Accepting request 1253095 from Java:packages

bsc#1239551, CVE-2020-36843

OBS-URL: https://build.opensuse.org/request/show/1253095
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ed25519-java?expand=0&rev=6

ed25519-java-CVE-2020-36843.patch

@@ -0,0 +1,39 @@
+--- ed25519-java-0.3.0/src/net/i2p/crypto/eddsa/EdDSAEngine.java	2025-03-14 14:47:43.404137953 +0100
++++ ed25519-java-0.3.0/src/net/i2p/crypto/eddsa/EdDSAEngine.java	2025-03-14 14:50:31.859888550 +0100
+@@ -12,6 +12,7 @@
+ package net.i2p.crypto.eddsa;
+ 
+ import java.io.ByteArrayOutputStream;
++import java.math.BigInteger;
+ import java.nio.ByteBuffer;
+ import java.security.InvalidAlgorithmParameterException;
+ import java.security.InvalidKeyException;
+@@ -29,6 +30,7 @@
+ import net.i2p.crypto.eddsa.math.Curve;
+ import net.i2p.crypto.eddsa.math.GroupElement;
+ import net.i2p.crypto.eddsa.math.ScalarOps;
++import net.i2p.crypto.eddsa.math.bigint.BigIntegerLittleEndianEncoding;
+ 
+ /**
+  * Signing and verification for EdDSA.
+@@ -69,6 +71,8 @@
+ public final class EdDSAEngine extends Signature {
+     public static final String SIGNATURE_ALGORITHM = "NONEwithEdDSA";
+ 
++    private static final BigInteger ORDER = new BigInteger("2").pow(252).add(new BigInteger("27742317777372353535851937790883648493"));
++
+     private MessageDigest digest;
+     private ByteArrayOutputStream baos;
+     private EdDSAKey key;
+@@ -306,6 +310,11 @@
+         h = key.getParams().getScalarOps().reduce(h);
+ 
+         byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
++        // RFC 8032
++        BigInteger Sbigint = (new BigIntegerLittleEndianEncoding()).toBigInteger(Sbyte);
++        if (Sbigint.compareTo(ORDER) >= 0)
++            return false;
++ 
+         // R = SB - H(Rbar,Abar,M)A
+         GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
+                 ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);

ed25519-java-build.xml

@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project name="eddsa" default="package" basedir=".">
+
+  <!-- ====================================================================== -->
+  <!-- Build environment properties                                           -->
+  <!-- ====================================================================== -->
+
+  <property name="compiler.release" value="8"/>
+  <property name="compiler.source" value="1.${compiler.release}"/>
+  <property name="compiler.target" value="${compiler.source}"/>
+
+  <property name="project.groupId" value="net.i2p.crypto"/>
+  <property name="project.artifactId" value="eddsa"/>
+  <property name="project.version" value="0.3.0"/>
+
+  <property name="build.finalName" value="${project.artifactId}-${project.version}"/>
+  <property name="build.dir" value="target"/>
+  <property name="build.outputDir" value="${build.dir}/classes"/>
+  <property name="build.srcDir" value="src"/>
+
+  <property name="reporting.outputDirectory" value="${build.dir}/site"/>
+
+  <!-- ====================================================================== -->
+  <!-- Cleaning up target                                                     -->
+  <!-- ====================================================================== -->
+
+  <target name="clean" description="Clean the output directory">
+    <delete dir="${build.dir}"/>
+  </target>
+
+  <!-- ====================================================================== -->
+  <!-- Compilation target                                                     -->
+  <!-- ====================================================================== -->
+
+  <target name="compile" description="Compile the code">
+    <mkdir dir="${build.outputDir}"/>
+    <javac destdir="${build.outputDir}" 
+           encoding="UTF-8" 
+           nowarn="false" 
+           debug="true" 
+           optimize="false" 
+           deprecation="true" 
+           release="${compiler.release}"
+           target="${compiler.target}"
+           verbose="false"
+           fork="false"
+           source="${compiler.source}">
+      <src>
+        <pathelement location="${build.srcDir}"/>
+      </src>
+    </javac>
+  </target>
+
+  <!-- ====================================================================== -->
+  <!-- Javadoc target                                                         -->
+  <!-- ====================================================================== -->
+
+  <target name="javadoc" description="Generates the Javadoc of the application">
+    <javadoc sourcepath="${build.srcDir}" 
+             packagenames="*" 
+             destdir="${reporting.outputDirectory}/apidocs" 
+             access="protected" 
+             encoding="UTF-8" 
+             source="${compiler.source}"
+             verbose="false" 
+             version="true" 
+             use="true" 
+             author="true" 
+             splitindex="false" 
+             nodeprecated="false" 
+             nodeprecatedlist="false" 
+             notree="false" 
+             noindex="false" 
+             nohelp="false" 
+             nonavbar="false" 
+             serialwarn="false" 
+             linksource="false" 
+             breakiterator="false"/>
+  </target>
+
+  <!-- ====================================================================== -->
+  <!-- Package target                                                         -->
+  <!-- ====================================================================== -->
+
+  <target name="package" depends="compile" description="Package the application">
+    <jar jarfile="${build.dir}/${build.finalName}.jar" 
+         compress="true" 
+         index="false" 
+         basedir="${build.outputDir}" 
+         excludes="**/package.html">
+      <manifest>
+        <attribute name="Automatic-Module-Name" value="${project.groupId}.${project.artifactId}"/>
+        <attribute name="Bundle-Description" value="Implementation of EdDSA in Java"/>
+        <attribute name="Bundle-License" value="https://creativecommons.org/publicdomain/zero/1.0/"/>
+        <attribute name="Bundle-ManifestVersion" value="2"/>
+        <attribute name="Bundle-Name" value="EdDSA-Java"/>
+        <attribute name="Bundle-SymbolicName" value="${project.groupId}.${project.artifactId}"/>
+        <attribute name="Bundle-Version" value="${project.version}"/>
+        <attribute name="Export-Package" value="net.i2p.crypto.eddsa.spec;version=&quot;${project.version}&quot;,net.i2p.crypto.eddsa;uses:=&quot;net.i2p.crypto.eddsa.spec&quot;;version=&quot;${project.version}&quot;"/>
+        <attribute name="Import-Package" value="sun.security.x509;resolution:=optional"/>
+        <attribute name="JavaPackages-ArtifactId" value="${project.artifactId}"/>
+        <attribute name="JavaPackages-GroupId" value="${project.groupId}"/>
+        <attribute name="JavaPackages-Version" value="${project.version}"/>
+        <attribute name="Require-Capability" value="osgi.ee;filter:=&quot;(&amp;(osgi.ee=JavaSE)(version=${compiler.target}))&quot;"/>
+      </manifest>
+    </jar>
+  </target>
+
+  <!-- ====================================================================== -->
+  <!-- A dummy target for the package named after the type it creates         -->
+  <!-- ====================================================================== -->
+
+  <target name="jar" depends="package" description="Builds the jar for the application"/>
+
+</project>

ed25519-java.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Fri Mar 14 13:57:24 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Added patch:
+  * ed25519-java-CVE-2020-36843.patch
+    + backport commit https://github.com/i2p/i2p.i2p/commit/
+      /d7d1dcb5399c61cf2916ccc45aa25b0209c88712
+    + Fixes bsc#1239551, CVE-2020-36843: no check performed on
+      scalar to avoid signature malleability
+
+-------------------------------------------------------------------
+Wed Oct 30 09:18:41 UTC 2024 - Fridrich Strba <fstrba@suse.com>
+
+- Rewrite the build using ant
+
 -------------------------------------------------------------------
 Wed Feb 21 10:42:44 UTC 2024 - Gus Kenion <gus.kenion@suse.com>
 

ed25519-java.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ed25519-java
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,6 +16,7 @@
 #
 
 
+%global artifactId eddsa
 Name:           ed25519-java
 Version:        0.3.0
 Release:        0
@@ -23,12 +24,14 @@ Summary:        Implementation of EdDSA (Ed25519) in Java
 License:        CC0-1.0
 URL:            https://github.com/str4d/ed25519-java
 Source0:        https://github.com/str4d/ed25519-java/archive/v%{version}/%{name}-%{version}.tar.gz
+Source1:        %{name}-build.xml
 Patch0:         0001-EdDSAEngine.initVerify-Handle-any-non-EdDSAPublicKey.patch
 Patch1:         0002-Disable-test-that-relies-on-internal-sun-JDK-classes.patch
+Patch2:         %{name}-CVE-2020-36843.patch
+BuildRequires:  ant
 BuildRequires:  fdupes
 BuildRequires:  java-devel >= 1.8
-BuildRequires:  maven-local
-BuildRequires:  mvn(org.apache.felix:maven-bundle-plugin)
+BuildRequires:  javapackages-local >= 6
 BuildArch:      noarch
 
 %description
@@ -52,38 +55,38 @@ This package contains javadoc for %{name}.
 
 %prep
 %setup -q
+cp %{SOURCE1} build.xml
 %patch -P 0 -p1
 %patch -P 1 -p1
-
-# Unwanted tasks
-%pom_remove_plugin :maven-gpg-plugin
-%pom_remove_plugin :maven-javadoc-plugin
-%pom_remove_plugin :maven-source-plugin
-# Unavailable plugin
-%pom_remove_plugin :nexus-staging-maven-plugin
-# Make dep on sun.security.x509 optional, inject an Import-Package directive
-%pom_xpath_inject "pom:configuration/pom:instructions" \
-  "<Import-Package>sun.security.x509;resolution:=optional,*</Import-Package>"
-
-%{mvn_file} net.i2p.crypto:eddsa %{name} eddsa
+%patch -P 2 -p1
 
 %build
-%{mvn_build} -f -- \
-%if %{?pkg_vcmp:%pkg_vcmp java-devel >= 9}%{!?pkg_vcmp:0}
-    -Dmaven.compiler.release=8 \
-%endif
-    -Dproject.build.outputTimestamp=$(date -u -d @${SOURCE_DATE_EPOCH:-$(date +%%s)} +%%Y-%%m-%%dT%%H:%%M:%%SZ) \
-    -Dsource=8
+ant jar javadoc
 
 %install
-%mvn_install
+
+# jar
+install -dm 0755 %{buildroot}%{_javadir}
+install -pm 0644 target/%{artifactId}-%{version}.jar %{buildroot}%{_javadir}/%{artifactId}.jar
+ln -sf %{_javadir}/%{artifactId}.jar %{buildroot}%{_javadir}/%{name}.jar
+
+# pom
+install -dm 0755 %{buildroot}%{_mavenpomdir}
+%mvn_install_pom pom.xml %{buildroot}%{_mavenpomdir}/%{artifactId}.pom
+%add_maven_depmap %{artifactId}.pom %{artifactId}.jar
+
+# javadoc
+install -dm 0755 %{buildroot}%{_javadocdir}/%{name}
+cp -r target/site/apidocs/* %{buildroot}%{_javadocdir}/%{name}/
 %fdupes -s %{buildroot}%{_javadocdir}
 
 %files -f .mfiles
+%{_javadir}/%{name}.jar
 %doc README.md
 %license LICENSE.txt
 
-%files javadoc -f .mfiles-javadoc
+%files javadoc
+%{_javadocdir}/%{name}
 %license LICENSE.txt
 
 %changelog