v2
         with:
+          prerelease: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+          generate_release_notes: true
           body: |-
+            ### Full Changelog
+            See [CHANGELOG.md](https://github.com/cryptomator/siv-mode/blob/develop/CHANGELOG.md).
+
             ### Maven Coordinates
             ```xml
               <dependency>
@@ -66,8 +150,7 @@ jobs:
 
             ### Artifact Checksums
             ```txt
-            ${{ steps.checksums.outputs.sha256 }}
+            ${{ needs.build.outputs.sha256 }}
             ```
 
-            See [README.md](https://github.com/cryptomator/siv-mode/#reproducible-builds) section regarding reproducing this build.
-          generate_release_notes: true
+            See [README.md](https://github.com/cryptomator/siv-mode/#reproducible-builds) section regarding reproducing this build.

.github/workflows/codeql-analysis.yml

@@ -26,7 +26,7 @@ jobs:
       uses: actions/setup-java@v5
       with:
         java-version: 21
-        distribution: 'zulu'
+        distribution: 'temurin'
         cache: 'maven'
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v4

CHANGELOG.md

@@ -5,15 +5,44 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/cryptomator/siv-mode/compare/1.6.0...HEAD)
+## [Unreleased](https://github.com/cryptomator/siv-mode/compare/1.6.1...HEAD)
+
+### Added
+- new low-level API:
+  * `new SivEngine(key).encrypt(plaintext, associatedData...)`
+  * `new SivEngine(key).decrypt(plaintext, associatedData...)`
+- implement JCA `Cipher` SPI:
+  ```java
+  Cipher siv = Cipher.getInstance("AES/SIV/NoPadding");
+  siv.init(Cipher.ENCRYPT_MODE, key);
+  siv.updateAAD(aad1);
+  siv.updateAAD(aad2);
+  byte[] ciphertext = siv.doFinal(plaintext);
+  ```
+
+### Changed
+- remove dependencies on BouncyCastle and Jetbrains Annotations
+- simplify build by removing `maven-shade-plugin`
+- update test dependencies
+- update build plugins
+
+### Deprecated
+- old low-level API:
+  * `new SivMode().encrypt(key, plaintext, associatedData...)`
+  * `new SivMode().encrypt(ctrKey, macKey, plaintext, associatedData...)`
+  * `new SivMode().decrypt(key, ciphertext, associatedData...)`
+  * `new SivMode().decrypt(ctrKey, macKey, ciphertext, associatedData...)`
+
+## [1.6.1](https://github.com/cryptomator/siv-mode/compare/1.6.0...1.6.1)
+
+### Changed
+- update dependencies
 
 ## [1.6.0](https://github.com/cryptomator/siv-mode/compare/1.5.2...1.6.0)
 
 ### Added
-
 - This CHANGELOG file
 - `encrypt(SecretKey key, byte[] plaintext, byte[]... associatedData)` and `decrypt(SecretKey key, byte[] ciphertext, byte[]... associatedData)` using a single 256, 384, or 512 bit key
 
 ### Changed
-
 - use `maven-gpg-plugin`'s bc-based signer 

README.md

@@ -8,12 +8,9 @@
 [![Javadocs](http://www.javadoc.io/badge/org.cryptomator/siv-mode.svg)](http://www.javadoc.io/doc/org.cryptomator/siv-mode)
 
 ## Features
-- No dependencies (required BouncyCastle classes are repackaged)
+- No dependencies
 - Passes official RFC 5297 test vectors
 - Constant time authentication
-- Defaults on AES, but supports any block cipher with a 128-bit block size.
-- Supports any key sizes that the block cipher supports (e.g. 128/192/256-bit keys for AES)
-- Thread-safe
 - [Fast](https://github.com/cryptomator/siv-mode/issues/15)
 - Requires JDK 8+ or Android API Level 24+ (since version 1.4.0)
 
@@ -28,16 +25,16 @@
 
 ## Usage
 ```java
-private static final SivMode AES_SIV = new SivMode();
+SivMode AES_SIV = new SivMode(key);
 
 public void encrypt() {
-  byte[] encrypted = AES_SIV.encrypt(ctrKey, macKey, "hello world".getBytes());
-  byte[] decrypted = AES_SIV.decrypt(ctrKey, macKey, encrypted);
+  byte[] encrypted = AES_SIV.encrypt("hello world".getBytes());
+  byte[] decrypted = AES_SIV.decrypt(encrypted);
 }
 
 public void encryptWithAssociatedData() {
-  byte[] encrypted = AES_SIV.encrypt(ctrKey, macKey, "hello world".getBytes(), "associated".getBytes(), "data".getBytes());
-  byte[] decrypted = AES_SIV.decrypt(ctrKey, macKey, encrypted, "associated".getBytes(), "data".getBytes());
+  byte[] encrypted = AES_SIV.encrypt("hello world".getBytes(), "associated".getBytes(), "data".getBytes());
+  byte[] decrypted = AES_SIV.decrypt(encrypted, "associated".getBytes(), "data".getBytes());
 }
 ```
 
@@ -48,7 +45,7 @@ public void encryptWithAssociatedData() {
   <dependency>
     <groupId>org.cryptomator</groupId>
     <artifactId>siv-mode</artifactId>
-    <version>1.4.0</version>
+    <version>2.0.0</version>
   </dependency>
 </dependencies>
 ```
@@ -61,8 +58,6 @@ From version 1.3.2 onwards this library is an explicit module with the name `org
 requires org.cryptomator.siv;
 ```
 
-Because BouncyCastle classes are shaded, this library only depends on `java.base`.
-
 ## Reproducible Builds
 
 This is a Maven project that can be built using `mvn install`. However, if you want to build this reproducibly, please make sure: