Commit Graph

64 Commits

Author SHA256 Message Date
Fridrich Strba
95b48a5fba Accepting request 1118599 from home:pmonrealgonzalez:branches:Java:packages
- Update to version 1.76:
  * Defects Fixed:
    - Service allocation in the provider could fail due to the lack
      of a permission block. This has been fixed.
    - JceKeyFingerPrintCalculator has been generalised for different
      providers by using "SHA-256" for the algorithm string.
    - BCJSSE: Fixed a regression in 1.74 (NullPointerException) that
      prevents a BCJSSE server from negotiating TLSv1.1 or earlier.
    - DTLS: Fixed server support for client_certificate_type extension.
    - Cipher.unwrap() for HQC could fail due to a miscalculation of
      the length of the KEM packet. This has been fixed.
    - There was exposure to a Java 7 method in the Java 5 to Java 8
      BCTLS jar which could cause issues with some TLS 1.2 cipher
      suites running on older JVMs. This is now fixed.
  * Additional Features and Functionality:
    - BCJSSE: Following OpenJDK, finalizers have been removed from
      SSLSocket subclasses. Applications should close sockets and
      not rely on garbage collection.
    - BCJSSE: Added support for boolean system property
      "jdk.tls.client.useCompatibilityMode" (default "true").
    - DTLS: Added server support for session resumption.
    - JcaPKCS10CertificationRequest will now work with EC on the
      OpenJDK provider.
    - TimeStamp generation now supports the SHA3 algorithm set.
    - The SPHINCS+ simple parameters are now fully supported in the
      BCPQC provider.
    - Kyber, Classic McEliece, HQC, and Bike now supported by the
      CRMF/CMS/CMP APIs.
    - Builder classes have been added for PGP ASCII Armored streams
      allowing CRCs and versions to now be optional.

OBS-URL: https://build.opensuse.org/request/show/1118599
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=99
2023-10-18 15:39:06 +00:00
Fridrich Strba
faa1927d4a Accepting request 1114358 from Java:packages:test
javapackages >= 6

OBS-URL: https://build.opensuse.org/request/show/1114358
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=98
2023-09-29 13:18:38 +00:00
Fridrich Strba
6fc0a8125c OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=96 2023-06-21 06:26:06 +00:00
Fridrich Strba
14f682e6b5 Accepting request 1094146 from home:pmonrealgonzalez:branches:Java:packages
- Update to version 1.74: [bsc#1212508, CVE-2023-33201]
  * Defects Fixed:
    - AsconEngine: Fixed a buffering bug when decrypting across
      multiple processBytes calls (ascon128a unaffected).
    - Context based sanity checking on PGP signatures has been added.
    - The ParallelHash clone constructor was not copying all fields.
    - The maximum number of blocks for CTR/SIC modes was 1 block
      less than it should have been.
  * Additional Features and Functionality:
    - The PGP API now supports wildcard key IDs for public key
      based data encryption.
    - LMS now supports SHA256/192, SHAKE256/192, and SHAKE256/256
      (the additional SP 8000-208 parameter sets).
    - The PGP API now supports V5 and V6 AEAD encryption for
      encrypted data packets.
    - The PGP examples have been updated to reflect key size and algorithm
      changes that have occurred since they were first written (10+ years...).
    - (D)TLS: A new callback 'TlsPeer.notifyConnectionClosed' will be called
      when the connection is closed (including by failure).
    - BCJSSE: Improved logging of connection events and include unique IDs
      in connection-specific log messages.
    - BCJSSE: Server now logs the offered cipher suites when it fails to
      select one.
    - BCJSSE: Added support for SSLParameters namedGroups and
      signatureSchemes properties (can also be used via BCJSSE
      extension API in earlier Java versions).
    - DTLS: The initial handshake re-send time is now configurable by
      overriding 'TlsPeer.getHandshakeResendTimeMillis'.
    - DTLS: Added support for connection IDs per RFC 9146.
    - DTLS: Performance of DTLSVerifier has been improved so that it can

OBS-URL: https://build.opensuse.org/request/show/1094146
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=95
2023-06-20 18:37:28 +00:00
Fridrich Strba
21fc031a26 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=94 2023-06-20 17:37:47 +00:00
Fridrich Strba
c748340584 Accepting request 1082715 from home:pmonrealgonzalez:branches:Java:packages
- Update to version 1.73:
  * Defects Fixed:
    - BCJSSE: Instantiating a JSSE provider in some contexts could
      cause an AccessControl exception.
    - The EC key pair generator can generate out of range private
      keys when used with SM2. A specific SM2KeyPairGenerator has
      been added to the low-level API and is used by
      KeyPairGenerator.getInstance("SM2", "BC"). The SM2 signer has
      been updated to check for out of range keys as well.
    - The attached signature type byte was still present in Falcon
      signatures as well as the detached signature byte.
    - There was an off-by-one error in engineGetOutputSize() for ECIES.
    - The method for invoking read() internally in BCPGInputStream
      could result in inconsistent behaviour if the class was extended.
    - Fixed a rounding issue with FF1 Format Preserving Encryption
      algorithm for certain radices.
    - Fixed RFC3394WrapEngine handling of 64 bit keys.
    - Internal buffer for blake2sp was too small and could result in
      an ArrayIndexOutOfBoundsException.
    - JCA PSS Signatures using SHAKE128 and SHAKE256 now support
      encoding of algorithm parameters.
    - PKCS10CertificationRequest now checks for empty extension
      parameters.
    - Parsing errors in the processing of PGP Armored Data now throw
      an explicit exception ArmoredInputException.
    - PGP AEAD streams could occasionally be truncated.
    - The ESTService class now supports processing of chunked HTTP data.
    - A constructed ASN.1 OCTET STRING with a single member would
      sometimes be re-encoded as a definite-length OCTET STRING. The
      encoding has been adjusted to preserve the BER status of the object.

OBS-URL: https://build.opensuse.org/request/show/1082715
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=92
2023-04-25 11:19:32 +00:00
OBS User buildservice-autocommit
30664b8131 Updating link to change in openSUSE:Factory/bouncycastle revision 37
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=92dd974ab68a847665fd91666104d4b3
2023-03-17 16:08:11 +00:00
Fridrich Strba
0d89504f88 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=91 2023-03-17 15:14:25 +00:00
Fridrich Strba
2856f4a614 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=90 2023-03-17 02:24:31 +00:00
Fridrich Strba
d09e96776f OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=88 2022-10-20 06:37:03 +00:00
Fridrich Strba
ae79d27cb1 Accepting request 1030002 from home:pmonrealgonzalez:branches:Java:packages
- Update to version 1.72:
  * Defects Fixed:
    - There were parameter errors in XMSS^MT OIDs for
      XMSSMT_SHA2_40/4_256 and XMSSMT_SHA2_60/3_256. These have
      been fixed.
    - There was an error in Merkle tree construction for the
      Evidence Records (ERS) implementation which could result in
      invalid roots being timestamped. ERS now produces an
      ArchiveTimeStamp for each data object/group with an associated
      reduced hash tree. The reduced hash tree is now calculated as
      a simple path to the root of the tree for each record.
    - OpenPGP will now ignore signatures marked as non-exportable
      on encoding.
    - A tagging calculation error in GCMSIV which could result in
      incorrect tags has been fixed.
    - Issues around Java 17 which could result in failing tests
      have been addressed.
  * Additional Features and Functionality:
    - BCJSSE: TLS 1.3 is now enabled by default where no explicit
      protocols are supplied (e.g. "TLS" or "Default" SSLContext
      algorithms, or SSLContext.getDefault() method).
    - BCJSSE: Rewrite SSLEngine implementation to improve compatibility
      with SunJSSE.
    - BCJSSE: Support export of keying material via extension API.
    - (D)TLS: Add support for 'tls-exporter' channel binding per RFC 9266.
    - (D)TLS (low-level API): By default, only (D)TLS 1.2 and TLS 1.3 are
      offered now. Earlier versions are still supported if explicitly
      enabled. Users may need to check they are offering suitable
      cipher suites for TLS 1.3.
    - (D)TLS (low-level API): Add support for raw public keys per RFC 7250.

OBS-URL: https://build.opensuse.org/request/show/1030002
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=87
2022-10-20 06:34:10 +00:00
Fridrich Strba
92805dd9df OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=85 2022-05-24 08:17:51 +00:00
Fridrich Strba
146cbda882 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=83 2022-04-23 09:14:00 +00:00
Fridrich Strba
7768f3fd28 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=82 2022-04-23 08:51:25 +00:00
Fridrich Strba
f3740be104 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=81 2022-04-23 08:39:05 +00:00
Fridrich Strba
ac926a385b OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=80 2022-04-23 08:31:37 +00:00
Fridrich Strba
0c299bdc08 Accepting request 972261 from home:urbic:java
- Version update to 1.71
  * Defects Fixed
    - In line with GPG the PGP API now attempts to preserve
      comments containing non-ascii UTF8 characters.
    - An accidental partial dependency on Java 1.7 has been removed
      from the TLS API.
    - JcaPKIXIdentityBuilder would fail to process File objects
      correctly. This is now fixed.
    - Some byte[] parameters to the CMP API were not being
      defensively cloned to prevent accidental changes. Extra
      defensive cloning has been added.
    - CMS primitives would sometimes convert ASN.1 definite-length
      encodings into indefinite-length encodings. The primitives
      will now try and preserve the original encoding where possible.
    - CMSSignedData.getAttributeCertificates() now properly
      restricts the tag values checked to just 1 (the obsolete
      v1 tag) and 2 (for the more current v2 certificates).
    - BCJSSE now tries to validate a custom KeyManager selection
      in order to catch errors around a key manager ignoring
      key type early.
    - Compressed streams in PGP ending with zero length partial
      packets could cause failure on parsing the OpenPGP API.
      This has been fixed.
    - The fallback mode for JceAsymmetricKeyWrapper/Unwrapper
      would lose track of any algorithm parameters generated
      in the initial attempt. The algorithm parameters are now
      propagated.
    - An accidental regression introduced by a fix for another
      issue in PKIXCertPathReviewer around use of the
      AuthorityKeyIdentifier extension and it failing to match
      a certificate uniquely when the serial number field
      is missing has been fixed.
    - An error was found in the creation of TLS 1.3 Export Keying
      Material which could cause compatibility issues. This has
      been fixed.
  * Additional Features and Functionality
    - Support has been added for OpenPGP regular expression
      signature packets.
    - Support has been added for OpenPGP PolicyURI signature
      packets.
    - A utility method has been added to PGPSecretKeyRing to allow
      for inserting or replacing a PGPPublicKey.
    - The NIST PQC Finalist, Classic McEliece has been added to the
      low level API and the BCPQC provider.
    - The NIST PQC Alternate Candidate, SPHINCS+ has been added to
      the BCPQC provider.
    - The NIST PQC Alternate Candidate, FrodoKEM has been added to
      the low level API and the BCPQC provider.
    - The NIST PQC Finalist, SABER has been added to the low level
      API and the BCPQC provider.
    - KMAC128, KMAC256 has been added to the BC provider (empty
      customization string).
    - TupleHash128, TupleHash256 has been added to the BC provider
      (empty customization string).
    - ParallelHash128, ParallelHash256 has been added to the BC
      provider (empty customization string, block size 1024 bits).
    - Two new properties: "org.bouncycastle.rsa.max_size" (default
      15360) and "org.bouncycastle.ec.fp_max_size" (default 1042)
      have been added to cap the maximum size of RSA and EC keys.
    - RSA modulus are now checked to be provably composite using
      the enhanced MR probable prime test.
    - Imported EC Fp basis values are now validated against the MR
      prime number test before use. The certainty level of the
      prime test can be determined by
      "org.bouncycastle.ec.fp_certainty" (default 100).
    - The BC entropy thread now has a specific name:
      "BC-ENTROPY-GATHERER".
    - Utility methods have been added for joining/merging PGP
      public keys and signatures.
    - Blake3-256 has been added to the BC provider.
    - DTLS: optimisation to delayed handshake hash.
    - Further additions to the ETSI 102 941 support in the ETSI/ITS
      package: certification request, signed message generation and
      verification now supported.
    - CMSSignedDataGenerator now supports the direct generation of
      definite-length data.
    - The NetscapeCertType class now has a hasUsages() method on it
      for querying usage settings on its bit string.
    - Support for additional input has been added for deterministic
      (EC)DSA.
    - The OpenPGP API provides better support for subkey
      generation.
    - BCJSSE: Added boolean system properties
      "org.bouncycastle.jsse.client.dh.disableDefaultSuites" and
      "org.bouncycastle.jsse.server.dh.disableDefaultSuites".
      Default "false". Set to "true" to disable inclusion of DH
      cipher suites in the default cipher suites for client/server
      respectively.
  * Notes
    - The deprecated QTESLA implementation has been removed from
      the BCPQC provider.
    - The submission update to SPHINCS+ has been added. This
      changes the generation of signatures - particularly
      deterministic ones.
- Version update to 1.70
  * Defects Fixed
    - Blake 3 output limit is enforced.
    - The PKCS12 KeyStore was relying on default precedence for its
      key Cipher implementation so was sometimes failing if used
      from the keytool. The KeyStore class now makes sure it uses
      the correct Cipher implementation.
    - Fixed bzip2 compression for empty contents (GH #993).
    - ASN.1: More robust handling of high tag numbers and
      definite-length forms.
    - BCJSSE: Fix a concurrent modification issue in session
      contexts (GH#968).
    - BCJSSE: Don't log sensitive system property values (GH#976).
    - BCJSSE: Fixed a priority issue amongst imperfect-match
      credentials in KeyManager classes.
    - The IES AlgorithmParameters object has been re-written to
      properly support all the variations of IESParameterSpec.
    - getOutputSize() for ECIES has been corrected to avoid
      occasional underestimates.
    - The lack of close() in the ASN.1 Dump command line utility
      was triggering false positives in some code analysis tools. A
      close() call has been added.
    - PGPPublicKey.getBitStrength() now properly recognises EdDSA
      keys.
  * Additional Features and Functionality
    - Missing PGP CRC checksums can now be optionally ignored using
      setDetectMissingCRC() (default false) on ArmoredInputStream.
    - PGPSecretKey.copyWithNewPassword() now has a variant which
      uses USAGE_SHA1 for key protection if a PGPDigestCalculator
      is passed in.
    - PGP ASCII armored data now skips "\t", "\v", and "\f".
    - PKCS12 files with duplicate localKeyId attributes on
      certificates will now have the incorrect attributes filtered
      out, rather than the duplicate causing an exception.
    - PGPObjectFactory will now ignore packets representing
      unrecognised signature versions in the input stream.
    - The X.509 extension generator will now accumulate some
      duplicate X.509 extensions into a single extension where it
      is possible to do so.
    - Removed support for maxXofLen in Kangaroo digest.
    - Ignore marker packets in PGP Public and Secret key ring
      collection.
    - An implementation of LEA has been added to the low-level API.
    - Access, recovery, and direct use for PGP session keys has
      been added to the OpenPGP API for processing encrypted data.
    - A PGPCanonicalizedDataGenerator has been added which converts
      input into canonicalized literal data for text and UTF-8
      mode.
    - A getUserKeyingMaterial() method has been added to the
      KeyAgreeRecipientInformation class.
    - ASN.1: Tagged objects (and parsers) now support all tag
      classes. Special code for ApplicationSpecific has been
      deprecated and re-implemented in terms of TaggedObject.
    - ASN.1: Improved support for nested tagging.
    - ASN.1: Added support for GraphicString, ObjectDescriptor,
      RelativeOID.
    - ASN.1: Added support for constructed BitString encodings,
      including efficient parsing for large values.
    - TLS: Added support for external PSK handshakes.
    - TLS: Check policy restrictions on key size when determining
      cipher suite support.
    - A performance issue in KeccakDigest due to left over debug
      code has been identified and dealt with.
    - BKS key stores can now be used for collecting protected keys
      (note: any attempt to store such a store will cause an
      exception).
    - A method for recovering user keying material has been added
      to KeyAgreeRecipientInformation.
    - Support has been added to the CMS API for SHA-3 based
      PLAIN-ECDSA.
    - The low level BcDefaultDigestProvider now supports the SHAKE
      family of algorithms and the SM3 algorithm.
    - PGPKeyRingGenerator now supports creation of key-rings with
      direct-key identified keys.
    - The PQC NIST candidate, signature algorithm SPHINCS+ has been
      added to the low-level API.
    - ArmoredInputStream now explicitly checks for a '\n' if in
      crLF mode.
    - Direct support for NotationDataOccurances, Exportable,
      Revocable, IntendedRecipientFingerPrints, and AEAD algorithm
      preferences has been added to PGPSignatureSubpacketVector.
    - Further support has been added for keys described using
      S-Expressions in GPG 2.2.X.
    - Support for OpenPGP Session Keys from the (draft) Stateless
      OpenPGP CLI has been added.
    - Additional checks have been added for PGP marker packets in
      the parsing of PGP objects.
    - A CMSSignedData.addDigestAlgorithm() has been added to allow
      for adding additional digest algorithm identifiers to CMS
      SignedData structures when required.
    - Support has been added to CMS for the LMS/HSS signature
      algorithm.
    - The system property
      "org.bouncycastle.jsse.client.assumeOriginalHostName"
      (default false) has been added for dealing with SNI problems
      related to the host name not being propagated by the JVM.
    - The JcePKCSPBEOutputEncryptorBuilder now supports SCRYPT with
      ciphers that do not have algorithm parameters (e.g. AESKWP).
    - Support is now added for certificates using ETSI TS 103 097,
      "Intelligent Transport Systems (ITS)" in the bcpkix package.
  * Notes.
    - While this release should maintain source code compatibility,
      developers making use of some parts of the ASN.1 library will
      find that some classes need recompiling. Apologies for the
      inconvenience.
- Version update to 1.69
  * Defects Fixed
    - Lightweight and JCA conversion of Ed25519 keys in the PGP API
      could drop the leading byte as it was zero. This has been
      fixed.
    - Marker packets appearing at the start of PGP public key rings
      could cause parsing failure. This has been fixed.
    - ESTService could fail for some valid Content-Type headers.
      This has been fixed.
    - Originator key algorithm parameters were being passed as NULL
      in key agreement recipients. The parameters now reflect the
      value of the parameters in the key's SubjectPublicKeyInfo.
    - ContentType on encapsulated data was not being passed through
      correctly for authenticated and enveloped data. This has been
      fixed.
    - NTRUEncryptionParameters and
      NTRUEncryptionKeyGenerationParameters were not correctly
      cloning the contained message digest. This has been fixed.
    - CertificateFactory.generateCertificates()/generateCRLs()
      would throw an exception if extra data was found at the end
      of a PEM file even if valid objects had been found. Extra
      data is now ignored providing at least one object found.
    - Internal class PKIXCRLUtil could throw a NullPointerException
      for CRLs with an absent nextUpdate field. This has been
      fixed.
    - PGP ArmoredInputStream now fails earlier on malformed
      headers.
    - The McElieceKobaraImaiCipher was randomly throwing "Bad
      Padding: invalid ciphertext" exception while decrypting due
      to leading zeroes being missed during processing of the cipher
      text. This has been fixed.
    - Ed25519 keys being passed in via OpenSSH key spec are now
      validated in the KeyFactory.
    - Blowfish keys are now range checked on cipher construction.
    - In some cases PGPSecretKeyRing was failing to search its
      extraPubKeys list when searching for public keys.
    - The BasicConstraintsValidation class in the BC cert path
      validation tools has improved conformance to RFC 5280.
    - AlgorithmIdentifiers involving message digests now attempt to
      follow the latest conventions for the parameters field
      (basically DER NULL appears less).
    - Fix various conversions and interoperability for XDH and
      EdDSA between BC and SunEC providers.
    - TLS: Prevent attempts to use KeyUpdate mechanism in versions
      before TLS 1.3.
  * Additional Features and Functionality
    - GCM-SIV has been added to the lightweight API and the
      provider.
    - Blake3 has been added to the lightweight API.
    - The OpenSSL PEMParser can now be extended to add specialised
      parsers.
    - Base32 encoding has now been added, the default alphabet is
      from RFC 4648.
    - The KangarooTwelve message digest has been added to the
      lightweight API.
    - An implementation of the two FPE algorithms, FF1 and FF3-1 in
      SP 800-38G has been added to the lightweight API and the JCE
      provider.
    - An implementation of ParallelHash has been added to the
      lightweight API.
    - An implementation of TupleHash has been added to the
      lightweight API.
    - RSA-PSS now supports the use of SHAKE128 and SHAKE256 as the
      mask generation function and digest.
    - ECDSA now supports the use of SHAKE128 and SHAKE256.
    - PGPPBEEncryptedData will now reset the stream if the initial
      checksum fails so another password can be tried.
    - Iterators on public and secret key ring collections in PGP
      now reflect the original order of the public/secret key rings
      they contain.
    - KeyAgreeRecipientInformation now has a getOriginator() method
      for retrieving the underlying originator information.
    - PGPSignature now has a getDigestPrefix() method for people
      wanting exposure to the signature finger print details.
    - The old BKS-V1 format keystore is now disabled by default. If
      you need to use BKS-V1 for legacy reasons, it can be
      re-enabled by adding: org.bouncycastle.bks.enable_v1=true to
      the java.security file. We would be interested in hearing
      from anyone that needs to do this.
    - PLAIN-ECDSA now supports the SHA3 digests.
    - Some highlevel support for RFC 4998 ERS has been added for
      ArchiveTimeStamp and EvidenceRecord. The new classes are in
      the org.bouncycastle.tsp.ers package.
    - ECIES now also supports SHA256, SHA384, and SHA512.
    - digestAlgorithms field in CMS SignedData now includes counter
      signature digest algorithms where possible.
    - A new property "org.bouncycastle.jsse.config" has been added
      which can be used to configure the BCJSSE provider when it is
      created using the no-args constructor.
    - In line with changes in OpenSSL 1.1.0,
      OpenSSLPBEParametersGenerator can now be configured with a
      digest.
    - PGPKeyRingGenerator now includes a method for adding a subkey
      with a primary key binding signature.
    - Support for ASN.1 PRIVATE tags has been added.
    - Performance enhancements to Noekeon, AES, GCM, and
      SICBlockCipher.
    - Support for encoding/decoding McElieceCCA2 keys has been added
      to the PQC API
    - BCJSSE: Added support for jdk.tls.maxCertificateChainLength
      system property (default is 10).
    - BCJSSE: Added support for jdk.tls.maxHandshakeMessageSize
      system property (default is 32768).
    - BCJSSE: Added support for jdk.tls.client.enableCAExtension
      (default is 'false').
    - BCJSSE: Added support for jdk.tls.client.cipherSuites system
      property.
    - BCJSSE: Added support for jdk.tls.server.cipherSuites system
      property.
    - BCJSSE: Extended ALPN support via standard JSSE API to JDK 8
      versions after u251/u252.
    - BCJSSE: Key managers now support EC credentials for use with
      TLS 1.3 ECDSA signature schemes (including brainpool).
    - TLS: Add TLS 1.3 support for brainpool curves per RFC 8734.
  * Notes
    - There is a small API change in the PKIX package to the
      DigestAlgorithmIdentifierFinder interface as a find() method
      that takes an ASN1ObjectIdentifier has been added to it. For
      people wishing to extend their own implementations, see
      DefaultDigestAlgorithmIdentifierFinder for a sample
      implementation.
    - A version of the bcmail API supporting Jakarta Mail has now
      been added (see bcjmail jar).
    - Some work has been done on moving out code that does not need
      to be in the provider jar. This has reduced the size of the
      provider jar and should also make it easier for developers to
      patch the classes involved as they no longer need to be
      signed. bcpkix and bctls are both dependent on the new bcutil
      jar.
- Add build dependencies on
  mvn(jakarta.activation:jakarta.activation-api) and
  mvn(jakarta.mail:jakarta.mail-api)
- Remove unneeded script bouncycastle_getpoms.sh from sources

OBS-URL: https://build.opensuse.org/request/show/972261
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=79
2022-04-23 08:04:44 +00:00
Fridrich Strba
f5ae8f84c4 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=77 2022-03-30 10:27:32 +00:00
Fridrich Strba
843f475c76 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=75 2022-03-20 07:43:11 +00:00
Fridrich Strba
6f517de642 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=74 2022-03-18 18:48:15 +00:00
Fridrich Strba
cb71cbe25c OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=73 2022-03-18 09:00:47 +00:00
Fridrich Strba
87e03ab720 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=72 2022-03-17 10:17:41 +00:00
Fridrich Strba
63367728e5 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=71 2022-03-17 03:36:52 +00:00
Fridrich Strba
65ead1190f OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=70 2021-07-27 16:04:01 +00:00
9bfd3c6261 Accepting request 895363 from home:pmonrealgonzalez:branches:Java:packages
- Add bouncycastle_getpoms.sh to get pom files from Maven repos

- Version update to 1.66 [bsc#1186328, CVE-2020-15522]

OBS-URL: https://build.opensuse.org/request/show/895363
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=68
2021-05-25 11:51:48 +00:00
Fridrich Strba
ada743e4db OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=66 2021-01-13 09:50:30 +00:00
Fridrich Strba
74c8888358 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=65 2021-01-11 15:35:48 +00:00
Fridrich Strba
6ed97bbe3e OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=64 2021-01-11 15:21:09 +00:00
5eae70dad1 Accepting request 857837 from home:pmonrealgonzalez:branches:Java:packages
- Version update to 1.67 [bsc#1180215, CVE-2020-28052]
  * CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method
    compared incorrect data when checking the password
  * Defects Fixed:
    - BCJSSE: SunJSSE compatibility fix - override of getChannel()
      removed and 'urgent data' behaviour should now conform to
      what the SunJSSE expects
    - Nested BER data could sometimes cause issues in octet strings
    - Certificates/CRLs with short signatures could cause an exception
      in toString() in the BC X509 Certificate implementation
    - In line with latest changes in the JVM, SignatureSpis which
      don't require parameters now return null on engineGetParameters()
    - The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey
      where it can on requests for a KeySpec based on an RSAPrivateKey
    - CMSTypedStream$FullReaderStream now handles zero length reads correctly
    - Unnecessary padding was added on KMAC when the key string was block aligned
    - Zero length data would cause an unexpected exception from RFC5649WrapEngine
    - OpenBSDBcrypt was failing to handle some valid prefixes
  * Additional Features and Functionality
    - Performance improvement of Argon2 and Noekeon
    - A setSessionKeyObfuscation() method has been added to
      PublicKeyKeyEncryptionMethodGenerator to allow turning off of session key
      obfuscation (default is on, method primarily to get around early version
      GPG issues with AES-128 keys)
    - Implemented 'safegcd' constant-time modular inversion (as well as a
      variable-time variant). It has replaced Fermat inversion in all our EC
      code, and BigInteger.modInverse in several other places, particularly
      signers. This improves side-channel protection, and also gives a
      significant performance boost
    - Performance of custom binary ECC curves and Edwards Curves has been improved

OBS-URL: https://build.opensuse.org/request/show/857837
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=62
2020-12-21 15:42:49 +00:00
Fridrich Strba
e17cf6e6b9 Accepting request 823216 from home:pmonrealgonzalez:branches:Java:packages
- Version update to 1.66
  * Defects Fixed:
    - EdDSA verifiers now reset correctly after rejecting overly long signatures.
    - BCJSSE: SSLSession.getPeerCertificateChain could throw NullPointerException.
    - qTESLA-I verifier would reject some valid signatures.
    - qTESLA verifiers now reject overly long signatures.
    - PGP regression caused failure to preserve existing version header when
      headers were reset.
    - PKIXNameConstraintValidator had a bad cast preventing use of multiple
      OtherName constraints.
    - Serialisation of the non-CRT RSA Private Key could cause a NullPointerException.
    - An extra 4 bytes was included in the start of HSS public key encodings.
    - CMS with Ed448 using a direct signature was using id-shake256-len
      rather than id-shake256.
    - Use of GCMParameterSpec could cause an AccessControlException under
      some circumstances.
    - DTLS: Fixed high-latency HelloVerifyRequest handshakes.
    - An encoding bug for rightEncoded() in KMAC has been fixed.
    - For a few values the cSHAKE implementation would add unnecessary pad bytes
      where the N and S strings produced encoded data that was block aligned.
    - There were a few circumstances where Argon2BytesGenerator might hit an
      unexpected null. These have been removed.
  * Additional Features and Functionality
    - The qTESLA signature algorithm has been updated to v2.8 (20191108).
    - BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension.
    - Support has been added for "ocsp.enable", "ocsp.responderURL" and
      PKIXRevocationChecker for users of Java 8 and later.
    - Support has been added for "org.bouncycastle.x509.enableCRLDP" to the PKIX validator.
    - BCJSSE: Now supports system property 'jsse.enableFFDHE'
    - BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes'

OBS-URL: https://build.opensuse.org/request/show/823216
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=60
2020-07-29 05:46:14 +00:00
Fridrich Strba
0c8c1f0bf9 Accepting request 798842 from home:pmonrealgonzalez:branches:Java:packages
- Version update to 1.65
  * Defects Fixed:
    - DLExternal would encode using DER encoding for tagged SETs.
    - ChaCha20Poly1305 could fail for large (>~2GB) files.
    - ChaCha20Poly1305 could fail for small updates when used via the provider.
    - Properties.getPropertyValue could ignore system property when other
       local overrides set.
    - The entropy gathering thread was not running in daemon mode, meaning there
       could be a delay in an application shutting down due to it.
    - A recent change in Java 11 could cause an exception with the BC Provider's
       implementation of PSS.
    - BCJSSE: TrustManager now tolerates having no trusted certificates.
    - BCJSSE: Choice of credentials and signing algorithm now respect the peer's
       signature_algorithms extension properly.
    - BCJSSE: KeyManager for KeyStoreBuilderParameters no longer leaks memory.
  * Additional Features and Functionality:
    - LMS and HSS (RFC 8554) support has been added to the low level library and
       the PQC provider.
    - SipHash128 support has been added to the low level library and the JCE provider.
    - BCJSSE: BC API now supports explicitly specifying the session to resume.
    - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is
       negotiated (except in FIPS mode).
    - BCJSSE: Added support for extended_master_secret system properties:
       jdk.tls.allowLegacyMasterSecret, jdk.tls.allowLegacyResumption,
       jdk.tls.useExtendedMasterSecret.
    - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is
       negotiated (except in FIPS mode).
    - BCJSSE: KeyManager and TrustManager now check algorithm constraints for
       keys and certificate chains.
    - BCJSSE: KeyManager selection of server credentials now prefers matching

OBS-URL: https://build.opensuse.org/request/show/798842
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=58
2020-04-29 10:37:17 +00:00
Fridrich Strba
2e5255ad6b OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=56 2020-03-25 15:44:21 +00:00
Tomáš Chvátal
d399f16cba Accepting request 746071 from home:pmonrealgonzalez:branches:Java:packages
- Fix arch dependent macros in noarch package [bsc#1109539]

OBS-URL: https://build.opensuse.org/request/show/746071
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=54
2019-11-06 18:44:40 +00:00
Tomáš Chvátal
f70e0bf39f Accepting request 737921 from home:pmonrealgonzalez:branches:Java:packages
- Update pom files with those from Maven repository.

OBS-URL: https://build.opensuse.org/request/show/737921
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=52
2019-10-14 06:56:12 +00:00
Fridrich Strba
daf896ac30 Accepting request 737444 from home:pmonrealgonzalez:branches:Java:packages
- Version update to 1.64 [bsc#1153385, CVE-2019-17359]
  [bsc#1096291, CVE-2018-1000180][bsc#1100694, CVE-2018-1000613]
  * Security Advisory:
    - CVE-2019-17359: A change to the ASN.1 parser in 1.63 introduced
      a regression that can cause an OutOfMemoryError to occur on
      parsing ASN.1 data.
  * Defects Fixed:
    - OpenSSH: Fixed padding in generated Ed25519 private keys.
    - GOST3410-2012-512 now uses the GOST3411-2012-256 as its KDF digest.
    - Validation of headers in PemReader now looks for tailing dashes in header.
    - Some compatibility issues around the signature encryption algorithm
      field in CMS SignedData and the GOST algorithms have been addressed.
  * Additional Features and Functionality:
    - PKCS12 key stores containing only certificates can now be created
      without the need to provide passwords.
    - BCJSSE: Initial support for AlgorithmConstraints; protocol versions
      and cipher suites.
    - BCJSSE: Initial support for 'jdk.tls.disabledAlgorithms'; protocol
      versions and cipher suites.
    - BCJSSE: Add SecurityManager check to access session context.
    - BCJSSE: Improved SunJSSE compatibility of the NULL_SESSION.
    - BCJSSE: SSLContext algorithms updated for SunJSSE compatibility
      (default enabled protocols).
    - The digest functions Haraka-256 and Haraka-512 have been added to
      the provider and the light-weight API
    - XMSS/XMSS^MT key management now allows for allocating subsets of the
      private key space using the extraKeyShard() method. Use of
      StateAwareSignature is now deprecated.
    - Support for Java 11's NamedParameterSpec class has been added
      (using reflection) to the EC and EdEC KeyPairGenerator implementations.

OBS-URL: https://build.opensuse.org/request/show/737444
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=51
2019-10-11 10:59:50 +00:00
Fridrich Strba
860a2da908 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=49 2019-09-25 04:06:30 +00:00
Fridrich Strba
a0ba9364d9 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=48 2019-09-24 17:12:45 +00:00
Fridrich Strba
d243b119b9 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=47 2019-09-24 16:36:50 +00:00
Fridrich Strba
7b7d8aad80 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=46 2019-09-24 15:36:03 +00:00
Tomáš Chvátal
0a13462ec2 Accepting request 635776 from home:pmonrealgonzalez:branches:Java:packages
* CVE-2018-1000180: issue around primality tests for RSA key pair generation
    if done using only the low-level API [bsc#1096291]

OBS-URL: https://build.opensuse.org/request/show/635776
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=44
2018-09-14 18:50:05 +00:00
Tomáš Chvátal
8251734ae4 - Version update to 1.59:
* CVE-2016-1000338: Fix DSA ASN.1 validation during encoding of
    signature on verification (boo#1095722).
  * CVE-2016-1000339: Fix AESEngine key information leak via lookup
    table accesses (boo#1095853).
  * CVE-2016-1000340: Fix carry propagation bugs in the
    implementation of squaring for several raw math classes
    (boo#1095854).
  * CVE-2016-1000341: Fix DSA signature generation vulnerability to
    timing attack (boo#1095852).
  * CVE-2016-1000342: Fix ECDSA ASN.1 validation during encoding of
    signature on verification (boo#1095850).
  * CVE-2016-1000343: Fix weak default settings for private DSA key
    pair generation (boo#1095849).
  * CVE-2016-1000344: Remove DHIES from the provider to disable the
    unsafe usage of ECB mode (boo#1096026).
  * CVE-2016-1000345: Fix DHIES/ECIES CBC mode padding oracle
    attack (boo#1096025).
  * CVE-2016-1000346: Fix other party DH public key validation
    (boo#1096024).
  * CVE-2016-1000352: Remove ECIES from the provider to disable the
    unsafe usage of ECB mode (boo#1096022).
- bump target to 1.6

OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=42
2018-07-19 10:30:58 +00:00
Tomáš Chvátal
090feffdfa * CVE-2016-1000338: Fix DSA ASN.1 validation during encoding of
    signature on verification (boo#1095722).
  * CVE-2016-1000339: Fix AESEngine key information leak via lookup
    table accesses (boo#1095853).
  * CVE-2016-1000340: Fix carry propagation bugs in the
    implementation of squaring for several raw math classes
    (boo#1095854).
  * CVE-2016-1000341: Fix DSA signature generation vulnerability to
    timing attack (boo#1095852).
  * CVE-2016-1000342: Fix ECDSA ASN.1 validation during encoding of
    signature on verification (boo#1095850).
  * CVE-2016-1000343: Fix weak default settings for private DSA key
    pair generation (boo#1095849).
  * CVE-2016-1000344: Remove DHIES from the provider to disable the
    unsafe usage of ECB mode (boo#1096026).
  * CVE-2016-1000345: Fix DHIES/ECIES CBC mode padding oracle
    attack (boo#1096025).
  * CVE-2016-1000346: Fix other party DH public key validation
    (boo#1096024).
  * CVE-2016-1000352: Remove ECIES from the provider to disable the
    unsafe usage of ECB mode (boo#1096022).

OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=41
2018-07-19 10:29:31 +00:00
Tomáš Chvátal
3732846574 - Version update to 1.60 bsc#1100694:
* CVE-2018-1000613 Use of Externally-Controlled Input to Select Classes or Code
  * Release notes:
    http://www.bouncycastle.org/releasenotes.html

OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=40
2018-07-19 10:27:49 +00:00
Tomáš Chvátal
fc7e760697 Accepting request 616094 from home:abergmann:branches:Java:packages
- Version update to 1.59: 
  * CVE-2017-13098: Fix against Bleichenbacher oracle when not
    using the lightweight APIs (boo#1072697).
  * Release notes:
    http://www.bouncycastle.org/releasenotes.html
- Removed patch:
  * ambiguous-reseed.patch

OBS-URL: https://build.opensuse.org/request/show/616094
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=38
2018-06-11 17:11:15 +00:00
Fridrich Strba
ee751cb7dd OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=37 2018-05-17 19:52:34 +00:00
Fridrich Strba
29bb0c3954 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=36 2018-05-15 17:45:32 +00:00
Fridrich Strba
5f6294423a Update to 1.58
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=34
2017-09-15 07:30:46 +00:00
Fridrich Strba
b5841290e1 OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=32 2017-09-07 13:05:15 +00:00
Tomáš Chvátal
d409fe03c2 Accepting request 496612 from home:pcervinka:branches:Java:packages
- New build dependency: javapackages-local
- Fixed requires
- Spec file cleaned

OBS-URL: https://build.opensuse.org/request/show/496612
OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=30
2017-05-19 11:13:45 +00:00
Tomáš Chvátal
9998a3d8e3 - Version update to 1.54:
* No obvious changelog to be found
  * Fixes bnc#967521 CVE-2015-7575

OBS-URL: https://build.opensuse.org/package/show/Java:packages/bouncycastle?expand=0&rev=28
2016-02-20 08:37:37 +00:00