uio-bmi / crypt4gh Goto Github PK

CodeFactor found an issue: Overload methods should not be split. Previous overloaded method located at line '80'.

It's currently on:
src\main\java\no\uio\ifi\crypt4gh\stream\Crypt4GHInputStream.java:167

Describe the bug
As of March 2021, jcenter went readonly. See https://developer.android.com/studio/build/jcenter-migration or https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/

The pom.xml directions in https://github.com/uio-bmi/crypt4gh#readme give jcenter.bintray.com as the repository.

Maven central or another repository seems like a good second option to list this project. I know of https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-gradle-registry but do not know the pluses or minuses there.

I know I see some pretty harsh warnings when including this in Android studio. Some sources say jcenter planned to completely shut off some jcenter services as of Feb 2022, I am not sure if they carried through on that or not.

To Reproduce
Steps to reproduce the behavior:

1. Go to 'https://github.com/uio-bmi/crypt4gh#readme'
2. Copy sections of the pom.xml into Android studio (or ostensibly any other modern IDE that will use/convert these).
3. Attempt to sync packages for the v.2.4.3 release
4. See error: "Unable to resolve dependency for ':app@debugUnitTest/compileClasspath': Could not resolve no.uio.ifi:crypt4gh:v2.4.3" (The same occurs for no.uio.ifi:crypt4gh:2.4.3 or even no.uio.ifi:crypt4gh:+ which would download the latest of any version available).

Expected behavior
The library artifact is fetchable from a trustworthy repository, and future versions (v2.4.4, e.g) will be fetchable as well.

Screenshots
n/a

Desktop (please complete the following information):

• OS: macOS 11.6
• Browser: Safari (not that it matters)
• Android Studio Bumblebee 2021.1.1

Additional context
As a workaround a user could build directly from GitHub

Is your feature request related to a problem? Please describe.
No.

Describe the solution you'd like
The current version of README.md does not provide up-to-date information on the crypt4gh maven artifact.

Depending on the JVM, some users may see a warning during encryption:

Encryption initialized...
Done: <path>
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.commons.crypto.stream.CryptoInputStream (<path>/crypt4gh.jar) to method sun.nio.ch.DirectBuffer.cleaner()
WARNING: Please consider reporting this to the maintainers of org.apache.commons.crypto.stream.CryptoInputStream
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

Assumption: it happens only on Java 9+ JVM.

CodeFactor found an issue: Overload methods should not be split. Previous overloaded method located at line '66'.

It's currently on:
src\main\java\no\uio\ifi\crypt4gh\stream\Crypt4GHInputStreamInternal.java:136

Description

The full conversation where this issue was identified is here: EGA-archive/ega-data-api#111 (comment)

ids.add(Long.toHexString(pgpPublicKeyEncryptedData.getKeyID())); https://github.com/uio-bmi/crypt4gh/blob/master/src/main/java/no/uio/ifi/crypt4gh/factory/HeaderFactory.java#L68 it suffers from this: https://stackoverflow.com/a/35335975

Steps to Reproduce

1. Load a key id that starts with 0 e.g. 012C3737B2ED3BA5
2. see that extracted id is 12c3737b2ed3ba5

Proposed solution

Maybe drop the long conversion, as the library should return the key id as found with no extra processing.

Describe the bug

Section 4.2 of the specification outlines how the edit list is applied. In the example, it says that the last keep value "[...] could actually be left out as it extends all the way to the end of the file." While testing my PR #88, I noticed that the last keep value is not optional in this implementation. Is this a potential interoperability issue?

To Reproduce

Encrypt value "1234" with edit list [3].

Expected behavior

Expecting first 3 bytes to be discarded. Decrypted result should therefore be "4".

Actual behavior

All data is discarded resulting to an empty result. Changing the edit list to [3,1] produces the expected result "4".

Sample code

    @Test
    public void testEditListImplementation() throws Exception {
        PrivateKey writerPrivateKey = keyUtils.generatePrivateKey();
        KeyPair readerKeyPair = keyUtils.generateKeyPair();
        PrivateKey readerPrivateKey = readerKeyPair.getPrivate();
        PublicKey readerPublicKey = readerKeyPair.getPublic();

        try (ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream()) {
            try (Crypt4GHOutputStream crypt4GHOutputStream = new Crypt4GHOutputStream(byteArrayOutputStream, new DataEditList(new long[]{ 3 }), writerPrivateKey, readerPublicKey)) {
                crypt4GHOutputStream.write("1234".getBytes());
            }
            try (ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(byteArrayOutputStream.toByteArray());
                 Crypt4GHInputStream crypt4GHInputStream = new Crypt4GHInputStream(byteArrayInputStream, readerPrivateKey)) {

                Assert.assertArrayEquals("4".getBytes(), crypt4GHInputStream.readAllBytes()); // Fails!
            }
        }
    }

One test fails when CI runs on PR#45 with suggested maven-jar-plugin version bump:

https://github.com/uio-bmi/crypt4gh/runs/4798705086?check_suite_focus=true#step:2:52

seems to be a documented known problem with GitHub workflow (missing privileges, read_only instead of required write).

Is your feature request related to a problem? Please describe.

I'd like to incorporate this module on IGV desktop and the upstream maintainers might not accept the PR unless the .jar is publicly accessible (sans authenticated Github tokens). Unauthenticated access is planned but not implemented in GH yet:

https://github.com/orgs/community/discussions/26634

Describe the solution you'd like

It'd be very convenient to resume publishing here: https://mvnrepository.com/artifact/no.uio.ifi/crypt4gh

Github has detailed github actions workflows that allow parallel publishing (github + mavencentral).

Describe alternatives you've considered

I could just download the .jar and ship it with IGV's codebase, which is the approach I'll take for the time being, although it's suboptimal from a release and dependencies management perspective.