Fix ArmorUtils spotless complaint

Fixed typo in sop readme

.github/workflows/codeql-analysis.yml

@@ -36,7 +36,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'java' ]
+        language: [ 'java-kotlin' ]
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
@@ -46,7 +46,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +57,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -71,4 +71,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3

CHANGELOG.md

@@ -5,6 +5,10 @@ SPDX-License-Identifier: CC0-1.0
 
 # PGPainless Changelog
 
+## 1.7.7-SNAPSHOT
+- Bump `bcpg-jdk8on` to `1.81`
+- Bump `bcprov-jdk18on` to `1.81`
+
 ## 1.7.6
 - Fix `RevocationSignatureBuilder` properly calculating third-party signatures of type `KeyRevocation` (delegation revocations)
 - Enable support for native images

REUSE.toml

@@ -93,6 +93,12 @@ precedence = "aggregate"
 SPDX-FileCopyrightText = "2022 Paul Schaub <info@pgpainless.org>, 2017 Steve Smith"
 SPDX-License-Identifier = "CC-BY-SA-3.0"
 
+[[annotations]]
+path = "pgpainless-cli/src/main/resources/META-INF/native-image/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2025 Paul Schaub <info@pgpainless.org>"
+SPDX-License-Identifier = "Apache-2.0"
+
 [[annotations]]
 path = "pgpainless-cli/rewriteManPages.sh"
 precedence = "aggregate"

build.gradle

@@ -43,7 +43,7 @@ allprojects {
 
     // checkstyle
     checkstyle {
-        toolVersion = '10.12.1'
+        toolVersion = '10.25.0'
     }
 
     spotless {

pgpainless-cli/build.gradle

@@ -5,7 +5,7 @@
 plugins {
     id 'application'
     id 'org.graalvm.buildtools.native' version '0.10.6'
-    id 'com.github.johnrengelman.shadow' version '8.1.1'
+    id 'com.gradleup.shadow' version '8.3.6'
 }
 
 graalvmNative {

pgpainless-cli/src/main/resources/META-INF/native-image/reflect-config.json

@@ -1,16 +1,7 @@
 [
-{
-  "name":"[B"
-},
 {
   "name":"[Ljava.lang.Object;"
 },
-{
-  "name":"[Ljava.lang.String;"
-},
-{
-  "name":"[Lsun.security.pkcs.SignerInfo;"
-},
 {
   "name":"ch.qos.logback.classic.encoder.PatternLayoutEncoder",
   "queryAllPublicMethods":true,
@@ -70,9 +61,6 @@
 {
   "name":"java.lang.RuntimePermission"
 },
-{
-  "name":"java.lang.String"
-},
 {
   "name":"java.lang.System",
   "methods":[{"name":"console","parameterTypes":[] }]
@@ -101,9 +89,6 @@
   "name":"java.nio.file.Paths",
   "methods":[{"name":"get","parameterTypes":["java.lang.String","java.lang.String[]"] }]
 },
-{
-  "name":"java.security.AlgorithmParametersSpi"
-},
 {
   "name":"java.security.AllPermission"
 },
@@ -119,21 +104,6 @@
 {
   "name":"java.security.cert.PKIXRevocationChecker"
 },
-{
-  "name":"java.security.interfaces.DSAPrivateKey"
-},
-{
-  "name":"java.security.interfaces.DSAPublicKey"
-},
-{
-  "name":"java.security.interfaces.RSAPrivateKey"
-},
-{
-  "name":"java.security.interfaces.RSAPublicKey"
-},
-{
-  "name":"java.security.spec.DSAParameterSpec"
-},
 {
   "name":"java.sql.Connection"
 },
@@ -208,9 +178,6 @@
   "name":"java.time.ZonedDateTime",
   "methods":[{"name":"parse","parameterTypes":["java.lang.CharSequence"] }]
 },
-{
-  "name":"java.util.Date"
-},
 {
   "name":"java.util.HashSet"
 },
@@ -245,11 +212,6 @@
 {
   "name":"java.util.concurrent.locks.ReentrantLock$Sync"
 },
-{
-  "name":"javax.security.auth.x500.X500Principal",
-  "fields":[{"name":"thisX500Name"}],
-  "methods":[{"name":"<init>","parameterTypes":["sun.security.x509.X500Name"] }]
-},
 {
   "name":"javax.smartcardio.CardPermission"
 },
@@ -333,6 +295,10 @@
   "name":"org.bouncycastle.jcajce.provider.asymmetric.NTRU$Mappings",
   "methods":[{"name":"<init>","parameterTypes":[] }]
 },
+{
+  "name":"org.bouncycastle.jcajce.provider.asymmetric.NoSig$Mappings",
+  "methods":[{"name":"<init>","parameterTypes":[] }]
+},
 {
   "name":"org.bouncycastle.jcajce.provider.asymmetric.RSA$Mappings",
   "methods":[{"name":"<init>","parameterTypes":[] }]
@@ -914,18 +880,6 @@
   "queryAllDeclaredMethods":true,
   "methods":[{"name":"<init>","parameterTypes":[] }]
 },
-{
-  "name":"sun.security.provider.DSA$SHA256withDSA",
-  "methods":[{"name":"<init>","parameterTypes":[] }]
-},
-{
-  "name":"sun.security.provider.DSAKeyFactory",
-  "methods":[{"name":"<init>","parameterTypes":[] }]
-},
-{
-  "name":"sun.security.provider.DSAParameters",
-  "methods":[{"name":"<init>","parameterTypes":[] }]
-},
 {
   "name":"sun.security.provider.NativePRNG",
   "methods":[{"name":"<init>","parameterTypes":[] }, {"name":"<init>","parameterTypes":["java.security.SecureRandomParameters"] }]
@@ -933,59 +887,5 @@
 {
   "name":"sun.security.provider.SHA",
   "methods":[{"name":"<init>","parameterTypes":[] }]
-},
-{
-  "name":"sun.security.provider.SHA2$SHA256",
-  "methods":[{"name":"<init>","parameterTypes":[] }]
-},
-{
-  "name":"sun.security.provider.X509Factory",
-  "methods":[{"name":"<init>","parameterTypes":[] }]
-},
-{
-  "name":"sun.security.rsa.RSAKeyFactory$Legacy",
-  "methods":[{"name":"<init>","parameterTypes":[] }]
-},
-{
-  "name":"sun.security.rsa.RSASignature$SHA256withRSA",
-  "methods":[{"name":"<init>","parameterTypes":[] }]
-},
-{
-  "name":"sun.security.util.ObjectIdentifier"
-},
-{
-  "name":"sun.security.x509.AuthorityInfoAccessExtension",
-  "methods":[{"name":"<init>","parameterTypes":["java.lang.Boolean","java.lang.Object"] }]
-},
-{
-  "name":"sun.security.x509.AuthorityKeyIdentifierExtension",
-  "methods":[{"name":"<init>","parameterTypes":["java.lang.Boolean","java.lang.Object"] }]
-},
-{
-  "name":"sun.security.x509.BasicConstraintsExtension",
-  "methods":[{"name":"<init>","parameterTypes":["java.lang.Boolean","java.lang.Object"] }]
-},
-{
-  "name":"sun.security.x509.CRLDistributionPointsExtension",
-  "methods":[{"name":"<init>","parameterTypes":["java.lang.Boolean","java.lang.Object"] }]
-},
-{
-  "name":"sun.security.x509.CertificateExtensions"
-},
-{
-  "name":"sun.security.x509.CertificatePoliciesExtension",
-  "methods":[{"name":"<init>","parameterTypes":["java.lang.Boolean","java.lang.Object"] }]
-},
-{
-  "name":"sun.security.x509.ExtendedKeyUsageExtension",
-  "methods":[{"name":"<init>","parameterTypes":["java.lang.Boolean","java.lang.Object"] }]
-},
-{
-  "name":"sun.security.x509.KeyUsageExtension",
-  "methods":[{"name":"<init>","parameterTypes":["java.lang.Boolean","java.lang.Object"] }]
-},
-{
-  "name":"sun.security.x509.SubjectKeyIdentifierExtension",
-  "methods":[{"name":"<init>","parameterTypes":["java.lang.Boolean","java.lang.Object"] }]
 }
 ]

pgpainless-cli/src/main/resources/META-INF/native-image/resource-config.json

@@ -40,8 +40,6 @@
     "pattern":"\\Qsop-java-version.properties\\E"
   }, {
     "pattern":"java.base:\\Qsun/text/resources/LineBreakIteratorData\\E"
-  }, {
-    "pattern":"java.base:\\Qsun/text/resources/nfkc.icu\\E"
   }]},
   "bundles":[{
     "name":"msg_armor",

pgpainless-core/src/main/kotlin/org/pgpainless/key/generation/KeyRingBuilder.kt

@@ -45,7 +45,7 @@ class KeyRingBuilder : KeyRingBuilderInterface<KeyRingBuilder> {
     }
 
     override fun addUserId(userId: CharSequence): KeyRingBuilder = apply {
-        userIds[userId.toString().trim()] = null
+        userIds[userId.toString()] = null
     }
 
     override fun addUserId(userId: ByteArray): KeyRingBuilder =

pgpainless-core/src/main/kotlin/org/pgpainless/key/modification/secretkeyring/SecretKeyRingEditor.kt

@@ -478,7 +478,7 @@ class SecretKeyRingEditor(
         val prevBinding =
             inspectKeyRing(secretKeyRing).getCurrentSubkeyBindingSignature(keyId)
                 ?: throw NoSuchElementException(
-                    "Previous subkey binding signaure for ${keyId.openPgpKeyId()} MUST NOT be null.")
+                    "Previous subkey binding signature for ${keyId.openPgpKeyId()} MUST NOT be null.")
         val bindingSig = reissueSubkeyBindingSignature(subkey, expiration, protector, prevBinding)
         secretKeyRing = injectCertification(secretKeyRing, subkey, bindingSig)
     }
@@ -569,9 +569,10 @@ class SecretKeyRingEditor(
     }
 
     private fun sanitizeUserId(userId: CharSequence): CharSequence =
-        // TODO: Further research how to sanitize user IDs.
+        // I'm not sure, what kind of sanitization is needed.
-        //  e.g. what about newlines?
+        // Newlines are allowed, they just need to be escaped when emitted in an ASCII armor header
-        userId.toString().trim()
+        // Trailing/Leading whitespace is also fine.
+        userId.toString()
 
     private fun callbackFromRevocationAttributes(attributes: RevocationAttributes?) =
         object : RevocationSignatureSubpackets.Callback {

pgpainless-core/src/main/kotlin/org/pgpainless/util/ArmorUtils.kt

@@ -247,7 +247,9 @@ class ArmorUtils {
                 .add(OpenPgpFingerprint.of(publicKey).prettyPrint())
             // Primary / First User ID
             (primary ?: first)?.let {
-                headerMap.getOrPut(HEADER_COMMENT) { mutableSetOf() }.add(it)
+                headerMap
+                    .getOrPut(HEADER_COMMENT) { mutableSetOf() }
+                    .add(it.replace("\n", "\\n").replace("\r", "\\r"))
             }
             // X-1 further identities
             when (userIds.size) {

pgpainless-core/src/main/kotlin/org/pgpainless/util/Passphrase.kt

@@ -11,14 +11,9 @@ import org.bouncycastle.util.Arrays
  *
  * @param chars may be null for empty passwords.
  */
-class Passphrase(chars: CharArray?) {
+class Passphrase(private val chars: CharArray?) {
     private val lock = Any()
     private var valid = true
-    private val chars: CharArray?
-
-    init {
-        this.chars = trimWhitespace(chars)
-    }
 
     /**
      * Return a copy of the underlying char array. A return value of null represents an empty
@@ -67,6 +62,13 @@ class Passphrase(chars: CharArray?) {
 
     override fun hashCode(): Int = getChars()?.let { String(it) }.hashCode()
 
+    /**
+     * Return a copy of this [Passphrase], but with whitespace characters trimmed off.
+     *
+     * @return copy with trimmed whitespace
+     */
+    fun withTrimmedWhitespace(): Passphrase = Passphrase(trimWhitespace(chars))
+
     companion object {
 
         /**

pgpainless-sop/README.md

@@ -67,7 +67,7 @@ byte[] encrypted = sop.encrypt()
 
 // Decrypt a message
 ByteArrayAndResult<DecryptionResult> messageAndVerifications = sop.decrypt()
-        .verifyWith(cert)
+        .verifyWithCert(cert)
         .withKey(key)
         .ciphertext(encrypted)
         .toByteArrayAndResult();

pgpainless-sop/src/test/java/org/pgpainless/sop/GenerateKeyTest.java

@@ -100,4 +100,14 @@ public class GenerateKeyTest {
         assertThrows(SOPGPException.UnsupportedProfile.class, () ->
                 sop.generateKey().profile("invalid"));
     }
+
+    @Test
+    public void generateKeyWithNewlinesInUserId() throws IOException {
+        byte[] keyBytes = sop.generateKey()
+                .userId("Foo\n\nBar")
+                .generate()
+                .getBytes();
+
+        assertTrue(new String(keyBytes).contains("Foo\\n\\nBar"));
+    }
 }

version.gradle

@@ -4,10 +4,10 @@
 
 allprojects {
     ext {
-        shortVersion = '1.7.6'
+        shortVersion = '1.7.7'
-        isSnapshot = false
+        isSnapshot = true
         javaSourceCompatibility = 11
-        bouncyCastleVersion = '1.80'
+        bouncyCastleVersion = '1.81'
         bouncyPgVersion = bouncyCastleVersion
         junitVersion = '5.8.2'
         logbackVersion = '1.5.13'