pool/bouncycastle
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1170680 from home:pmonrealgonzalez:branches:Java:packages

Browse Source 
- Update to version 1.78: [bsc#1223252, CVE-2024-30171]
  * Security Advisories.
    - CVE-2024-29857: Importing an EC certificate with specially crafted
      F2m parameters can cause high CPU usage during parameter evaluation.
    - CVE-2024-30171: Possible timing based leakage in RSA based handshakes
      due to exception processing eliminated.
    - CVE-2024-30172: Crafted signature and public key can be used to
      trigger an infinite loop in the Ed25519 verification code.
    - CVE-2024-301XX: When endpoint identification is enabled in the BCJSSE
      and an SSL socket is not created with an explicit hostname (as happens
      with HttpsURLConnection), hostname verification could be performed
      against a DNS-resolved IP address. This has been fixed.
  * Defects Fixed:
    - Issues with a dangling weak reference causing intermittent
      NullPointerExceptions in the OcspCache have been fixed.
    - Issues with non-constant time RSA operations in TLS handshakes.
    - Issue with Ed25519, Ed448 signature verification causing intermittent
      infinite loop have been fixed.
    - Issues with non-constant time ML-KEM implementation ("Kyber Slash").
    - Align ML-KEM input validation with FIPS 203 IPD requirements.
    - Make PEM parsing more forgiving of whitespace to align with RFC 7468.
    - Fix CCM length checks with large nonce sizes (n=12, n=13).
    - EAC: Fixed the CertificateBody ASN.1 type to support an optional
      Certification Authority Reference in a Certificate Request.
    - ASN.1: ObjectIdentifier (also Relative OID) parsing has been optimized
      and the contents octets for both types are now limited to 4096 bytes.
    - BCJSSE: Fixed a missing null check on the result of PrivateKey.getEncoded(),
      which could cause issues for HSM RSA keys.
    - BCJSSE: When endpoint identification is enabled and an SSL socket is not
      created with an explicit hostname (as happens with HttpsURLConnection),

OBS-URL: https://build.opensuse.org/request/show/1170680
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=103
This commit is contained in:
Gus Kenion 2024-04-29 08:01:56 +00:00 committed by Git OBS Bridge
parent ca87595d47
commit 129b616253
12 changed files with 98 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
bcjmail-jdk18on-1.77.pom → bcjmail-jdk18on-1.78.pom
View File

@ -5,7 +5,7 @@
<artifactId>bcjmail-jdk18on</artifactId>
<packaging>jar</packaging>
<name>Bouncy Castle Jakarta S/MIME API</name>
<version>1.77</version>
<version>1.78</version>
<description>The Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. This jar contains S/MIME APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. The Jakarta Mail API and the Jakarta activation framework will also be needed.</description>
<url>https://www.bouncycastle.org/java.html</url>
<licenses>
@ -33,19 +33,19 @@
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>1.77</version>
<version>1.78</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcutil-jdk18on</artifactId>
<version>1.77</version>
<version>1.78</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk18on</artifactId>
<version>1.77</version>
<version>1.78</version>
<type>jar</type>
</dependency>
</dependencies>

8
bcmail-jdk18on-1.77.pom → bcmail-jdk18on-1.78.pom
View File

@ -5,7 +5,7 @@
<artifactId>bcmail-jdk18on</artifactId>
<packaging>jar</packaging>
<name>Bouncy Castle S/MIME API</name>
<version>1.77</version>
<version>1.78</version>
<description>The Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. This jar contains S/MIME APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. The JavaMail API and the Java activation framework will also be needed.</description>
<url>https://www.bouncycastle.org/java.html</url>
<licenses>
@ -33,19 +33,19 @@
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>1.77</version>
<version>1.78</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcutil-jdk18on</artifactId>
<version>1.77</version>
<version>1.78</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk18on</artifactId>
<version>1.77</version>
<version>1.78</version>
<type>jar</type>
</dependency>
</dependencies>

4
bcpg-jdk18on-1.77.pom → bcpg-jdk18on-1.78.pom
View File

@ -5,7 +5,7 @@
<artifactId>bcpg-jdk18on</artifactId>
<packaging>jar</packaging>
<name>Bouncy Castle OpenPGP API</name>
<version>1.77</version>
<version>1.78</version>
<description>The Bouncy Castle Java API for handling the OpenPGP protocol. This jar contains the OpenPGP API for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.</description>
<url>https://www.bouncycastle.org/java.html</url>
<licenses>
@ -38,7 +38,7 @@
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>1.77</version>
<version>1.78</version>
<type>jar</type>
</dependency>
</dependencies>

6
bcpkix-jdk18on-1.77.pom → bcpkix-jdk18on-1.78.pom
View File

@ -5,7 +5,7 @@
<artifactId>bcpkix-jdk18on</artifactId>
<packaging>jar</packaging>
<name>Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs</name>
<version>1.77</version>
<version>1.78</version>
<description>The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.8 and up. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.</description>
<url>https://www.bouncycastle.org/java.html</url>
<licenses>
@ -33,13 +33,13 @@
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>1.77</version>
<version>1.78</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcutil-jdk18on</artifactId>
<version>1.77</version>
<version>1.78</version>
<type>jar</type>
</dependency>
</dependencies>

2
bcprov-jdk18on-1.77.pom → bcprov-jdk18on-1.78.pom
View File

@ -5,7 +5,7 @@
<artifactId>bcprov-jdk18on</artifactId>
<packaging>jar</packaging>
<name>Bouncy Castle Provider</name>
<version>1.77</version>
<version>1.78</version>
<description>The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.</description>
<url>https://www.bouncycastle.org/java.html</url>
<licenses>

6
bctls-jdk18on-1.77.pom → bctls-jdk18on-1.78.pom
View File

@ -5,7 +5,7 @@
<artifactId>bctls-jdk18on</artifactId>
<packaging>jar</packaging>
<name>Bouncy Castle JSSE provider and TLS/DTLS API</name>
<version>1.77</version>
<version>1.78</version>
<description>The Bouncy Castle Java APIs for TLS and DTLS, including a provider for the JSSE.</description>
<url>https://www.bouncycastle.org/java.html</url>
<licenses>
@ -33,13 +33,13 @@
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>1.77</version>
<version>1.78</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcutil-jdk18on</artifactId>
<version>1.77</version>
<version>1.78</version>
<type>jar</type>
</dependency>
</dependencies>

4
bcutil-jdk18on-1.77.pom → bcutil-jdk18on-1.78.pom
View File

@ -5,7 +5,7 @@
<artifactId>bcutil-jdk18on</artifactId>
<packaging>jar</packaging>
<name>Bouncy Castle ASN.1 Extension and Utility APIs</name>
<version>1.77</version>
<version>1.78</version>
<description>The Bouncy Castle Java APIs for ASN.1 extension and utility APIs used to support bcpkix and bctls. This jar contains APIs for JDK 1.8 and up.</description>
<url>https://www.bouncycastle.org/java.html</url>
<licenses>
@ -33,7 +33,7 @@
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>1.77</version>
<version>1.78</version>
<type>jar</type>
</dependency>
</dependencies>

11
bouncycastle-notests.patch
View File

@ -1,7 +1,7 @@
Index: bc-java-r1rv76/ant/bc+-build.xml
Index: bc-java-r1rv78/ant/bc+-build.xml
===================================================================
--- bc-java-r1rv76.orig/ant/bc+-build.xml
+++ bc-java-r1rv76/ant/bc+-build.xml
--- bc-java-r1rv78.orig/ant/bc+-build.xml
+++ bc-java-r1rv78/ant/bc+-build.xml
@@ -280,7 +280,7 @@
</target>
@ -11,7 +11,7 @@ Index: bc-java-r1rv76/ant/bc+-build.xml
<target name="build-lw" depends="initMacros">
<!--
@@ -935,146 +935,6 @@
@@ -935,149 +935,6 @@
</target>
@ -38,6 +38,7 @@ Index: bc-java-r1rv76/ant/bc+-build.xml
- <fileset dir="${src.dir}" includes="**/tsp/*UnitTest.java" />
- <fileset dir="${src.dir}" includes="**/utiltest/*Test.java" />
- <fileset dir="${src.dir}" includes="**/util/io/pem/*Test.java" />
- <fileset dir="${src.dir}" includes="**/keybox/*Test.java" />
- <fileset dir="${src.dir}" includes="**/test/*.java" />
- <fileset dir="${src.dir}" includes="**/test/*/*.java" />
- <fileset dir="${src.dir}" includes="**/*.asc" />
@ -68,6 +69,7 @@ Index: bc-java-r1rv76/ant/bc+-build.xml
- </copy>
-
- <delete file="${test.target.src.dir}/org/bouncycastle/pqc/crypto/lms/AllTests.java" />
- <delete file="${test.target.src.dir}/org/bouncycastle/gpg/keybox/AllTests.java" />
- <delete file="${test.target.src.dir}/org/bouncycastle/x509/CertPathReviewerMessages_de.properties" />
- <delete file="${test.target.src.dir}/org/bouncycastle/x509/CertPathReviewerMessages.properties" />
-
@ -106,6 +108,7 @@ Index: bc-java-r1rv76/ant/bc+-build.xml
- </fileset>
- </classpath>
- <sysproperty key="bc.test.data.home" value="../../core/src/test/data" />
- <sysproperty key="test.java.version.prefix" value="${env.JAVA_VERSION_PREFIX}" />
-
- <formatter type="xml" />
- <batchtest todir="${artifacts.reports.xml.dir}" unless="testcase">

66
bouncycastle.changes
View File

@ -1,3 +1,69 @@
-------------------------------------------------------------------
Mon Apr 29 06:39:43 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
- Update to version 1.78: [bsc#1223252, CVE-2024-30171]
* Security Advisories.
- CVE-2024-29857: Importing an EC certificate with specially crafted
F2m parameters can cause high CPU usage during parameter evaluation.
- CVE-2024-30171: Possible timing based leakage in RSA based handshakes
due to exception processing eliminated.
- CVE-2024-30172: Crafted signature and public key can be used to
trigger an infinite loop in the Ed25519 verification code.
- CVE-2024-301XX: When endpoint identification is enabled in the BCJSSE
and an SSL socket is not created with an explicit hostname (as happens
with HttpsURLConnection), hostname verification could be performed
against a DNS-resolved IP address. This has been fixed.
* Defects Fixed:
- Issues with a dangling weak reference causing intermittent
NullPointerExceptions in the OcspCache have been fixed.
- Issues with non-constant time RSA operations in TLS handshakes.
- Issue with Ed25519, Ed448 signature verification causing intermittent
infinite loop have been fixed.
- Issues with non-constant time ML-KEM implementation ("Kyber Slash").
- Align ML-KEM input validation with FIPS 203 IPD requirements.
- Make PEM parsing more forgiving of whitespace to align with RFC 7468.
- Fix CCM length checks with large nonce sizes (n=12, n=13).
- EAC: Fixed the CertificateBody ASN.1 type to support an optional
Certification Authority Reference in a Certificate Request.
- ASN.1: ObjectIdentifier (also Relative OID) parsing has been optimized
and the contents octets for both types are now limited to 4096 bytes.
- BCJSSE: Fixed a missing null check on the result of PrivateKey.getEncoded(),
which could cause issues for HSM RSA keys.
- BCJSSE: When endpoint identification is enabled and an SSL socket is not
created with an explicit hostname (as happens with HttpsURLConnection),
hostname verification could be performed against a DNS-resolved IP address.
- The missing module import of java.logging to the provider module has been added.
- GOST ASN.1 public key alg parameters are now compliant with RFC 9215.
- An off-by-one error in the encoding for EccP256CurvePoint for ITS.
- PEM Parser now enforces PEM headers to start at the beginning of the line
to be meaningful.
* Additional Features and Functionality.
- An implementation of MLS (RFC 9420 - The Messaging Layer Security Protocol)
has been added as a new module.
- NTRU now supports NTRU-HPS4096-1229 and NTRU-HRSS-1373.
- Improvements to PGP support, including Camellia key wrapping and Curve25519,
Curve448 key types (including XDH with HKDF).
- Added initial support for ML-KEM in TLS.
- Added XWing hybrid KEM construction (X25519 + ML-KEM-768).
- Introduced initial KEMSpi support (NTRU, SNTRU Prime) for JDK 21+.
- Introduced initial composite signature support for X509 Certificates.
- PKCS#12 now supports PKCS12-AES256-AES128, PKCS12-AES256-AES128-GCM,
PKCS12-DEF-AES256-AES128, and PKCS12-DEF-AES256-AES128-GCM.
- The default type for the KeyStore.getInstance("PKCS12", "BC") can now be set
using the org.bouncycastle.pkcs12.default system/security property.
- The PGP SExpParser will now handle Ed25519 and Ed448 keys.
- Dilithium and Kyber key encoding updated to latest Draft RFCs
(draft-ietf-lamps-dilithium-certificates and draft-ietf-lamps-kyber-certificates)
- Support has been added for encryption key derivation using HKDF in CMS, see
draft-housley-lamps-cms-cek-hkdf-sha256.
- X500Name now recognises jurisdiction{C,ST,L} DNs.
- CertPathValidationContext and CertificatePoliciesValidation now include
implementations of Memoable.
- The Composite post-quantum signatures implementation has been updated to the
latest draft draft-ounsworth-pq-composite-sigs.
* Full release notes: bouncycastle.org/releasenotes.html#r1rv78
* Rebase bouncycastle-notests.patch
-------------------------------------------------------------------
Mon Dec 4 13:44:16 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

6
bouncycastle.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package bouncycastle
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -17,7 +17,7 @@
%global ver_major 1
%global ver_minor 77
%global ver_minor 78
%global gittag r%{ver_major}rv%{ver_minor}
%global archivever jdk18on-%{ver_major}%{ver_minor}
%global classname org.bouncycastle.jce.provider.BouncyCastleProvider
@ -51,7 +51,7 @@ BuildRequires: jakarta-mail
BuildRequires: javamail
BuildRequires: javapackages-local >= 6
Requires(post): javapackages-tools
Requires(postun):javapackages-tools
Requires(postun): javapackages-tools
Provides: bcprov = %{version}-%{release}
BuildArch: noarch

BIN
r1rv77.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

3
r1rv78.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6eb33f05248aa74a7927435d364c5fbeb3f3885e476f36e1ee36ff58f4db49e4
size 47211676