Revisions of bouncycastle
Fridrich Strba (fstrba) committed (revision 65)
Fridrich Strba (fstrba) committed (revision 64)
buildservice-autocommit accepted request 857871 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 63)
baserev update by copy to link target
Pedro Monreal Gonzalez (pmonrealgonzalez) accepted request 857837 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 62)
- Version update to 1.67 [bsc#1180215, CVE-2020-28052]
  * CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password
  * Defects Fixed:
    - BCJSSE: SunJSSE compatibility fix - override of getChannel() removed and 'urgent data' behaviour should now conform to what the SunJSSE expects
    - Nested BER data could sometimes cause issues in octet strings
    - Certificates/CRLs with short signatures could cause an exception in toString() in the BC X509 Certificate implementation
    - In line with latest changes in the JVM, SignatureSpis which don't require parameters now return null on engineGetParameters()
    - The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey where it can on requests for a KeySpec based on an RSAPrivateKey
    - CMSTypedStream$FullReaderStream now handles zero length reads correctly
    - Unnecessary padding was added on KMAC when the key string was block aligned
    - Zero length data would cause an unexpected exception from RFC5649WrapEngine
    - OpenBSDBcrypt was failing to handle some valid prefixes
  * Additional Features and Functionality
    - Performance improvement of Argon2 and Noekeon
    - A setSessionKeyObfuscation() method has been added to PublicKeyKeyEncryptionMethodGenerator to allow turning off of session key obfuscation (default is on, method primarily to get around early version GPG issues with AES-128 keys)
    - Implemented 'safegcd' constant-time modular inversion (as well as a variable-time variant). It has replaced Fermat inversion in all our EC code, and BigInteger.modInverse in several other places, particularly signers. This improves side-channel protection, and also gives a significant performance boost
    - Performance of custom binary ECC curves and Edwards Curves has been improved
buildservice-autocommit accepted request 823297 from Fridrich Strba (fstrba) (revision 61)
baserev update by copy to link target
Fridrich Strba (fstrba) accepted request 823216 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 60)
- Version update to 1.66
  * Defects Fixed:
    - EdDSA verifiers now reset correctly after rejecting overly long signatures.
    - BCJSSE: SSLSession.getPeerCertificateChain could throw NullPointerException.
    - qTESLA-I verifier would reject some valid signatures.
    - qTESLA verifiers now reject overly long signatures.
    - PGP regression caused failure to preserve existing version header when headers were reset.
    - PKIXNameConstraintValidator had a bad cast preventing use of multiple OtherName constraints.
    - Serialisation of the non-CRT RSA Private Key could cause a NullPointerException.
    - An extra 4 bytes was included in the start of HSS public key encodings.
    - CMS with Ed448 using a direct signature was using id-shake256-len rather than id-shake256.
    - Use of GCMParameterSpec could cause an AccessControlException under some circumstances.
    - DTLS: Fixed high-latency HelloVerifyRequest handshakes.
    - An encoding bug for rightEncoded() in KMAC has been fixed.
    - For a few values the cSHAKE implementation would add unnecessary pad bytes where the N and S strings produced encoded data that was block aligned.
    - There were a few circumstances where Argon2BytesGenerator might hit an unexpected null. These have been removed.
  * Additional Features and Functionality
    - The qTESLA signature algorithm has been updated to v2.8 (20191108).
    - BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension.
    - Support has been added for "ocsp.enable", "ocsp.responderURL" and PKIXRevocationChecker for users of Java 8 and later.
    - Support has been added for "org.bouncycastle.x509.enableCRLDP" to the PKIX validator.
    - BCJSSE: Now supports system property 'jsse.enableFFDHE'
    - BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes'
buildservice-autocommit accepted request 798864 from Fridrich Strba (fstrba) (revision 59)
baserev update by copy to link target
Fridrich Strba (fstrba) accepted request 798842 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 58)
- Version update to 1.65
  * Defects Fixed:
    - DLExternal would encode using DER encoding for tagged SETs.
    - ChaCha20Poly1305 could fail for large (>~2GB) files.
    - ChaCha20Poly1305 could fail for small updates when used via the provider.
    - Properties.getPropertyValue could ignore system property when other local overrides set.
    - The entropy gathering thread was not running in daemon mode, meaning there could be a delay in an application shutting down due to it.
    - A recent change in Java 11 could cause an exception with the BC Provider's implementation of PSS.
    - BCJSSE: TrustManager now tolerates having no trusted certificates.
    - BCJSSE: Choice of credentials and signing algorithm now respect the peer's signature_algorithms extension properly.
    - BCJSSE: KeyManager for KeyStoreBuilderParameters no longer leaks memory.
  * Additional Features and Functionality:
    - LMS and HSS (RFC 8554) support has been added to the low level library and the PQC provider.
    - SipHash128 support has been added to the low level library and the JCE provider.
    - BCJSSE: BC API now supports explicitly specifying the session to resume.
    - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).
    - BCJSSE: Added support for extended_master_secret system properties: jdk.tls.allowLegacyMasterSecret, jdk.tls.allowLegacyResumption, jdk.tls.useExtendedMasterSecret.
    - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).
    - BCJSSE: KeyManager and TrustManager now check algorithm constraints for keys and certificate chains.
    - BCJSSE: KeyManager selection of server credentials now prefers matching
buildservice-autocommit accepted request 788316 from Fridrich Strba (fstrba) (revision 57)
baserev update by copy to link target
Fridrich Strba (fstrba) committed (revision 56)
buildservice-autocommit accepted request 746073 from Tomáš Chvátal (scarabeus_iv) (revision 55)
baserev update by copy to link target
Tomáš Chvátal (scarabeus_iv) accepted request 746071 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 54)
- Fix arch dependent macros in noarch package [bsc#1109539]
buildservice-autocommit accepted request 738177 from Tomáš Chvátal (scarabeus_iv) (revision 53)
baserev update by copy to link target
Tomáš Chvátal (scarabeus_iv) accepted request 737921 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 52)
- Update pom files with those from Maven repository.
Fridrich Strba (fstrba) accepted request 737444 from Pedro Monreal Gonzalez (pmonrealgonzalez) (revision 51)
- Version update to 1.64 [bsc#1153385, CVE-2019-17359] [bsc#1096291, CVE-2018-1000180] [bsc#1100694, CVE-2018-1000613]
  * Security Advisory:
    - CVE-2019-17359: A change to the ASN.1 parser in 1.63 introduced a regression that can cause an OutOfMemoryError to occur on parsing ASN.1 data.
  * Defects Fixed:
    - OpenSSH: Fixed padding in generated Ed25519 private keys.
    - GOST3410-2012-512 now uses the GOST3411-2012-256 as its KDF digest.
    - Validation of headers in PemReader now looks for trailing dashes in header.
    - Some compatibility issues around the signature encryption algorithm field in CMS SignedData and the GOST algorithms have been addressed.
  * Additional Features and Functionality:
    - PKCS12 key stores containing only certificates can now be created without the need to provide passwords.
    - BCJSSE: Initial support for AlgorithmConstraints; protocol versions and cipher suites.
    - BCJSSE: Initial support for 'jdk.tls.disabledAlgorithms'; protocol versions and cipher suites.
    - BCJSSE: Add SecurityManager check to access session context.
    - BCJSSE: Improved SunJSSE compatibility of the NULL_SESSION.
    - BCJSSE: SSLContext algorithms updated for SunJSSE compatibility (default enabled protocols).
    - The digest functions Haraka-256 and Haraka-512 have been added to the provider and the light-weight API
    - XMSS/XMSS^MT key management now allows for allocating subsets of the private key space using the extraKeyShard() method. Use of StateAwareSignature is now deprecated.
    - Support for Java 11's NamedParameterSpec class has been added (using reflection) to the EC and EdEC KeyPairGenerator implementations.
buildservice-autocommit accepted request 733042 from Fridrich Strba (fstrba) (revision 50)
baserev update by copy to link target
Fridrich Strba (fstrba) committed (revision 49)
Fridrich Strba (fstrba) committed (revision 48)
Fridrich Strba (fstrba) committed (revision 47)
Fridrich Strba (fstrba) committed (revision 46)