Merge pull request #85 from cryptomator/feature/zero-deps

* Internalize CMAC
* reduce allocations
* implement JCA `CMAC` Mac
* implement JCA `AES/SIV/NoPadding` Cipher
* restructure tests
* deprecate legacy API

Author: overheadhunter

.github/workflows/build.yml

@@ -140,6 +140,9 @@ jobs:
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
           generate_release_notes: true
           body: |-
+            ### Full Changelog
+            See [CHANGELOG.md](https://github.com/cryptomator/siv-mode/blob/develop/CHANGELOG.md).
+            
             ### Maven Coordinates
             ```xml
               <dependency>

CHANGELOG.md

@@ -5,15 +5,44 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/cryptomator/siv-mode/compare/1.6.0...HEAD)
+## [Unreleased](https://github.com/cryptomator/siv-mode/compare/1.6.1...HEAD)
+
+### Added
+- new low-level API:
+  * `new SivEngine(key).encrypt(plaintext, associatedData...)`
+  * `new SivEngine(key).decrypt(plaintext, associatedData...)`
+- implement JCA `Cipher` SPI:
+  ```java
+  Cipher siv = Cipher.getInstance("AES/SIV/NoPadding");
+  siv.init(Cipher.ENCRYPT_MODE, key);
+  siv.updateAAD(aad1);
+  siv.updateAAD(aad2);
+  byte[] ciphertext = siv.doFinal(plaintext);
+  ```
+
+### Changed
+- remove dependencies on BouncyCastle and Jetbrains Annotations
+- simplify build by removing `maven-shade-plugin`
+- update test dependencies
+- update build plugins
+
+### Deprecated
+- old low-level API:
+  * `new SivMode().encrypt(key, plaintext, associatedData...)`
+  * `new SivMode().encrypt(ctrKey, macKey, plaintext, associatedData...)`
+  * `new SivMode().decrypt(key, ciphertext, associatedData...)`
+  * `new SivMode().decrypt(ctrKey, macKey, ciphertext, associatedData...)`
+
+## [1.6.1](https://github.com/cryptomator/siv-mode/compare/1.6.0...1.6.1)
+
+### Changed
+- update dependencies
 
 ## [1.6.0](https://github.com/cryptomator/siv-mode/compare/1.5.2...1.6.0)
 
 ### Added
-
 - This CHANGELOG file
 - `encrypt(SecretKey key, byte[] plaintext, byte[]... associatedData)` and `decrypt(SecretKey key, byte[] ciphertext, byte[]... associatedData)` using a single 256, 384, or 512 bit key
 
 ### Changed
-
 - use `maven-gpg-plugin`'s bc-based signer 

README.md

@@ -8,12 +8,9 @@
 [![Javadocs](http://www.javadoc.io/badge/org.cryptomator/siv-mode.svg)](http://www.javadoc.io/doc/org.cryptomator/siv-mode)
 
 ## Features
-- No dependencies (required BouncyCastle classes are repackaged)
+- No dependencies
 - Passes official RFC 5297 test vectors
 - Constant time authentication
-- Defaults on AES, but supports any block cipher with a 128-bit block size.
-- Supports any key sizes that the block cipher supports (e.g. 128/192/256-bit keys for AES)
-- Thread-safe
 - [Fast](https://github.com/cryptomator/siv-mode/issues/15)
 - Requires JDK 8+ or Android API Level 24+ (since version 1.4.0)
 
@@ -28,16 +25,16 @@
 
 ## Usage
 ```java
-private static final SivMode AES_SIV = new SivMode();
+SivMode AES_SIV = new SivMode(key);
 
 public void encrypt() {
-  byte[] encrypted = AES_SIV.encrypt(ctrKey, macKey, "hello world".getBytes());
-  byte[] decrypted = AES_SIV.decrypt(ctrKey, macKey, encrypted);
+  byte[] encrypted = AES_SIV.encrypt("hello world".getBytes());
+  byte[] decrypted = AES_SIV.decrypt(encrypted);
 }
 
 public void encryptWithAssociatedData() {
-  byte[] encrypted = AES_SIV.encrypt(ctrKey, macKey, "hello world".getBytes(), "associated".getBytes(), "data".getBytes());
-  byte[] decrypted = AES_SIV.decrypt(ctrKey, macKey, encrypted, "associated".getBytes(), "data".getBytes());
+  byte[] encrypted = AES_SIV.encrypt("hello world".getBytes(), "associated".getBytes(), "data".getBytes());
+  byte[] decrypted = AES_SIV.decrypt(encrypted, "associated".getBytes(), "data".getBytes());
 }
 ```
 
@@ -48,7 +45,7 @@ public void encryptWithAssociatedData() {
   <dependency>
     <groupId>org.cryptomator</groupId>
     <artifactId>siv-mode</artifactId>
-    <version>1.4.0</version>
+    <version>2.0.0</version>
   </dependency>
 </dependencies>
 ```
@@ -61,8 +58,6 @@ From version 1.3.2 onwards this library is an explicit module with the name `org
 requires org.cryptomator.siv;
 ```
 
-Because BouncyCastle classes are shaded, this library only depends on `java.base`.
-
 ## Reproducible Builds
 
 This is a Maven project that can be built using `mvn install`. However, if you want to build this reproducibly, please make sure:

pom.xml

@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>org.cryptomator</groupId>
 	<artifactId>siv-mode</artifactId>
-	<version>1.7.0-SNAPSHOT</version>
+	<version>2.0.0-SNAPSHOT</version>
 
 	<name>SIV Mode</name>
 	<description>RFC 5297 SIV mode: deterministic authenticated encryption</description>
@@ -37,9 +38,6 @@
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<project.build.outputTimestamp>2025-03-14T12:02:43Z</project.build.outputTimestamp>
 
-		<!-- dependencies -->
-		<bouncycastle.version>1.82</bouncycastle.version>
-
 		<!-- test dependencies -->
 		<junit.version>6.0.1</junit.version>
 		<mockito.version>5.20.0</mockito.version>
@@ -49,23 +47,12 @@
 
 		<!-- maven plugins -->
 		<dependency-check.version>12.1.8</dependency-check.version>
+
+		<!-- Property used by surefire to determine jacoco engine -->
+		<surefire.jacoco.args/>
 	</properties>
 
 	<dependencies>
-		<dependency>
-			<groupId>org.bouncycastle</groupId>
-			<artifactId>bcprov-jdk18on</artifactId>
-			<version>${bouncycastle.version}</version>
-			<!-- see maven-shade-plugin; we don't want this as a transitive dependency in other projects -->
-			<optional>true</optional>
-		</dependency>
-		<dependency>
-			<groupId>org.jetbrains</groupId>
-			<artifactId>annotations</artifactId>
-			<version>26.0.2-1</version>
-			<scope>provided</scope>
-		</dependency>
-
 		<!-- Tests -->
 		<dependency>
 			<groupId>org.junit.jupiter</groupId>
@@ -134,13 +121,33 @@
 					</execution>
 				</executions>
 			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-dependency-plugin</artifactId>
+				<executions>
+					<execution>
+						<id>jar-paths-to-properties</id>
+						<phase>validate</phase>
+						<goals>
+							<goal>properties</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
 			<plugin>
 				<artifactId>maven-compiler-plugin</artifactId>
 				<version>3.14.1</version>
 				<configuration>
 					<release>8</release>
 					<encoding>UTF-8</encoding>
 					<showWarnings>true</showWarnings>
+					<annotationProcessorPaths>
+						<path>
+							<groupId>org.openjdk.jmh</groupId>
+							<artifactId>jmh-generator-annprocess</artifactId>
+							<version>${jmh.version}</version>
+						</path>
+					</annotationProcessorPaths>
 				</configuration>
 				<executions>
 					<execution>
@@ -163,6 +170,9 @@
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
 				<version>3.5.4</version>
+				<configuration>
+					<argLine>@{surefire.jacoco.args} -javaagent:${org.mockito:mockito-core:jar}</argLine>
+				</configuration>
 			</plugin>
 			<plugin>
 				<artifactId>maven-jar-plugin</artifactId>
@@ -208,43 +218,6 @@
 					<release>8</release>
 				</configuration>
 			</plugin>
-			<plugin>
-				<artifactId>maven-shade-plugin</artifactId>
-				<version>3.6.1</version>
-				<executions>
-					<execution>
-						<phase>package</phase>
-						<goals>
-							<goal>shade</goal>
-						</goals>
-						<configuration>
-							<minimizeJar>true</minimizeJar>
-							<keepDependenciesWithProvidedScope>false</keepDependenciesWithProvidedScope>
-							<createDependencyReducedPom>false</createDependencyReducedPom>
-							<createSourcesJar>false</createSourcesJar>
-							<artifactSet>
-								<includes>
-									<include>org.bouncycastle:bcprov-jdk18on</include>
-								</includes>
-							</artifactSet>
-							<relocations>
-								<relocation>
-									<pattern>org.bouncycastle</pattern>
-									<shadedPattern>org.cryptomator.siv.org.bouncycastle</shadedPattern>
-								</relocation>
-							</relocations>
-							<filters>
-								<filter>
-									<artifact>org.bouncycastle:bcprov-jdk18on</artifact>
-									<excludes>
-										<exclude>META-INF/**</exclude>
-									</excludes>
-								</filter>
-							</filters>
-						</configuration>
-					</execution>
-				</executions>
-			</plugin>
 		</plugins>
 	</build>
 
@@ -292,6 +265,9 @@
 								<goals>
 									<goal>prepare-agent</goal>
 								</goals>
+								<configuration>
+									<propertyName>surefire.jacoco.args</propertyName>
+								</configuration>
 							</execution>
 						</executions>
 						<!-- workaround for https://github.com/jacoco/jacoco/issues/407 -->
@@ -353,7 +329,7 @@
 						<extensions>true</extensions>
 						<configuration>
 							<publishingServerId>central</publishingServerId>
- 							<autoPublish>true</autoPublish>
+							<autoPublish>true</autoPublish>
 						</configuration>
 					</plugin>
 				</plugins>