2024-05-31 14:32:41 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Apr 29 16:07:27 UTC 2024 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
|
|
|
|
- Update to version 1.78.1
|
|
|
|
* Defects Fixed:
|
|
|
|
- The new dependency of the the PGP API on the bcutil jar was
|
|
|
|
missing from the module jar, the OSGi manifest, and the Maven
|
|
|
|
POM. This has been fixed.
|
|
|
|
- Missing exports and duplicate imports have been added/removed
|
|
|
|
from the OSGi manifests.
|
|
|
|
- The OSGi manifests now have the same bundle IDs as 1.77 and
|
|
|
|
lock down dependencies to the equivalent variations
|
|
|
|
- A check in the X.509 Extensions class preventing the parsing
|
|
|
|
of empty extensions has been removed.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Apr 29 06:39:43 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
|
|
|
|
|
|
|
|
- Update to version 1.78: [bsc#1223252, CVE-2024-30171]
|
|
|
|
* Security Advisories.
|
|
|
|
- CVE-2024-29857: Importing an EC certificate with specially crafted
|
|
|
|
F2m parameters can cause high CPU usage during parameter evaluation.
|
|
|
|
- CVE-2024-30171: Possible timing based leakage in RSA based handshakes
|
|
|
|
due to exception processing eliminated.
|
|
|
|
- CVE-2024-30172: Crafted signature and public key can be used to
|
|
|
|
trigger an infinite loop in the Ed25519 verification code.
|
|
|
|
- CVE-2024-301XX: When endpoint identification is enabled in the BCJSSE
|
|
|
|
and an SSL socket is not created with an explicit hostname (as happens
|
|
|
|
with HttpsURLConnection), hostname verification could be performed
|
|
|
|
against a DNS-resolved IP address. This has been fixed.
|
|
|
|
* Defects Fixed:
|
|
|
|
- Issues with a dangling weak reference causing intermittent
|
|
|
|
NullPointerExceptions in the OcspCache have been fixed.
|
|
|
|
- Issues with non-constant time RSA operations in TLS handshakes.
|
|
|
|
- Issue with Ed25519, Ed448 signature verification causing intermittent
|
|
|
|
infinite loop have been fixed.
|
|
|
|
- Issues with non-constant time ML-KEM implementation ("Kyber Slash").
|
|
|
|
- Align ML-KEM input validation with FIPS 203 IPD requirements.
|
|
|
|
- Make PEM parsing more forgiving of whitespace to align with RFC 7468.
|
|
|
|
- Fix CCM length checks with large nonce sizes (n=12, n=13).
|
|
|
|
- EAC: Fixed the CertificateBody ASN.1 type to support an optional
|
|
|
|
Certification Authority Reference in a Certificate Request.
|
|
|
|
- ASN.1: ObjectIdentifier (also Relative OID) parsing has been optimized
|
|
|
|
and the contents octets for both types are now limited to 4096 bytes.
|
|
|
|
- BCJSSE: Fixed a missing null check on the result of PrivateKey.getEncoded(),
|
|
|
|
which could cause issues for HSM RSA keys.
|
|
|
|
- BCJSSE: When endpoint identification is enabled and an SSL socket is not
|
|
|
|
created with an explicit hostname (as happens with HttpsURLConnection),
|
|
|
|
hostname verification could be performed against a DNS-resolved IP address.
|
|
|
|
- The missing module import of java.logging to the provider module has been added.
|
|
|
|
- GOST ASN.1 public key alg parameters are now compliant with RFC 9215.
|
|
|
|
- An off-by-one error in the encoding for EccP256CurvePoint for ITS.
|
|
|
|
- PEM Parser now enforces PEM headers to start at the beginning of the line
|
|
|
|
to be meaningful.
|
|
|
|
* Additional Features and Functionality.
|
|
|
|
- An implementation of MLS (RFC 9420 - The Messaging Layer Security Protocol)
|
|
|
|
has been added as a new module.
|
|
|
|
- NTRU now supports NTRU-HPS4096-1229 and NTRU-HRSS-1373.
|
|
|
|
- Improvements to PGP support, including Camellia key wrapping and Curve25519,
|
|
|
|
Curve448 key types (including XDH with HKDF).
|
|
|
|
- Added initial support for ML-KEM in TLS.
|
|
|
|
- Added XWing hybrid KEM construction (X25519 + ML-KEM-768).
|
|
|
|
- Introduced initial KEMSpi support (NTRU, SNTRU Prime) for JDK 21+.
|
|
|
|
- Introduced initial composite signature support for X509 Certificates.
|
|
|
|
- PKCS#12 now supports PKCS12-AES256-AES128, PKCS12-AES256-AES128-GCM,
|
|
|
|
PKCS12-DEF-AES256-AES128, and PKCS12-DEF-AES256-AES128-GCM.
|
|
|
|
- The default type for the KeyStore.getInstance("PKCS12", "BC") can now be set
|
|
|
|
using the org.bouncycastle.pkcs12.default system/security property.
|
|
|
|
- The PGP SExpParser will now handle Ed25519 and Ed448 keys.
|
|
|
|
- Dilithium and Kyber key encoding updated to latest Draft RFCs
|
|
|
|
(draft-ietf-lamps-dilithium-certificates and draft-ietf-lamps-kyber-certificates)
|
|
|
|
- Support has been added for encryption key derivation using HKDF in CMS, see
|
|
|
|
draft-housley-lamps-cms-cek-hkdf-sha256.
|
|
|
|
- X500Name now recognises jurisdiction{C,ST,L} DNs.
|
|
|
|
- CertPathValidationContext and CertificatePoliciesValidation now include
|
|
|
|
implementations of Memoable.
|
|
|
|
- The Composite post-quantum signatures implementation has been updated to the
|
|
|
|
latest draft draft-ounsworth-pq-composite-sigs.
|
|
|
|
* Full release notes: bouncycastle.org/releasenotes.html#r1rv78
|
|
|
|
* Rebase bouncycastle-notests.patch
|
|
|
|
|
2024-05-03 11:22:38 +02:00
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Dec 4 13:44:16 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
|
|
|
|
|
|
|
|
- Update to version 1.77:
|
|
|
|
* Defects Fixed:
|
|
|
|
- Using an unescaped '=' in an X.500 RDN would result in the
|
|
|
|
RDN being truncated silently. The issue is now detected and
|
|
|
|
an exception is thrown.
|
|
|
|
- asn1.eac.CertificateBody was returning certificateEffectiveDate
|
|
|
|
from getCertificateExpirationDate(). This has been fixed to
|
|
|
|
return certificateExpirationDate.
|
|
|
|
- DTLS: Fixed retransmission in response to re-receipt of an
|
|
|
|
aggregated ChangeCipherSpec.
|
|
|
|
- (D)TLS: Fixed compliance for supported_groups extension.
|
|
|
|
Server will no longer negotiate an EC cipher suite using a
|
|
|
|
default curve when the ClientHello includes the supported_groups
|
|
|
|
extension but it contains no curves in common with the server.
|
|
|
|
Similarly, a DH cipher suite will not be negotiated when the
|
|
|
|
ClientHello includes supported_groups, containing at least one
|
|
|
|
FFDHE group, but none in common with the server.
|
|
|
|
- IllegalStateException was being thrown by Ed25519/Ed448 SignatureSpi.
|
|
|
|
- TLS: class annotation issues that could occur between the BC
|
|
|
|
provider and the TLS API for the GCMParameterSpec class when
|
|
|
|
the jars were loaded on the boot class path have been addressed.
|
|
|
|
- Attempt to create an ASN.1 OID from a zero length byte array
|
|
|
|
is now caught at construction time.
|
|
|
|
- Attempt to create an X.509 extension block which is empty will
|
|
|
|
now be blocked cause an exception.
|
|
|
|
- IES implementation will now accept a null ParameterSpec if no
|
|
|
|
nonce is needed.
|
|
|
|
- An internal method in Arrays was failing to construct its
|
|
|
|
failure message correctly on an error.
|
|
|
|
- HSSKeyPublicParameters.generateLMSContext() would fail for a
|
|
|
|
unit depth key.
|
|
|
|
* Additional Features and Functionality:
|
|
|
|
- BCJSSE: Added org.bouncycastle.jsse.client.omitSigAlgsCertExtension
|
|
|
|
and org.bouncycastle.jsse.server.omitSigAlgsCertExtension boolean
|
|
|
|
system properties to control (for client and server resp.) whether
|
|
|
|
the signature_algorithms_cert extension should be omitted if it
|
|
|
|
would be identical to signature_algorithms. Defaults to true, the
|
|
|
|
historical behaviour.
|
|
|
|
- The low-level HPKE API now allows the sender to specify an
|
|
|
|
ephemeral key pair.
|
|
|
|
- Support has been added for the delta-certificate requests in line
|
|
|
|
with the current Chameleon Cert draft from the IETF.
|
|
|
|
- Some accommodation has been added for historical systems to
|
|
|
|
accommodate variations in the SHA-1 digest OID for CMS SignedData.
|
|
|
|
- TLS: the TLS API will now try "RSAwithDigestAndMFG1" as well as
|
|
|
|
the newer RSAPSS algorithm names when used with the JCA.
|
|
|
|
- TLS: RSA key exchange cipher suites are now disabled by default.
|
|
|
|
- Support has been added for PKCS#10 requests to allow certificates
|
|
|
|
using the altSignature/altPublicKey extensions.
|
|
|
|
* Notes:
|
|
|
|
- Kyber and Dilithium have been updated according to the latest
|
|
|
|
draft of the standard. Dilithium-AES and Kyber-AES have now been
|
|
|
|
removed. Kyber now produces 256 bit secrets for all parameter sets
|
|
|
|
(in line with the draft standard).
|
|
|
|
- NTRU has been updated to produce 256 bit secrets in line with Kyber.
|
|
|
|
- SPHINCS+ can now be used to generate certificates in line with
|
|
|
|
those used by (Open Quantum Safe) OQS.
|
|
|
|
- Falcon object idenitifiers are now in line with OQS as well.
|
|
|
|
- PQC CMS SignedData now defaults to SHA-256 for signed attributes
|
|
|
|
rather than SHAKE-256. This is also a compatibility change, but may
|
|
|
|
change further again as the IETF standard for CMS is updated.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Oct 18 13:28:47 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
|
|
|
|
|
|
|
|
- Update to version 1.76:
|
|
|
|
* Defects Fixed:
|
|
|
|
- Service allocation in the provider could fail due to the lack
|
|
|
|
of a permission block. This has been fixed.
|
|
|
|
- JceKeyFingerPrintCalculator has been generalised for different
|
|
|
|
providers by using "SHA-256" for the algorithm string.
|
|
|
|
- BCJSSE: Fixed a regression in 1.74 (NullPointerException) that
|
|
|
|
prevents a BCJSSE server from negotiating TLSv1.1 or earlier.
|
|
|
|
- DTLS: Fixed server support for client_certificate_type extension.
|
|
|
|
- Cipher.unwrap() for HQC could fail due to a miscalculation of
|
|
|
|
the length of the KEM packet. This has been fixed.
|
|
|
|
- There was exposure to a Java 7 method in the Java 5 to Java 8
|
|
|
|
BCTLS jar which could cause issues with some TLS 1.2 cipher
|
|
|
|
suites running on older JVMs. This is now fixed.
|
|
|
|
* Additional Features and Functionality:
|
|
|
|
- BCJSSE: Following OpenJDK, finalizers have been removed from
|
|
|
|
SSLSocket subclasses. Applications should close sockets and
|
|
|
|
not rely on garbage collection.
|
|
|
|
- BCJSSE: Added support for boolean system property
|
|
|
|
"jdk.tls.client.useCompatibilityMode" (default "true").
|
|
|
|
- DTLS: Added server support for session resumption.
|
|
|
|
- JcaPKCS10CertificationRequest will now work with EC on the
|
|
|
|
OpenJDK provider.
|
|
|
|
- TimeStamp generation now supports the SHA3 algorithm set.
|
|
|
|
- The SPHINCS+ simple parameters are now fully supported in the
|
|
|
|
BCPQC provider.
|
|
|
|
- Kyber, Classic McEliece, HQC, and Bike now supported by the
|
|
|
|
CRMF/CMS/CMP APIs.
|
|
|
|
- Builder classes have been add for PGP ASCII Armored streams
|
|
|
|
allowing CRCs and versions to now be optional.
|
|
|
|
- An UnknownPacket type has been added to the PGP APIs to allow
|
|
|
|
for forwards compatibility with upcoming revisions to the standard.
|
|
|
|
* Rebase patch bouncycastle-notests.patch
|
|
|
|
|
|
|
|
- Update to version 1.75:
|
|
|
|
* Defects Fixed:
|
|
|
|
- Several Java 8 method calls were accidentally introduced in
|
|
|
|
the Java 5 to Java 8 build. The affected classes have been
|
|
|
|
refactored to remove this.
|
|
|
|
- (D)TLS: renegotiation after resumption now fixed to avoid
|
|
|
|
breaking connection.
|
|
|
|
* Notes:
|
|
|
|
- The ASN.1 core package has had some dead and retired methods
|
|
|
|
cleaned up and removed.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jun 19 10:26:53 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
|
|
|
|
|
|
|
|
- Update to version 1.74: [bsc#1212508, CVE-2023-33201]
|
|
|
|
* Defects Fixed:
|
|
|
|
- AsconEngine: Fixed a buffering bug when decrypting across
|
|
|
|
multiple processBytes calls (ascon128a unaffected).
|
|
|
|
- Context based sanity checking on PGP signatures has been added.
|
|
|
|
- The ParallelHash clone constructor was not copying all fields.
|
|
|
|
- The maximimum number of blocks for CTR/SIC modes was 1 block
|
|
|
|
less than it should have been.
|
|
|
|
* Additional Features and Functionality:
|
|
|
|
- The PGP API now supports wildcard key IDs for public key
|
|
|
|
based data encryption.
|
|
|
|
- LMS now supports SHA256/192, SHAKE256/192, and SHAKE256/256
|
|
|
|
(the additional SP 8000-208 parameter sets).
|
|
|
|
- The PGP API now supports V5 and V6 AEAD encryption for
|
|
|
|
encrypted data packets.
|
|
|
|
- The PGP examples have been updated to reflect key size and algorithm
|
|
|
|
changes that have occurred since they were first written (10+ years...).
|
|
|
|
- (D)TLS: A new callback 'TlsPeer.notifyConnectionClosed' will be called
|
|
|
|
when the connection is closed (including by failure).
|
|
|
|
- BCJSSE: Improved logging of connection events and include unique IDs
|
|
|
|
in connection-specific log messages.
|
|
|
|
- BCJSSE: Server now logs the offered cipher suites when it fails to
|
|
|
|
select one.
|
|
|
|
- BCJSSE: Added support for SSLParameters namedGroups and
|
|
|
|
signatureSchemes properties (can also be used via BCJSSE
|
|
|
|
extension API in earlier Java versions).
|
|
|
|
- DTLS: The initial handshake re-send time is now configurable by
|
|
|
|
overriding 'TlsPeer.getHandshakeResendTimeMillis'.
|
|
|
|
- DTLS: Added support for connection IDs per RFC 9146.
|
|
|
|
- DTLS: Performance of DTLSVerifier has been improved so that it can
|
|
|
|
reasonably be used for all incoming packets.
|
|
|
|
- Initial support has been added for A Mechanism for Encoding
|
|
|
|
Differences in Paired Certificates.
|
|
|
|
- The PGP API now supports parsing, encoding, and fingerprinting
|
|
|
|
of V6 EC/EdEC keys.
|
|
|
|
- A thread safe verifier API has been added to the PGP API to support
|
|
|
|
multi-threaded verification of certifications on keys and user IDs.
|
|
|
|
- The number of keys/sub-keys in a PGPKeyRing can now be found by
|
|
|
|
calling PGPKeyRing.size().
|
|
|
|
- The PQC algorithms LMS/HSS, SPHINCS+, Dilithium, Falcon, and NTRU
|
|
|
|
are now supported directly by the BC provider.
|
|
|
|
* Notes:
|
|
|
|
- The now defunct PQC SIKE algorithm has been removed, this has also
|
|
|
|
meant the removal of its resource files so the provider is now quite
|
|
|
|
a bit smaller.
|
|
|
|
- As a precaution, HC128 now enforces a 128 bit IV, previous behaviour
|
|
|
|
for shorter IVs can be supported where required by padding the IV to
|
|
|
|
the 128 bits with zero.
|
|
|
|
- PGP encrypted data generation now uses integrity protection by default.
|
|
|
|
Previous behaviour for encrypted data can be supported where required
|
|
|
|
by calling PGPDataEncryptorBuilder.setWithIntegrityPacket(false) when
|
|
|
|
data encryption is set up.
|
|
|
|
- There are now additional sanity checks in place to prevent accidental
|
|
|
|
mis-use of PGPSignature objects. If this change causes any issues, you
|
|
|
|
might want to check what your code is up to as there is probably a bug.
|
|
|
|
* Security Advisories:
|
|
|
|
- CVE-2023-33201: this release fixes an issue with the X509LDAPCertStoreSpi
|
|
|
|
where a specially crafted certificate subject could be used to try and
|
|
|
|
extract extra information out of an LDAP server with wild-card matthing
|
|
|
|
enabled.
|
|
|
|
* Rebase bouncycastle-javadoc.patch
|
|
|
|
* Add bouncycastle-notests.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Apr 25 10:26:27 UTC 2023 - Pedro Monreal <pmonreal@suse.com>
|
|
|
|
|
|
|
|
- Update to version 1.73: [jsc#PED-3756]
|
|
|
|
* Defects Fixed:
|
|
|
|
- BCJSSE: Instantiating a JSSE provider in some contexts could
|
|
|
|
cause an AccessControl exception.
|
|
|
|
- The EC key pair generator can generate out of range private
|
|
|
|
keys when used with SM2. A specific SM2KeyPairGenerator has
|
|
|
|
been added to the low-level API and is used by
|
|
|
|
KeyPairGenerator.getInstance("SM2", "BC"). The SM2 signer has
|
|
|
|
been updated to check for out of range keys as well..
|
|
|
|
- The attached signature type byte was still present in Falcon
|
|
|
|
signatures as well as the detached signature byte.
|
|
|
|
- There was an off-by-one error in engineGetOutputSize() for ECIES.
|
|
|
|
- The method for invoking read() internally in BCPGInputStream
|
|
|
|
could result in inconsistent behaviour if the class was extended.
|
|
|
|
- Fixed a rounding issue with FF1 Format Preserving Encryption
|
|
|
|
algorithm for certain radices.
|
|
|
|
- Fixed RFC3394WrapEngine handling of 64 bit keys.
|
|
|
|
- Internal buffer for blake2sp was too small and could result in
|
|
|
|
an ArrayIndexOutOfBoundsException.
|
|
|
|
- JCA PSS Signatures using SHAKE128 and SHAKE256 now support
|
|
|
|
encoding of algorithm parameters.
|
|
|
|
- PKCS10CertificationRequest now checks for empty extension
|
|
|
|
parameters.
|
|
|
|
- Parsing errors in the processing of PGP Armored Data now throw
|
|
|
|
an explicit exception ArmoredInputException.
|
|
|
|
- PGP AEAD streams could occassionally be truncated.
|
|
|
|
- The ESTService class now supports processing of chunked HTTP data.
|
|
|
|
- A constructed ASN.1 OCTET STRING with a single member would
|
|
|
|
sometimes be re-encoded as a definite-length OCTET STRING. The
|
|
|
|
encoding has been adjusted to preserve the BER status of the object.
|
|
|
|
- PKIXCertPathReviewer could fail if the trust anchor was also
|
|
|
|
included in the certificate store being used for path analysis.
|
|
|
|
- UTF-8 parsing of an array range ignored the provided length.
|
|
|
|
- IPAddress has been written to provide stricter checking and
|
|
|
|
avoid the use of Integer.parseInt().
|
|
|
|
- A Java 7 class snuck into the Java 5 to Java 8 build.
|
|
|
|
* Additional Features and Functionality:
|
|
|
|
- The Rainbow NIST Post Quantum Round-3 Candidate has been added to
|
|
|
|
the low-level API and the BCPQC provider (level 3 and level 5
|
|
|
|
parameter sets only).
|
|
|
|
- The GeMSS NIST Post Quantum Round-3 Candidate has been added to
|
|
|
|
the low-level API.
|
|
|
|
- The org.bouncycastle.rsa.max_mr_tests property check has been
|
|
|
|
added to allow capping of MR tests done on RSA moduli.
|
|
|
|
- Significant performance improvements in PQC algorithms,
|
|
|
|
especially BIKE, CMCE, Frodo, HQC, Picnic.
|
|
|
|
- EdDSA verification now conforms to the recommendations of Taming
|
|
|
|
the many EdDSAs, in particular cofactored verification. As a side
|
|
|
|
benefit, Pornin's basis reduction is now used for EdDSA
|
|
|
|
verification, giving a significant performance boost.
|
|
|
|
- Major performance improvements for Anomalous Binary (Koblitz) Curves.
|
|
|
|
- The lightweight Cryptography finalists Ascon, ISAP, Elephant,
|
|
|
|
PhotonBeetle, Sparkle, and Xoodyak have been added to the
|
|
|
|
light-weight cryptography API.
|
|
|
|
- BLAKE2bp and BLAKE2sp have been added to the light-weight
|
|
|
|
cryptography API.
|
|
|
|
- Support has been added for X.509, Section 9.8, hybrid certificates
|
|
|
|
and CRLs using alternate public keys and alternate signatures.
|
|
|
|
- The property "org.bouncycastle.emulate.oracle" has been added to
|
|
|
|
signal the provider should return algorithm names on some algorithms
|
|
|
|
in the same manner as the Oracle JCE provider.
|
|
|
|
- An extra replaceSigners method has been added to CMSSignedData
|
|
|
|
which allows for specifying the digest algorithm IDs to be used
|
|
|
|
in the new CMSSignedData object.
|
|
|
|
- Parsing and re-encoding of ASN.1 PEM data has been further
|
|
|
|
optimized to prevent unecessary conversions between basic encoding,
|
|
|
|
definite length, and DER.
|
|
|
|
- Support has been added for KEM ciphers in CMS in accordance with
|
|
|
|
draft-ietf-lamps-cms-kemri
|
|
|
|
- Support has been added for certEncr in CRMF to allow issuing of
|
|
|
|
certificates for KEM public keys.
|
|
|
|
- Further speedups have been made to CRC24.
|
|
|
|
- GCMParameterSpec constructor caching has been added to improve
|
|
|
|
performance for JVMs that have the class available.
|
|
|
|
- The PGPEncrytedDataGenerator now supports injecting the session
|
|
|
|
key to be used for PGP PBE encrypted data.
|
|
|
|
- The CRMF CertificateRequestMessageBuilder now supports optional
|
|
|
|
attributes.
|
|
|
|
- Improvements to the s calculation in JPAKE.
|
|
|
|
- A general purpose PQCOtherInfoGenerator has been added which
|
|
|
|
supports all Kyber and NTRU.
|
|
|
|
- An implementation of HPKE (RFC 9180 - Hybrid Public Key
|
|
|
|
Encryption) has been added to the light-weight cryptography API.
|
|
|
|
* Security Advisories:
|
|
|
|
- The PQC implementations have now been subject to formal review for
|
|
|
|
secret leakage and side channels, there were issues in BIKE, Falcon,
|
|
|
|
Frodo, HQC which have now been fixed. Some weak positives also
|
|
|
|
showed up in Rainbow, Picnic, SIKE, and GeMSS - for now this last
|
|
|
|
set has been ignored as the algorithms will either be updated if
|
|
|
|
they reappear in the Signature Round, or deleted, as is already the
|
|
|
|
case for SIKE (it is now in the legacy package). Details on the
|
|
|
|
group responsible for the testing can be found in the CONTRIBUTORS
|
|
|
|
file.
|
|
|
|
- For at least some ECIES variants (e.g. when using CBC) there is
|
|
|
|
an issue with potential malleability of a nonce (implying silent
|
|
|
|
malleability of the plaintext) that must be sent alongside the
|
|
|
|
ciphertext but is outside the IES integrity check. For this reason
|
|
|
|
the automatic generation of nonces with IED is now disabled and
|
|
|
|
they have to be passed in using an IESParameterSpec. The current
|
|
|
|
advice is to agree on a nonce between parties and then rely on the
|
|
|
|
use of the ephemeral key component to allow the nonce (rather the
|
|
|
|
so called nonce) usage to be extended.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Oct 19 12:09:48 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
|
|
|
|
|
|
|
|
- Update to version 1.72:
|
|
|
|
* Defects Fixed:
|
|
|
|
- There were parameter errors in XMSS^MT OIDs for
|
|
|
|
XMSSMT_SHA2_40/4_256 and XMSSMT_SHA2_60/3_256. These have
|
|
|
|
been fixed.
|
|
|
|
- There was an error in Merkle tree construction for the
|
|
|
|
Evidence Records (ERS) implementation which could result in
|
|
|
|
invalid roots been timestamped. ERS now produces an
|
|
|
|
ArchiveTimeStamp for each data object/group with an associated
|
|
|
|
reduced hash tree. The reduced hash tree is now calculated as
|
|
|
|
a simple path to the root of the tree for each record.
|
|
|
|
- OpenPGP will now ignore signatures marked as non-exportable
|
|
|
|
on encoding.
|
|
|
|
- A tagging calculation error in GCMSIV which could result in
|
|
|
|
incorrect tags has been fixed.
|
|
|
|
- Issues around Java 17 which could result in failing tests
|
|
|
|
have been addressed.
|
|
|
|
* Additional Features and Functionality:
|
|
|
|
- BCJSSE: TLS 1.3 is now enabled by default where no explicit
|
|
|
|
protocols are supplied (e.g. "TLS" or "Default" SSLContext
|
|
|
|
algorithms, or SSLContext.getDefault() method).
|
|
|
|
- BCJSSE: Rewrite SSLEngine implementation to improve compatibility
|
|
|
|
with SunJSSE.
|
|
|
|
- BCJSSE: Support export of keying material via extension API.
|
|
|
|
- (D)TLS: Add support for 'tls-exporter' channel binding per RFC 9266.
|
|
|
|
- (D)TLS (low-level API): By default, only (D)TLS 1.2 and TLS 1.3 are
|
|
|
|
offered now. Earlier versions are still supported if explicitly
|
|
|
|
enabled. Users may need to check they are offering suitable
|
|
|
|
cipher suites for TLS 1.3.
|
|
|
|
- (D)TLS (low-level API): Add support for raw public keys per RFC 7250.
|
|
|
|
- CryptoServicesRegistrar now has a setServicesConstraints() method
|
|
|
|
on it which can be used to selectively turn off algorithms.
|
|
|
|
- The NIST PQC Alternate Candidate, Picnic, has been added to the low
|
|
|
|
level API and the BCPQC provider.
|
|
|
|
- SPHINCS+ has been upgraded to the latest submission, SPHINCS+ 3.1
|
|
|
|
and support for Haraka has been added.
|
|
|
|
- Evidence records now support timestamp renewal and hash renewal.
|
|
|
|
- The SIKE Alternative Candidate NIST Post Quantum Algorithm has
|
|
|
|
been added to the low-level PQC API.
|
|
|
|
- The NTRU Round 3 Finalist Candidate NIST Post Quantum Algorithm
|
|
|
|
has been added to the low-level API and the BCPQC provider.
|
|
|
|
- The Falcon Finalist NIST Post Quantum Algorithm has been added to
|
|
|
|
the low-level API and the BCPQC provider.
|
|
|
|
- The CRYSTALS-Kyber Finalist NIST Post Quantum Algorithm has been
|
|
|
|
added to the low-level API and the BCPQC provider.
|
|
|
|
- Argon2 Support has been added to the OpenPGP API.
|
|
|
|
- XDH IES has now been added to the BC provider.
|
|
|
|
- The OpenPGP API now supports AEAD encryption and decryption.
|
|
|
|
- The NTRU Prime Alternative Candidate NIST Post Quantum Algorithms
|
|
|
|
have been added to the low-level API and the BCPQC provider.
|
|
|
|
- The CRYSTALS-Dilithium Finalist NIST Post Quantum Algorithm has
|
|
|
|
been added to the low-level API and the BCPQC provider.
|
|
|
|
- The BIKE NIST Post Quantum Alternative/Round-4 Candidate has been
|
|
|
|
added to the low-level API and the BCPQC provider.
|
|
|
|
- The HQC NIST Post Quantum Alternative/Round-4 Candidate has been
|
|
|
|
added to the low-level API and the BCPQC provider.
|
|
|
|
- Grain128AEAD has been added to the lightweight API.
|
|
|
|
- A fast version of CRC24 has been added for use with the PGP API.
|
|
|
|
- Some additional methods and fields have been exposed in the
|
|
|
|
PGPOnePassSignature class to (hopefully) make it easier to
|
|
|
|
deal with nested signatures.
|
|
|
|
- CMP support classes have been updated to reflect the latest
|
|
|
|
editions to the the draft RFC "Lightweight Certificate Management
|
|
|
|
Protocol (CMP) Profile".
|
|
|
|
- Support has been added to the PKCS#12 implementation for the
|
|
|
|
Oracle trusted certificate attribute.
|
|
|
|
- Performance of our BZIP2 classes has been improved.
|
|
|
|
* Notes:
|
|
|
|
- Keep in mind the PQC algorithms are still under development and
|
|
|
|
we are still at least a year and a half away from published standards.
|
|
|
|
This means the algorithms may still change so by all means experiment,
|
|
|
|
but do not use the PQC algoritms for anything long term.
|
|
|
|
- The legacy "Rainbow" and "McEliece" implementations have been
|
|
|
|
removed from the BCPQC provider. The underlying classes are
|
|
|
|
still present if required. Other legacy algorithm implementations
|
|
|
|
can be found under the org.bouncycastle.pqc.legacy package.
|
|
|
|
* Security Notes:
|
|
|
|
- The PQC SIKE algorithm is provided for research purposes only.
|
|
|
|
It should now be regarded as broken. The SIKE implementation
|
|
|
|
will be withdrawn in BC 1.73.
|
|
|
|
* Rebase bouncycastle-javadoc.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Apr 22 21:24:48 UTC 2022 - Anton Shvetz <shvetz.anton@gmail.com>
|
|
|
|
|
|
|
|
- Version update to 1.71
|
|
|
|
* Defects Fixed
|
|
|
|
- In line with GPG the PGP API now attempts to preserve
|
|
|
|
comments containing non-ascii UTF8 characters.
|
|
|
|
- An accidental partial dependency on Java 1.7 has been removed
|
|
|
|
from the TLS API.
|
|
|
|
- JcaPKIXIdentityBuilder would fail to process File objects
|
|
|
|
correctly. This is now fixed.
|
|
|
|
- Some byte[] parameters to the CMP API were not being
|
|
|
|
defensively cloned to prevent accidental changes. Extra
|
|
|
|
defensive cloning has been added.
|
|
|
|
- CMS primitives would sometimes convert ASN.1 definite-length
|
|
|
|
encodings into indefinite-length encodings. The primitives
|
|
|
|
will now try and preserve the original encoding where possible.
|
|
|
|
- CMSSignedData.getAttributeCertificates() now properly
|
|
|
|
restricts the tag values checked to just 1 (the obsolete
|
|
|
|
v1 tag) and 2 (for the more current v2 certificates).
|
|
|
|
- BCJSSE now tries to validate a custom KeyManager selection
|
|
|
|
in order to catch errors around a key manager ignoring
|
|
|
|
key type early.
|
|
|
|
- Compressed streams in PGP ending with zero length partial
|
|
|
|
packets could cause failure on parsing the OpenPGP API.
|
|
|
|
This has been fixed.
|
|
|
|
- The fallback mode for JceAsymmetricKeyWrapper/Unwrapper
|
|
|
|
would lose track of any algorithm parameters generated
|
|
|
|
in the initial attempt. The algorithm parameters are now
|
|
|
|
propagated.
|
|
|
|
- An accidental regression introduced by a fix for another
|
|
|
|
issue in PKIXCertPathReviewer around use of the
|
|
|
|
AuthorityKeyIdentifier extension and it failing to match
|
|
|
|
a certificate uniquely when the serial number field
|
|
|
|
is missing has been fixed.
|
|
|
|
- An error was found in the creation of TLS 1.3 Export Keying
|
|
|
|
Material which could cause compatibility issues. This has
|
|
|
|
been fixed.
|
|
|
|
* Additional Features and Functionality
|
|
|
|
- Support has been added for OpenPGP regular expression
|
|
|
|
signature packets.
|
|
|
|
- Support has been added for OpenPGP PolicyURI signature
|
|
|
|
packets.
|
|
|
|
- A utility method has been added to PGPSecretKeyRing to allow
|
|
|
|
for inserting or replacing a PGPPublicKey.
|
|
|
|
- The NIST PQC Finalist, Classic McEliece has been added to the
|
|
|
|
low level API and the BCPQC provider.
|
|
|
|
- The NIST PQC Alternate Candidate, SPHINCS+ has been added to
|
|
|
|
the BCPQC provider.
|
|
|
|
- The NIST PQC Alternate Candidate, FrodoKEM has been added to
|
|
|
|
the low level API and the BCPQC provider.
|
|
|
|
- The NIST PQC Finalist, SABER has been added to the low level
|
|
|
|
API and the BCPQC provider.
|
|
|
|
- KMAC128, KMAC256 has been added to the BC provider (empty
|
|
|
|
customization string).
|
|
|
|
- TupleHash128, TupleHash256 has been added to the BC provider
|
|
|
|
(empty customization string).
|
|
|
|
- ParallelHash128, ParallelHash256 has been added to the BC
|
|
|
|
provider (empty customization string, block size 1024 bits).
|
|
|
|
- Two new properties: "org.bouncycastle.rsa.max_size" (default
|
|
|
|
15360) and "org.bouncycastle.ec.fp_max_size" (default 1042)
|
|
|
|
have been added to cap the maximum size of RSA and EC keys.
|
|
|
|
- RSA modulus are now checked to be provably composite using
|
|
|
|
the enhanced MR probable prime test.
|
|
|
|
- Imported EC Fp basis values are now validated against the MR
|
|
|
|
prime number test before use. The certainty level of the
|
|
|
|
prime test can be determined by
|
|
|
|
"org.bouncycastle.ec.fp_certainty" (default 100).
|
|
|
|
- The BC entropy thread now has a specific name:
|
|
|
|
"BC-ENTROPY-GATHERER".
|
|
|
|
- Utility methods have been added for joining/merging PGP
|
|
|
|
public keys and signatures.
|
|
|
|
- Blake3-256 has been added to the BC provider.
|
|
|
|
- DTLS: optimisation to delayed handshake hash.
|
|
|
|
- Further additions to the ETSI 102 941 support in the ETSI/ITS
|
|
|
|
package: certification request, signed message generation and
|
|
|
|
verification now supported.
|
|
|
|
- CMSSignedDataGenerator now supports the direct generation of
|
|
|
|
definite-length data.
|
|
|
|
- The NetscapeCertType class now has a hasUsages() method on it
|
|
|
|
for querying usage settings on its bit string.
|
|
|
|
- Support for additional input has been added for deterministic
|
|
|
|
(EC)DSA.
|
|
|
|
- The OpenPGP API provides better support for subkey
|
|
|
|
generation.
|
|
|
|
- BCJSSE: Added boolean system properties
|
|
|
|
"org.bouncycastle.jsse.client.dh.disableDefaultSuites" and
|
|
|
|
"org.bouncycastle.jsse.server.dh.disableDefaultSuites".
|
|
|
|
Default "false". Set to "true" to disable inclusion of DH
|
|
|
|
cipher suites in the default cipher suites for client/server
|
|
|
|
respectively.
|
|
|
|
* Notes
|
|
|
|
- The deprecated QTESLA implementation has been removed from
|
|
|
|
the BCPQC provider.
|
|
|
|
- The submission update to SPHINCS+ has been added. This
|
|
|
|
changes the generation of signatures - particularly
|
|
|
|
deterministic ones.
|
|
|
|
- Version update to 1.70
|
|
|
|
* Defects Fixed
|
|
|
|
- Blake 3 output limit is enforced.
|
|
|
|
- The PKCS12 KeyStore was relying on default precedence for its
|
|
|
|
key Cipher implementation so was sometimes failing if used
|
|
|
|
from the keytool. The KeyStore class now makes sure it uses
|
|
|
|
the correct Cipher implementation.
|
|
|
|
- Fixed bzip2 compression for empty contents (GH #993).
|
|
|
|
- ASN.1: More robust handling of high tag numbers and
|
|
|
|
definite-length forms.
|
|
|
|
- BCJSSE: Fix a concurrent modification issue in session
|
|
|
|
contexts (GH#968).
|
|
|
|
- BCJSSE: Don't log sensitive system property values (GH#976).
|
|
|
|
- BCJSSE: Fixed a priority issue amongst imperfect-match
|
|
|
|
credentials in KeyManager classes.
|
|
|
|
- The IES AlgorithmParameters object has been re-written to
|
|
|
|
properly support all the variations of IESParameterSpec.
|
|
|
|
- getOutputSize() for ECIES has been corrected to avoid
|
|
|
|
occassional underestimates.
|
|
|
|
- The lack of close() in the ASN.1 Dump command line utility
|
|
|
|
was triggering false positives in some code analysis tools. A
|
|
|
|
close() call has been added.
|
|
|
|
- PGPPublicKey.getBitStrength() now properly recognises EdDSA
|
|
|
|
keys.
|
|
|
|
* Additional Features and Functionality
|
|
|
|
- Missing PGP CRC checksums can now be optionally ignored using
|
|
|
|
setDetectMissingCRC() (default false) on ArmoredInputStream.
|
|
|
|
- PGPSecretKey.copyWithNewPassword() now has a variant which
|
|
|
|
uses USAGE_SHA1 for key protection if a PGPDigestCalculator
|
|
|
|
is passed in.
|
|
|
|
- PGP ASCII armored data now skips "\t", "\v", and "\f".
|
|
|
|
- PKCS12 files with duplicate localKeyId attributes on
|
|
|
|
certificates will now have the incorrect attributes filtered
|
|
|
|
out, rather than the duplicate causing an exception.
|
|
|
|
- PGPObjectFactory will now ignore packets representing
|
|
|
|
unrecognised signature versions in the input stream.
|
|
|
|
- The X.509 extension generator will now accumulate some
|
|
|
|
duplicate X.509 extensions into a single extension where it
|
|
|
|
is possible to do so.
|
|
|
|
- Removed support for maxXofLen in Kangaroo digest.
|
|
|
|
- Ignore marker packets in PGP Public and Secret key ring
|
|
|
|
collection.
|
|
|
|
- An implementation of LEA has been added to the low-level API.
|
|
|
|
- Access, recovery, and direct use for PGP session keys has
|
|
|
|
been added to the OpenPGP API for processing encrypted data.
|
|
|
|
- A PGPCanonicalizedDataGenerator has been added which converts
|
|
|
|
input into canonicalized literal data for text and UTF-8
|
|
|
|
mode.
|
|
|
|
- A getUserKeyingMaterial() method has been added to the
|
|
|
|
KeyAgreeRecipientInformation class.
|
|
|
|
- ASN.1: Tagged objects (and parsers) now support all tag
|
|
|
|
classes. Special code for ApplicationSpecific has been
|
|
|
|
deprecated and re-implemented in terms of TaggedObject.
|
|
|
|
- ASN.1: Improved support for nested tagging.
|
|
|
|
- ASN.1: Added support for GraphicString, ObjectDescriptor,
|
|
|
|
RelativeOID.
|
|
|
|
- ASN.1: Added support for constructed BitString encodings,
|
|
|
|
including efficient parsing for large values.
|
|
|
|
- TLS: Added support for external PSK handshakes.
|
|
|
|
- TLS: Check policy restrictions on key size when determining
|
|
|
|
cipher suite support.
|
|
|
|
- A performance issue in KeccakDigest due to left over debug
|
|
|
|
code has been identified and dealt with.
|
|
|
|
- BKS key stores can now be used for collecting protected keys
|
|
|
|
(note: any attempt to store such a store will cause an
|
|
|
|
exception).
|
|
|
|
- A method for recovering user keying material has been added
|
|
|
|
to KeyAgreeRecipientInformation.
|
|
|
|
- Support has been added to the CMS API for SHA-3 based
|
|
|
|
PLAIN-ECDSA.
|
|
|
|
- The low level BcDefaultDigestProvider now supports the SHAKE
|
|
|
|
family of algorithms and the SM3 alogirthm.
|
|
|
|
- PGPKeyRingGenerator now supports creation of key-rings with
|
|
|
|
direct-key identified keys.
|
|
|
|
- The PQC NIST candidate, signature algorithm SPHINCS+ has been
|
|
|
|
added to the low-level API.
|
|
|
|
- ArmoredInputStream now explicitly checks for a '\n' if in
|
|
|
|
crLF mode.
|
|
|
|
- Direct support for NotationDataOccurances, Exportable,
|
|
|
|
Revocable, IntendedRecipientFingerPrints, and AEAD algorithm
|
|
|
|
preferences has been added to PGPSignatureSubpacketVector.
|
|
|
|
- Further support has been added for keys described using
|
|
|
|
S-Expressions in GPG 2.2.X.
|
|
|
|
- Support for OpenPGP Session Keys from the (draft) Stateless
|
|
|
|
OpenPGP CLI has been added.
|
|
|
|
- Additional checks have been added for PGP marker packets in
|
|
|
|
the parsing of PGP objects.
|
|
|
|
- A CMSSignedData.addDigestAlgorithm() has been added to allow
|
|
|
|
for adding additional digest algorithm identifiers to CMS
|
|
|
|
SignedData structures when required.
|
|
|
|
- Support has been added to CMS for the LMS/HSS signature
|
|
|
|
algorithm.
|
|
|
|
- The system property
|
|
|
|
"org.bouncycastle.jsse.client.assumeOriginalHostName"
|
|
|
|
(default false) has been added for dealing with SNI problems
|
|
|
|
related to the host name not being propagate by the JVM.
|
|
|
|
- The JcePKCSPBEOutputEncryptorBuilder now supports SCRYPT with
|
|
|
|
ciphers that do not have algorithm parameters (e.g. AESKWP).
|
|
|
|
- Support is now added for certificates using ETSI TS 103 097,
|
|
|
|
"Intelligent Transport Systems (ITS)" in the bcpkix package.
|
|
|
|
* Notes.
|
|
|
|
- While this release should maintain source code compatibility,
|
|
|
|
developers making use of some parts of the ASN.1 library will
|
|
|
|
find that some classes need recompiling. Apologies for the
|
|
|
|
inconvenience.
|
|
|
|
- Version update to 1.69
|
|
|
|
* Defects Fixed
|
|
|
|
- Lightweight and JCA conversion of Ed25519 keys in the PGP API
|
|
|
|
could drop the leading byte as it was zero. This has been
|
|
|
|
fixed.
|
|
|
|
- Marker packets appearing at the start of PGP public key rings
|
|
|
|
could cause parsing failure. This has been fixed.
|
|
|
|
- ESTService could fail for some valid Content-Type headers.
|
|
|
|
This has been fixed.
|
|
|
|
- Originator key algorithm parameters were being passed as NULL
|
|
|
|
in key agreement recipients. The parameters now reflect the
|
|
|
|
value of the parameters in the key's SubjectPublicKeyInfo.
|
|
|
|
- ContentType on encapsulated data was not been passed through
|
|
|
|
correctly for authenticated and enveloped data. This has been
|
|
|
|
fixed.
|
|
|
|
- NTRUEncryptionParameters and
|
|
|
|
NTRUEncryptionKeyGenerationParameters were not correctly
|
|
|
|
cloning the contained message digest. This has been fixed.
|
|
|
|
- CertificateFactory.generateCertificates()/generateCRLs()
|
|
|
|
would throw an exception if extra data was found at the end
|
|
|
|
of a PEM file even if valid objects had been found. Extra
|
|
|
|
data is now ignored providing at least one object found.
|
|
|
|
- Internal class PKIXCRLUtil could throw a NullPointerException
|
|
|
|
for CRLs with an absent nextUpdate field. This has been
|
|
|
|
fixed.
|
|
|
|
- PGP ArmoredInputStream now fails earlier on malformed
|
|
|
|
headers.
|
|
|
|
- The McElieceKobaraImaiCipher was randomly throwing "Bad
|
|
|
|
Padding: invalid ciphertext" exception while decrypting due
|
|
|
|
to leading zeroes been missed during processing of the cipher
|
|
|
|
text. This has been fixed.
|
|
|
|
- Ed25519 keys being passed in via OpenSSH key spec are now
|
|
|
|
validated in the KeyFactory.
|
|
|
|
- Blowfish keys are now range checked on cipher construction.
|
|
|
|
- In some cases PGPSecretKeyRing was failing to search its
|
|
|
|
extraPubKeys list when searching for public keys.
|
|
|
|
- The BasicConstraintsValidation class in the BC cert path
|
|
|
|
validation tools has improved conformance to RFC 5280.
|
|
|
|
- AlgorithmIdentifiers involving message digests now attempt to
|
|
|
|
follow the latest conventions for the parameters field
|
|
|
|
(basically DER NULL appears less).
|
|
|
|
- Fix various conversions and interoperability for XDH and
|
|
|
|
EdDSA between BC and SunEC providers.
|
|
|
|
- TLS: Prevent attempts to use KeyUpdate mechanism in versions
|
|
|
|
before TLS 1.3.
|
|
|
|
* Additional Features and Functionality
|
|
|
|
- GCM-SIV has been added to the lightweight API and the
|
|
|
|
provider.
|
|
|
|
- Blake3 has been added to the lightweight API.
|
|
|
|
- The OpenSSL PEMParser can now be extended to add specialised
|
|
|
|
parsers.
|
|
|
|
- Base32 encoding has now been added, the default alphabet is
|
|
|
|
from RFC 4648.
|
|
|
|
- The KangarooTwelve message digest has been added to the
|
|
|
|
lightweight API.
|
|
|
|
- An implementation of the two FPE algorithms, FF1 and FF3-1 in
|
|
|
|
SP 800-38G has been added to the lightweight API and the JCE
|
|
|
|
provider.
|
|
|
|
- An implementation of ParallelHash has been added to the
|
|
|
|
lightweight API.
|
|
|
|
- An implementation of TupleHash has been added to the
|
|
|
|
lightweight API.
|
|
|
|
- RSA-PSS now supports the use of SHAKE128 and SHAKE256 as the
|
|
|
|
mask generation function and digest.
|
|
|
|
- ECDSA now supports the use of SHAKE128 and SHAKE256.
|
|
|
|
- PGPPBEEncryptedData will now reset the stream if the initial
|
|
|
|
checksum fails so another password can be tried.
|
|
|
|
- Iterators on public and secret key ring collections in PGP
|
|
|
|
now reflect the original order of the public/secret key rings
|
|
|
|
they contain.
|
|
|
|
- KeyAgreeRecipientInformation now has a getOriginator() method
|
|
|
|
for retrieving the underlying orginator information.
|
|
|
|
- PGPSignature now has a getDigestPrefix() method for people
|
|
|
|
wanting exposure to the signature finger print details.
|
|
|
|
- The old BKS-V1 format keystore is now disabled by default. If
|
|
|
|
you need to use BKS-V1 for legacy reasons, it can be
|
|
|
|
re-enabled by adding: org.bouncycastle.bks.enable_v1=true to
|
|
|
|
the java.security file. We would be interested in hearing
|
|
|
|
from anyone that needs to do this.
|
|
|
|
- PLAIN-ECDSA now supports the SHA3 digests.
|
|
|
|
- Some highlevel support for RFC 4998 ERS has been added for
|
|
|
|
ArchiveTimeStamp and EvidenceRecord. The new classes are in
|
|
|
|
the org.bouncycastle.tsp.ers package.
|
|
|
|
- ECIES has now also support SHA256, SHA384, and SHA512.
|
|
|
|
- digestAlgorithms filed in CMS SignedData now includes counter
|
|
|
|
signature digest algorithms where possible.
|
|
|
|
- A new property "org.bouncycastle.jsse.config" has been added
|
|
|
|
which can be used to configure the BCJSSE provider when it is
|
|
|
|
created using the no-args constructor.
|
|
|
|
- In line with changes in OpenSSL 1.1.0,
|
|
|
|
OpenSSLPBEParametersGenerator can now be configured with a
|
|
|
|
digest.
|
|
|
|
- PGPKeyRingGenerator now includes a method for adding a subkey
|
|
|
|
with a primary key binding signature.
|
|
|
|
- Support for ASN.1 PRIVATE tags has been added.
|
|
|
|
- Performance enhancements to Nokeon, AES, GCM, and
|
|
|
|
SICBlockCipher.
|
|
|
|
- Support for ecoding/decoding McElieceCCA2 keys has been added
|
|
|
|
to the PQC API
|
|
|
|
- BCJSSE: Added support for jdk.tls.maxCertificateChainLength
|
|
|
|
system property (default is 10).
|
|
|
|
- BCJSSE: Added support for jdk.tls.maxHandshakeMessageSize
|
|
|
|
system property (default is 32768).
|
|
|
|
- BCJSSE: Added support for jdk.tls.client.enableCAExtension
|
|
|
|
(default is 'false').
|
|
|
|
- BCJSSE: Added support for jdk.tls.client.cipherSuites system
|
|
|
|
property.
|
|
|
|
- BCJSSE: Added support for jdk.tls.server.cipherSuites system
|
|
|
|
property.
|
|
|
|
- BCJSSE: Extended ALPN support via standard JSSE API to JDK 8
|
|
|
|
versions after u251/u252.
|
|
|
|
- BCJSSE: Key managers now support EC credentials for use with
|
|
|
|
TLS 1.3 ECDSA signature schemes (including brainpool).
|
|
|
|
- TLS: Add TLS 1.3 support for brainpool curves per RFC 8734.
|
|
|
|
* Notes
|
|
|
|
- There is a small API change in the PKIX package to the
|
|
|
|
DigestAlgorithmIdentifierFinder interface as a find() method
|
|
|
|
that takes an ASN1ObjectIdentifier has been added to it. For
|
|
|
|
people wishing to extend their own implementations, see
|
|
|
|
DefaultDigestAlgorithmIdentifierFinder for a sample
|
|
|
|
implementation.
|
|
|
|
- A version of the bcmail API supporting Jakarta Mail has now
|
|
|
|
been added (see bcjmail jar).
|
|
|
|
- Some work has been done on moving out code that does not need
|
|
|
|
to be in the provider jar. This has reduced the size of the
|
|
|
|
provider jar and should also make it easier for developers to
|
|
|
|
patch the classes involved as they no longer need to be
|
|
|
|
signed. bcpkix and bctls are both dependent on the new bcutil
|
|
|
|
jar.
|
|
|
|
- Add build dependencies on
|
|
|
|
mvn(jakarta.activation:jakarta.activation-api) and
|
|
|
|
mvn(jakarta.mail:jakarta.mail-api)
|
|
|
|
- Remove unneeded script bouncycastle_getpoms.sh from sources
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Mar 30 10:27:18 UTC 2022 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
|
|
|
|
- Build against the standalone JavaEE modules unconditionally
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Mar 18 18:47:50 UTC 2022 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
|
|
|
|
- Build with source/target levels 8
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Mar 17 03:36:32 UTC 2022 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
|
|
|
|
- Add glassfish-activation-api dependency so that we can build with
|
|
|
|
JDK that does not contain the JavaEE modules
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Jul 27 16:03:32 UTC 2021 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
|
|
|
|
- Directory core/docs does not exist
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue May 25 11:39:46 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
|
|
|
|
|
|
|
|
- Add bouncycastle_getpoms.sh to get pom files from Maven repos
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Jan 13 09:44:54 UTC 2021 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
|
|
|
|
- Version update to 1.68
|
|
|
|
* Defects Fixed:
|
|
|
|
- Some BigIntegers utility methods would fail for
|
|
|
|
BigInteger.ZERO. This has been fixed.
|
|
|
|
- PGPUtil.isKeyRing() was not detecting secret sub-keys in its
|
|
|
|
input. This has been fixed.
|
|
|
|
- The ASN.1 class, ArchiveTimeStamp was insisting on a value
|
|
|
|
for the optional reducedHashTree field. This has been fixed.
|
|
|
|
- BCJSSE: Lock against multiple writers - a possible
|
|
|
|
synchronization issue has been removed.
|
|
|
|
* Additional Features and Functionality
|
|
|
|
- BCJSSE: Added support for system property
|
|
|
|
com.sun.net.ssl.requireCloseNotify. Note that we are using a
|
|
|
|
default value of 'true'.
|
|
|
|
- BCJSSE: 'TLSv1.3' is now a supported protocol for both client
|
|
|
|
and server. For this release it is only enabled by default for
|
|
|
|
the 'TLSv1.3' SSLContext, but can be explicitly enabled using
|
|
|
|
'setEnabledProtocols' on an SSLSocket or SSLEngine, or via
|
|
|
|
SSLParameters.
|
|
|
|
- BCJSSE: Session resumption is now also supported for servers
|
|
|
|
in TLS 1.2 and earlier. For this release it is disabled by
|
|
|
|
default, and can be enabled by setting the boolean system
|
|
|
|
property org.bouncycastle.jsse.server.enableSessionResumption
|
|
|
|
to 'true'.
|
|
|
|
- The provider RSA-PSS signature names that follow the JCA
|
|
|
|
naming convention.
|
|
|
|
- FIPS mode for the BCJSSE now enforces namedCurves for any
|
|
|
|
presented certificates.
|
|
|
|
- PGPSignatureSubpacketGenerator now supports editing of a
|
|
|
|
pre-existing sub-packet list.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Dec 21 10:54:33 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
|
|
|
|
|
|
|
|
- Version update to 1.67 [bsc#1180215, CVE-2020-28052]
|
|
|
|
* CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method
|
|
|
|
compared incorrect data when checking the password
|
|
|
|
* Defects Fixed:
|
|
|
|
- BCJSSE: SunJSSE compatibility fix - override of getChannel()
|
|
|
|
removed and 'urgent data' behaviour should now conform to
|
|
|
|
what the SunJSSE expects
|
|
|
|
- Nested BER data could sometimes cause issues in octet strings
|
|
|
|
- Certificates/CRLs with short signatures could cause an exception
|
|
|
|
in toString() in the BC X509 Certificate implmentation
|
|
|
|
- In line with latest changes in the JVM, SignatureSpis which
|
|
|
|
don't require parameters now return null on engineGetParameters()
|
|
|
|
- The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey
|
|
|
|
where it can on requests for a KeySpec based on an RSAPrivateKey
|
|
|
|
- CMSTypedStream$FullReaderStream now handles zero length reads correctly
|
|
|
|
- Unecessary padding was added on KMAC when the key string was block aligned
|
|
|
|
- Zero length data would cause an unexpected exception from RFC5649WrapEngine
|
|
|
|
- OpenBSDBcrypt was failing to handle some valid prefixes
|
|
|
|
* Additional Features and Functionality
|
|
|
|
- Performance improvement of Argon2 and Noekeon
|
|
|
|
- A setSessionKeyObfuscation() method has been added to
|
|
|
|
PublicKeyKeyEncryptionMethodGenerator to allow turning off of session key
|
|
|
|
obfuscation (default is on, method primarily to get around early version
|
|
|
|
GPG issues with AES-128 keys)
|
|
|
|
- Implemented 'safegcd' constant-time modular inversion (as well as a
|
|
|
|
variable-time variant). It has replaced Fermat inversion in all our EC
|
|
|
|
code, and BigInteger.modInverse in several other places, particularly
|
|
|
|
signers. This improves side-channel protection, and also gives a
|
|
|
|
significant performance boost
|
|
|
|
- Performance of custom binary ECC curves and Edwards Curves has been improved
|
|
|
|
- BCJSSE: New boolean system property 'org.bouncycastle.jsse.keyManager.checkEKU'
|
|
|
|
allows to disable ExtendedKeyUsage restrictions when selecting credentials
|
|
|
|
(although the peer may still complain)
|
|
|
|
- Initial support has been added for "Composite Keys and Signatures For Use
|
|
|
|
In Internet PKI" using the test OID. Please note there will be further
|
|
|
|
refinements to this as the draft is standardised
|
|
|
|
- The BC EdDSA signature API now supports keys implementing all methods on
|
|
|
|
the EdECKey and XECKey interfaces directly
|
|
|
|
- Work has begun on classes to support the ETSI TS 103 097, Intelligent
|
|
|
|
Transport Systems (ITS) in the bcpkix package
|
|
|
|
- Further optimization work has been done on GCM
|
|
|
|
- A NewHope based processor, similar to the one for Key Agreement has been
|
|
|
|
added for trying to "quantum hard" KEM algorithms
|
|
|
|
- PGP clear signed signatures now support SHA-224
|
|
|
|
- Treating absent vs NULL as equivalent can now be configured by a system
|
|
|
|
property. By default this is not enabled
|
|
|
|
- Mode name checks in Cipher strings should now make sure an improper mode
|
|
|
|
name always results in a NoSuchAlgorithmException
|
|
|
|
- In line with changes in OpenSSL, the OpenSSLPBKDF now uses UTF8 encoding
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Jul 28 18:50:39 UTC 2020 - Pedro Monreal <pmonreal@suse.com>
|
|
|
|
|
|
|
|
- Version update to 1.66 [bsc#1186328, CVE-2020-15522]
|
|
|
|
* Defects Fixed:
|
|
|
|
- EdDSA verifiers now reset correctly after rejecting overly long signatures.
|
|
|
|
- BCJSSE: SSLSession.getPeerCertificateChain could throw NullPointerException.
|
|
|
|
- qTESLA-I verifier would reject some valid signatures.
|
|
|
|
- qTESLA verifiers now reject overly long signatures.
|
|
|
|
- PGP regression caused failure to preserve existing version header when
|
|
|
|
headers were reset.
|
|
|
|
- PKIXNameConstraintValidator had a bad cast preventing use of multiple
|
|
|
|
OtherName constraints.
|
|
|
|
- Serialisation of the non-CRT RSA Private Key could cause a NullPointerException.
|
|
|
|
- An extra 4 bytes was included in the start of HSS public key encodings.
|
|
|
|
- CMS with Ed448 using a direct signature was using id-shake256-len
|
|
|
|
rather than id-shake256.
|
|
|
|
- Use of GCMParameterSpec could cause an AccessControlException under
|
|
|
|
some circumstances.
|
|
|
|
- DTLS: Fixed high-latency HelloVerifyRequest handshakes.
|
|
|
|
- An encoding bug for rightEncoded() in KMAC has been fixed.
|
|
|
|
- For a few values the cSHAKE implementation would add unnecessary pad bytes
|
|
|
|
where the N and S strings produced encoded data that was block aligned.
|
|
|
|
- There were a few circumstances where Argon2BytesGenerator might hit an
|
|
|
|
unexpected null. These have been removed.
|
|
|
|
* Additional Features and Functionality
|
|
|
|
- The qTESLA signature algorithm has been updated to v2.8 (20191108).
|
|
|
|
- BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension.
|
|
|
|
- Support has been added for "ocsp.enable", "ocsp.responderURL" and
|
|
|
|
PKIXRevocationChecker for users of Java 8 and later.
|
|
|
|
- Support has been added for "org.bouncycastle.x509.enableCRLDP" to the PKIX validator.
|
|
|
|
- BCJSSE: Now supports system property 'jsse.enableFFDHE'
|
|
|
|
- BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes'
|
|
|
|
and 'jdk.tls.server.SignatureSchemes'.
|
|
|
|
- Multi-release support has been added for Java 11 XECKeys.
|
|
|
|
- Multi-release support has been added for Java 15 EdECKeys.
|
|
|
|
- The MiscPEMGenerator will now output general PrivateKeyInfo structures.
|
|
|
|
- A new property "org.bouncycastle.pkcs8.v1_info_only" has been added to
|
|
|
|
make the provider only produce version 1 PKCS8 PrivateKeyInfo structures.
|
|
|
|
- The PKIX CertPathBuilder will now take the target certificate from the target
|
|
|
|
constraints if a specific certificate is given to the selector.
|
|
|
|
- BCJSSE: A range of ARIA and CAMELLIA cipher suites added to supported list.
|
|
|
|
- BCJSSE: Now supports the PSS signature schemes from RFC 8446 (TLS 1.2 onwards).
|
|
|
|
- Performance of the Base64 encoder has been improved.
|
|
|
|
- The PGPPublicKey class will now include direct key signatures when checking
|
|
|
|
for key expiry times.
|
|
|
|
* NOTES:
|
|
|
|
- The qTESLA update breaks compatibility with previous versions.
|
|
|
|
Private keys now include a hash of the public key at the end,
|
|
|
|
and signatures are no longer interoperable with previous versions.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Apr 29 09:28:03 UTC 2020 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
|
|
|
|
|
|
|
- Version update to 1.65
|
|
|
|
* Defects Fixed:
|
|
|
|
- DLExternal would encode using DER encoding for tagged SETs.
|
|
|
|
- ChaCha20Poly1305 could fail for large (>~2GB) files.
|
|
|
|
- ChaCha20Poly1305 could fail for small updates when used via the provider.
|
|
|
|
- Properties.getPropertyValue could ignore system property when other
|
|
|
|
local overrides set.
|
|
|
|
- The entropy gathering thread was not running in daemon mode, meaning there
|
|
|
|
could be a delay in an application shutting down due to it.
|
|
|
|
- A recent change in Java 11 could cause an exception with the BC Provider's
|
|
|
|
implementation of PSS.
|
|
|
|
- BCJSSE: TrustManager now tolerates having no trusted certificates.
|
|
|
|
- BCJSSE: Choice of credentials and signing algorithm now respect the peer's
|
|
|
|
signature_algorithms extension properly.
|
|
|
|
- BCJSSE: KeyManager for KeyStoreBuilderParameters no longer leaks memory.
|
|
|
|
* Additional Features and Functionality:
|
|
|
|
- LMS and HSS (RFC 8554) support has been added to the low level library and
|
|
|
|
the PQC provider.
|
|
|
|
- SipHash128 support has been added to the low level library and the JCE provider.
|
|
|
|
- BCJSSE: BC API now supports explicitly specifying the session to resume.
|
|
|
|
- BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is
|
|
|
|
negotiated (except in FIPS mode).
|
|
|
|
- BCJSSE: Added support for extended_master_secret system properties:
|
|
|
|
jdk.tls.allowLegacyMasterSecret, jdk.tls.allowLegacyResumption,
|
|
|
|
jdk.tls.useExtendedMasterSecret .
|
|
|
|
- BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is
|
|
|
|
negotiated (except in FIPS mode).
|
|
|
|
- BCJSSE: KeyManager and TrustManager now check algorithm constraints for
|
|
|
|
keys and certificate chains.
|
|
|
|
- BCJSSE: KeyManager selection of server credentials now prefers matching
|
|
|
|
SNI hostname (if any).
|
|
|
|
- BCJSSE: KeyManager may now fallback to imperfect credentials (expired,
|
|
|
|
SNI mismatch).
|
|
|
|
- BCJSSE: Client-side OCSP stapling support (beta version: via status_request
|
|
|
|
extension only, provides jdk.tls.client.enableStatusRequestExtension, and
|
|
|
|
requires CertPathBuilder support).
|
|
|
|
- TLS: DSA in JcaTlsCrypto now falls back to stream signing to work around
|
|
|
|
NoneWithDSA limitations in default provider.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Mar 25 13:17:01 UTC 2020 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
|
|
|
|
- Added patch:
|
|
|
|
* bouncycastle-osgi.patch
|
|
|
|
+ Add OSGi manifests to the distributed jars so that they can
|
|
|
|
be used from eclipse
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Nov 6 18:11:54 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
|
|
|
|
|
|
|
- Fix arch dependent macros in noarch package [bsc#1109539]
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sat Oct 12 17:27:09 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
|
|
|
|
|
|
|
- Update pom files with those from Maven repository.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Oct 10 16:29:27 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
|
|
|
|
|
|
|
- Version update to 1.64 [bsc#1153385, CVE-2019-17359]
|
|
|
|
[bsc#1096291, CVE-2018-1000180][bsc#1100694, CVE-2018-1000613]
|
|
|
|
* Security Advisory:
|
|
|
|
- CVE-2019-17359: A change to the ASN.1 parser in 1.63 introduced
|
|
|
|
a regression that can cause an OutOfMemoryError to occur on
|
|
|
|
parsing ASN.1 data.
|
|
|
|
* Defects Fixed:
|
|
|
|
- OpenSSH: Fixed padding in generated Ed25519 private keys.
|
|
|
|
- GOST3410-2012-512 now uses the GOST3411-2012-256 as its KDF digest.
|
|
|
|
- Validation of headers in PemReader now looks for tailing dashes in header.
|
|
|
|
- Some compatibility issues around the signature encryption algorithm
|
|
|
|
field in CMS SignedData and the GOST algorithms have been addressed.
|
|
|
|
* Additional Features and Functionality:
|
|
|
|
- PKCS12 key stores containing only certificates can now be created
|
|
|
|
without the need to provide passwords.
|
|
|
|
- BCJSSE: Initial support for AlgorithmConstraints; protocol versions
|
|
|
|
and cipher suites.
|
|
|
|
- BCJSSE: Initial support for 'jdk.tls.disabledAlgorithms'; protocol
|
|
|
|
versions and cipher suites.
|
|
|
|
- BCJSSE: Add SecurityManager check to access session context.
|
|
|
|
- BCJSSE: Improved SunJSSE compatibility of the NULL_SESSION.
|
|
|
|
- BCJSSE: SSLContext algorithms updated for SunJSSE compatibility
|
|
|
|
(default enabled protocols).
|
|
|
|
- The digest functions Haraka-256 and Haraka-512 have been added to
|
|
|
|
the provider and the light-weight API
|
|
|
|
- XMSS/XMSS^MT key management now allows for allocating subsets of the
|
|
|
|
private key space using the extraKeyShard() method. Use of
|
|
|
|
StateAwareSignature is now deprecated.
|
|
|
|
- Support for Java 11's NamedParameterSpec class has been added
|
|
|
|
(using reflection) to the EC and EdEC KeyPairGenerator implementations.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Oct 10 16:22:11 UTC 2019 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
|
|
|
|
|
|
|
- Version update to 1.63
|
|
|
|
* Defects Fixed:
|
|
|
|
- The ASN.1 parser would throw a large object exception for some objects
|
|
|
|
which could be safely parsed.
|
|
|
|
- GOST3412-2015 CTR mode was unusable at the JCE level.
|
|
|
|
- The DSTU MACs were failing to reset fully on doFinal().
|
|
|
|
- The DSTU MACs would throw an exception if the key was a multiple of the
|
|
|
|
size as the MAC's underlying buffer size.
|
|
|
|
- EdEC and QTESLA were not previously usable with the post Java 9 module structure.
|
|
|
|
- ECNR was not correctly bounds checking the input and could produce invalid signatures.
|
|
|
|
- ASN.1: Enforce no leading zeroes in OID branches (longer than 1 character).
|
|
|
|
- TLS: Fix X448 support in JcaTlsCrypto.
|
|
|
|
- Fixed field reduction for secp128r1 custom curve.
|
|
|
|
- Fixed unsigned multiplications in X448 field squaring.
|
|
|
|
- Some issues over subset Name Constraint validation in the CertPath analyser
|
|
|
|
- TimeStampResponse.getEncoded() could throw an exception if the TimeStampToken was null.
|
|
|
|
- Unnecessary memory usage in the ARGON2 implementation has been removed.
|
|
|
|
- Param-Z in the GOST-28147 algorithm was not resolving correctly.
|
|
|
|
- It is now possible to specify different S-Box parameters for the GOST 28147-89 MAC.
|
|
|
|
* Additional Features and Functionality:
|
|
|
|
- QTESLA is now updated with the round 2 changes. Note: the security catergories,
|
|
|
|
and in some cases key generation and signatures, have changed. The round 1 version is
|
|
|
|
now moved to org.bouncycastle.pqc.crypto.qteslarnd1, this package will be deleted in
|
|
|
|
1.64. Please keep in mind that QTESLA may continue to evolve.
|
|
|
|
- Support has been added for generating Ed25519/Ed448 signed certificates.
|
|
|
|
- A method for recovering the message/digest value from an ECNR signature has been added.
|
|
|
|
- Support for the ZUC-128 and ZUC-256 ciphers and MACs has been added to the provider
|
|
|
|
and the lightweight API.
|
|
|
|
- Support has been added for ChaCha20-Poly1305 AEAD mode from RFC 7539.
|
|
|
|
- Improved performance for multiple ECDSA verifications using same public key.
|
|
|
|
- Support for PBKDF2withHmacSM3 has been added to the BC provider.
|
|
|
|
- The S/MIME API has been fixed to avoid unnecessary delays due to DNS resolution of a
|
|
|
|
hosts name in internal MimeMessage preparation.
|
|
|
|
- The valid path for EST services has been updated to cope with the characters used in
|
|
|
|
the Aruba clearpass EST implementation.
|
|
|
|
|
|
|
|
- Version update to 1.62
|
|
|
|
* Defects Fixed:
|
|
|
|
- DTLS: Fixed infinite loop on IO exceptions.
|
|
|
|
- DTLS: Retransmission timers now properly apply to flights monolithically.
|
|
|
|
- BCJSSE: setEnabledCipherSuites ignores unsupported cipher suites.
|
|
|
|
- BCJSSE: SSLSocket implementations store passed-in 'host' before connecting.
|
|
|
|
- BCJSSE: Handle SSLEngine closure prior to handshake.
|
|
|
|
- BCJSSE: Provider now configurable using security config under Java 11 and later.
|
|
|
|
- EdDSA verifiers now reject overly long signatures.
|
|
|
|
- XMSS/XMSS^MT OIDs now using the values defined in RFC 8391.
|
|
|
|
- XMSS/XMSS^MT keys now encoded with OID at start.
|
|
|
|
- An error causing valid paths to be rejected due to DN based name constraints
|
|
|
|
has been fixed in the CertPath API.
|
|
|
|
- Name constraint resolution now includes special handling of serial numbers.
|
|
|
|
- Cipher implementations now handle ByteBuffer usage where the ByteBuffer has
|
|
|
|
no backing array.
|
|
|
|
- CertificateFactory now enforces presence of PEM headers when required.
|
|
|
|
- A performance issue with RSA key pair generation that was introduced in 1.61
|
|
|
|
has been mostly eliminated.
|
|
|
|
* Additional Features and Functionality:
|
|
|
|
- Builders for X509 certificates and CRLs now support replace and remove extension methods.
|
|
|
|
- DTLS: Added server-side support for HelloVerifyRequest.
|
|
|
|
- DTLS: Added support for an overall handshake timeout.
|
|
|
|
- DTLS: Added support for the heartbeat extension (RFC 6520).
|
|
|
|
- DTLS: Improve record seq. behaviour in HelloVerifyRequest scenarios.
|
|
|
|
- TLS: BasicTlsPSKIdentity now reusable (returns cloned array from getPSK).
|
|
|
|
- BCJSSE: Improved ALPN support, including selectors from Java 9.
|
|
|
|
- Lightweight RSADigestSigner now support use of NullDigest.
|
|
|
|
- SM2Engine now supports C1C3C2 mode.
|
|
|
|
- SHA256withSM2 now added to provider.
|
|
|
|
- BCJSSE: Added support for ALPN selectors (including in BC extension API for earlier JDKs).
|
|
|
|
- BCJSSE: Support 'SSL' algorithm for SSLContext (alias for 'TLS').
|
|
|
|
- The BLAKE2xs XOF has been added to the lightweight API.
|
|
|
|
- Utility classes added to support journaling of SecureRandom and algorithms to allow
|
|
|
|
persistance and later resumption.
|
|
|
|
- PGP SexprParser now handles some unprotected key types.
|
|
|
|
- NONEwithRSA support added to lightweight RSADigestSigner.
|
|
|
|
- Support for the Ethereum flavor of IES has been added to the lightweight API.
|
|
|
|
|
|
|
|
- Version update to 1.61
|
|
|
|
* Defects Fixed:
|
|
|
|
- Use of EC named curves could be lost if keys were constructed.
|
|
|
|
via a key factory and algorithm parameters.
|
|
|
|
- RFC3211WrapEngine would not properly handle messages longer than 127 bytes.
|
|
|
|
- The JCE implementations for RFC3211 would not return null AlgorithmParameters.
|
|
|
|
- TLS: Don't check CCS status for hello_request.
|
|
|
|
- TLS: Tolerate unrecognized hash algorithms.
|
|
|
|
- TLS: Tolerate unrecognized SNI types.
|
|
|
|
- Incompatibility issue in ECIES-KEM encryption in cofactor fixed.
|
|
|
|
- Issue with XMSS/XMSSMT private key loading which could result in invalid signatures fixed.
|
|
|
|
- StateAwareSignature.isSigningCapable() now returns false when the
|
|
|
|
key has reached it's maximum number of signatures.
|
|
|
|
- The McEliece KeyPairGenerator was failing to initialize the underlying
|
|
|
|
class if a SecureRandom was explicitly passed.
|
|
|
|
- The McEliece cipher would sometimes report the wrong value on a call
|
|
|
|
to Cipher.getOutputSize(int).
|
|
|
|
- CSHAKEDigest.leftEncode() was using the wrong endianness for multi byte values.
|
|
|
|
- Some ciphers, such as CAST6, were missing AlgorithmParameters implementations.
|
|
|
|
- An issue with the default "m" parameter for 1024 bit Diffie-Hellman keys which
|
|
|
|
could result in an exception on key pair generation has been fixed.
|
|
|
|
- The SPHINCS256 implementation is now more tolerant of parameters wrapped with a
|
|
|
|
SecureRandom and will not throw an exception if it receives one.
|
|
|
|
- A regression in PGPUtil.writeFileToLiteralData() which could cause corrupted
|
|
|
|
literal data has been fixed.
|
|
|
|
- Several parsing issues related to the processing of CMP PKIPublicationInfo.
|
|
|
|
- The ECGOST curves for id-tc26-gost-3410-12-256-paramSetA and
|
|
|
|
id-tc26-gost-3410-12-512-paramSetC had incorrect co-factors.
|
|
|
|
* Additional Features and Functionality:
|
|
|
|
- The qTESLA signature algorithm has been added to PQC light-weight API and the PQC provider.
|
|
|
|
- The password hashing function, Argon2 has been added to the lightweight API.
|
|
|
|
- BCJSSE: Added support for endpoint ID validation (HTTPS, LDAP, LDAPS).
|
|
|
|
- BCJSSE: Added support for 'useCipherSuitesOrder' parameter.
|
|
|
|
- BCJSSE: Added support for ALPN.
|
|
|
|
- BCJSSE: Various changes for improved compatibility with SunJSSE.
|
|
|
|
- BCJSSE: Provide default extended key/trust managers.
|
|
|
|
- TLS: Added support for TLS 1.2 features from RFC 8446.
|
|
|
|
- TLS: Removed support for EC point compression.
|
|
|
|
- TLS: Removed support for record compression.
|
|
|
|
- TLS: Updated to RFC 7627 from draft-ietf-tls-session-hash-04.
|
|
|
|
- TLS: Improved certificate sig. alg. checks.
|
|
|
|
- TLS: Finalised support for RFC 8442 cipher suites.
|
|
|
|
- Support has been added to the main Provider for the Ed25519 and Ed448 signature algorithms.
|
|
|
|
- Support has been added to the main Provider for the X25519 and X448 key agreement algorithms.
|
|
|
|
- Utility classes have been added for handling OpenSSH keys.
|
|
|
|
- Support for processing messages built using GPG and Curve25519 has been added to the OpenPGP API.
|
|
|
|
- The provider now recognises the standard SM3 OID.
|
|
|
|
- A new API for directly parsing and creating S/MIME documents has been added to the PKIX API.
|
|
|
|
- SM2 in public key cipher mode has been added to the provider API.
|
|
|
|
- The BCFKSLoadStoreParameter has been extended to allow the use of certificates and digital
|
|
|
|
signatures for verifying the integrity of BCFKS key stores.
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Sep 24 14:35:32 UTC 2019 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
|
|
|
|
- Package also the bcpkix bcpg bcmail bctls artifacts in separate
|
|
|
|
sub-packages
|
|
|
|
- Revert to building with source/target 6, since it is still
|
|
|
|
possible
|
|
|
|
- Added patch:
|
|
|
|
* bouncycastle-javadoc.patch
|
|
|
|
+ fix javadoc build
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Jul 19 10:24:12 UTC 2018 - tchvatal@suse.com
|
|
|
|
|
|
|
|
- Version update to 1.60 bsc#1100694:
|
|
|
|
* CVE-2018-1000613 Use of Externally-ControlledInput to Select Classes or Code
|
|
|
|
* CVE-2018-1000180: issue around primality tests for RSA key pair generation
|
|
|
|
if done using only the low-level API [bsc#1096291]
|
|
|
|
* Release notes:
|
|
|
|
http://www.bouncycastle.org/releasenotes.html
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jun 11 12:32:43 UTC 2018 - abergmann@suse.com
|
|
|
|
|
|
|
|
- Version update to 1.59:
|
|
|
|
* CVE-2017-13098: Fix against Bleichenbacher oracle when not
|
|
|
|
using the lightweight APIs (boo#1072697).
|
|
|
|
* CVE-2016-1000338: Fix DSA ASN.1 validation during encoding of
|
|
|
|
signature on verification (boo#1095722).
|
|
|
|
* CVE-2016-1000339: Fix AESEngine key information leak via lookup
|
|
|
|
table accesses (boo#1095853).
|
|
|
|
* CVE-2016-1000340: Fix carry propagation bugs in the
|
|
|
|
implementation of squaring for several raw math classes
|
|
|
|
(boo#1095854).
|
|
|
|
* CVE-2016-1000341: Fix DSA signature generation vulnerability to
|
|
|
|
timing attack (boo#1095852).
|
|
|
|
* CVE-2016-1000342: Fix ECDSA ASN.1 validation during encoding of
|
|
|
|
signature on verification (boo#1095850).
|
|
|
|
* CVE-2016-1000343: Fix week default settings for private DSA key
|
|
|
|
pair generation (boo#1095849).
|
|
|
|
* CVE-2016-1000344: Remove DHIES from the provider to disable the
|
|
|
|
unsafe usage of ECB mode (boo#1096026).
|
|
|
|
* CVE-2016-1000345: Fix DHIES/ECIES CBC mode padding oracle
|
|
|
|
attack (boo#1096025).
|
|
|
|
* CVE-2016-1000346: Fix other party DH public key validation
|
|
|
|
(boo#1096024).
|
|
|
|
* CVE-2016-1000352: Remove ECIES from the provider to disable the
|
|
|
|
unsafe usage of ECB mode (boo#1096022).
|
|
|
|
* Release notes:
|
|
|
|
http://www.bouncycastle.org/releasenotes.html
|
|
|
|
- Removed patch:
|
|
|
|
* ambiguous-reseed.patch
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue May 15 17:44:49 UTC 2018 - fstrba@suse.com
|
|
|
|
|
|
|
|
- Build with source and target 8 to prepare for a possible removal
|
|
|
|
of 1.6 compatibility
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Sep 15 07:25:45 UTC 2017 - fstrba@suse.com
|
|
|
|
|
|
|
|
- Version update to 1.58
|
|
|
|
- Added patch:
|
|
|
|
* ambiguous-reseed.patch
|
|
|
|
+ Upstream fix for an ambiguous overload
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Sep 7 13:04:44 UTC 2017 - fstrba@suse.com
|
|
|
|
|
|
|
|
- Set java source and target to 1.6 to allow building with jdk9
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri May 19 10:17:53 UTC 2017 - pcervinka@suse.com
|
|
|
|
|
|
|
|
- New build dependency: javapackages-local
|
|
|
|
- Fixed requires
|
|
|
|
- Spec file cleaned
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Sat Feb 20 08:34:39 UTC 2016 - tchvatal@suse.com
|
|
|
|
|
|
|
|
- Version update to 1.54:
|
|
|
|
* No obvious changelog to be found
|
|
|
|
* Fixes bnc#967521 CVE-2015-7575
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Oct 23 08:47:46 UTC 2015 - tchvatal@suse.com
|
|
|
|
|
|
|
|
- Version update to 1.53 (latest upstream)
|
|
|
|
* No obvious changelog
|
|
|
|
* Fixes bnc#951727 CVE-2015-7940
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Mar 18 09:46:03 UTC 2015 - tchvatal@suse.com
|
|
|
|
|
|
|
|
- Fix build with new javapackages-tools
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri Feb 20 09:55:46 UTC 2015 - tchvatal@suse.com
|
|
|
|
|
|
|
|
- Disable tests on obs as they hang
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Tue Feb 10 12:29:43 UTC 2015 - tchvatal@suse.com
|
|
|
|
|
|
|
|
- Version bump to 1.50 to match Fedora
|
|
|
|
- Cleanup with spec-cleaner
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jul 7 14:57:54 UTC 2014 - tchvatal@suse.com
|
|
|
|
|
|
|
|
- Depend on junit not junit4
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu May 15 15:29:26 UTC 2014 - darin@darins.net
|
|
|
|
|
|
|
|
- disable bytecode check on sle_11
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Thu Nov 14 11:45:43 UTC 2013 - mvyskocil@suse.com
|
|
|
|
|
|
|
|
- Don't own /etc/java/security to not clash with javapackages-tools
|
|
|
|
- Don't mark random files as config
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Sep 9 11:05:33 UTC 2013 - tchvatal@suse.com
|
|
|
|
|
|
|
|
- Move from jpackage-utils to javapackage-tools
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Wed Aug 28 08:25:18 UTC 2013 - mvyskocil@suse.com
|
|
|
|
|
|
|
|
- use add_maven_depmap from recent javapackages-tools
|
|
|
|
- temporary mozilla-nss to BT: in order to pass a tests
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Fri May 18 12:39:28 UTC 2012 - mvyskocil@suse.cz
|
|
|
|
|
|
|
|
- bumb target to 1.6
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
Mon Jan 16 14:19:33 UTC 2012 - mvyskocil@suse.cz
|
|
|
|
|
|
|
|
- Initial packaging for SUSE
|
|
|
|
from Fedora's bouncycastle 1.46
|
|
|
|
|