PGPainless 1.6.8-SNAPSHOT

Partially addresses #428 for the 1.6 branch

CHANGELOG.md

@@ -5,6 +5,12 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.6.7
+- SOP: Fix OOM error when detached-signing large amounts of data (fix #432)
+- Move `CachingBcPublicKeyDataDecryptorFactory` from `org.bouncycastle` packet to `org.pgpainless.decryption_verification` to avoid package split (partially addresses #428)
+- Basic support for Java Modules for `pgpainless-core` and `pgpainless-sop`
+  - Added `Automatic-Module-Name` directive to gradle build files
+
 ## 1.6.6
 - Downgrade `logback-core` and `logback-classic` to `1.2.13` to fix #426
 

README.md

@@ -191,7 +191,7 @@ repositories {
 }
 
 dependencies {
-	implementation 'org.pgpainless:pgpainless-core:1.6.6'
+	implementation 'org.pgpainless:pgpainless-core:1.6.7'
 }
 ```
 

SECURITY.md

@@ -32,4 +32,4 @@ Valid security issues will be fixed ASAP.
 PGPainless has received a security audit by [cure53.de](https://cure53.de) in late 2021.
 The [penetrationj test and audit](https://cure53.de/pentest-report_pgpainless.pdf) covered PGPainless
 release candidate 1.0.0-rc6.
-Security fixes for discovered flaws were deployed before the final 1.0.0 release.
+Security fixes for discovered flaws were deployed before the final 1.0.0 release.

pgpainless-core/build.gradle

@@ -27,3 +27,10 @@ dependencies {
     // @Nullable, @Nonnull annotations
     implementation "com.google.code.findbugs:jsr305:3.0.2"
 }
+
+// https://docs.gradle.org/current/userguide/java_library_plugin.html#sec:java_library_modular_auto
+tasks.named('jar') {
+    manifest {
+        attributes('Automatic-Module-Name': 'org.pgpainless.core')
+    }
+}

pgpainless-core/src/main/java/org/bouncycastle/package-info.java

@@ -1,8 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-/**
- * Classes which could be upstreamed to BC at some point.
- */
-package org.bouncycastle;

pgpainless-core/src/main/java/org/pgpainless/decryption_verification/CachingBcPublicKeyDataDecryptorFactory.java

@@ -1,8 +1,8 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+// SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
 //
 // SPDX-License-Identifier: Apache-2.0
 
-package org.bouncycastle;
+package org.pgpainless.decryption_verification;
 
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPPrivateKey;
@@ -10,7 +10,6 @@ import org.bouncycastle.openpgp.operator.PublicKeyDataDecryptorFactory;
 import org.bouncycastle.openpgp.operator.bc.BcPublicKeyDataDecryptorFactory;
 import org.bouncycastle.util.encoders.Base64;
 import org.bouncycastle.util.encoders.Hex;
-import org.pgpainless.decryption_verification.CustomPublicKeyDataDecryptorFactory;
 import org.pgpainless.key.SubkeyIdentifier;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

pgpainless-core/src/test/java/org/bouncycastle/CachingBcPublicKeyDataDecryptorFactoryTest.java

@@ -18,6 +18,7 @@ import org.bouncycastle.util.io.Streams;
 import org.junit.jupiter.api.Test;
 import org.pgpainless.PGPainless;
 import org.pgpainless.algorithm.EncryptionPurpose;
+import org.pgpainless.decryption_verification.CachingBcPublicKeyDataDecryptorFactory;
 import org.pgpainless.decryption_verification.ConsumerOptions;
 import org.pgpainless.decryption_verification.DecryptionStream;
 import org.pgpainless.key.SubkeyIdentifier;

pgpainless-sop/README.md

@@ -23,7 +23,7 @@ To start using pgpainless-sop in your code, include the following lines in your
 ...
 dependencies {
     ...
-    implementation "org.pgpainless:pgpainless-sop:1.6.6"
+    implementation "org.pgpainless:pgpainless-sop:1.6.7"
     ...
 }
 
@@ -34,7 +34,7 @@ dependencies {
     <dependency>
         <groupId>org.pgpainless</groupId>
         <artifactId>pgpainless-sop</artifactId>
-        <version>1.6.6</version>
+        <version>1.6.7</version>
     </dependency>
     ...
 </dependencies>

pgpainless-sop/build.gradle

@@ -34,3 +34,10 @@ test {
     useJUnitPlatform()
     environment("test.implementation", "sop.testsuite.pgpainless.PGPainlessSopInstanceFactory")
 }
+
+// https://docs.gradle.org/current/userguide/java_library_plugin.html#sec:java_library_modular_auto
+tasks.named('jar') {
+    manifest {
+        attributes('Automatic-Module-Name': 'org.pgpainless.sop')
+    }
+}

pgpainless-sop/src/main/java/org/pgpainless/sop/DetachedSignImpl.java

@@ -4,7 +4,6 @@
 
 package org.pgpainless.sop;
 
-import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -92,10 +91,10 @@ public class DetachedSignImpl implements DetachedSign {
             }
         }
 
-        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
+        OutputStream sink = new NullOutputStream();
         try {
             EncryptionStream signingStream = PGPainless.encryptAndOrSign()
-                    .onOutputStream(buffer)
+                    .onOutputStream(sink)
                     .withOptions(ProducerOptions.sign(signingOptions)
                             .setAsciiArmor(armor));
 

pgpainless-sop/src/main/java/org/pgpainless/sop/NullOutputStream.java

@@ -0,0 +1,17 @@
+// SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package org.pgpainless.sop;
+
+import java.io.OutputStream;
+
+/**
+ * {@link OutputStream} that simply discards bytes written to it.
+ */
+public class NullOutputStream extends OutputStream {
+    @Override
+    public void write(int b) {
+        // NOP
+    }
+}

version.gradle

@@ -4,7 +4,7 @@
 
 allprojects {
     ext {
-        shortVersion = '1.6.7'
+        shortVersion = '1.6.8'
         isSnapshot = true
         pgpainlessMinAndroidSdk = 10
         javaSourceCompatibility = 1.8