A class cast exception for master certification removal in PGPPublicKey.removeCertification() by certification has been fixed.
GOST GOFB 28147-89 mode had an edge condition concerning the incorrect calculation of N4 (see section 6.1 of RFC 5830) affecting about 1% of IVs. This has been fixed.
The X.509 PolicyConstraints class was using implicit rather than explicit tagging for the SkipCerts field. This has been fixed.
Key expiration in the OpenPGP API is now calculated for ambiguous self-signatures using the most recently created self-signature, in line with GPG and the recommendation in RFC 4880.
Multiple validity periods in PGP keys were previously resolved in an ad hoc fashion. In line with GPG's approach, the PGP API has been changed to return the most recently signed validity period.
An occasional class cast exception that could occur with nested multi-parts in the S/MIME API has been fixed.
A couple of bogus aliases associated with AlgorithmParameters that did not resolve in the provider have been removed.
The CMS API will now correctly verify PSS signatures with odd length salts.
Choosing an invalid mode on a stream cipher in the JCE could result in an IllegalArgumentException. This has now been corrected to throw a NoSuchAlgorithmException.
Optional parameters for ECDSA public keys in CVCertificates were hard coded to non-optional. This has been fixed.
Passing a PKCS12 key to a Mac in the BC JCE always resulted in SHA-1 being used to process the password regardless of the underlying MAC algorithm. This has been fixed. An unrecognised HMAC will also now result in an exception.
The Base64 encoder now explicitly validates 2 character padding as being "==".
The EC FixedPointCombMultiplier now avoids the point at infinity in its lookup tables, reducing timing side-channels.
Reuse of a Blake2b digest with a call to reset() rather than doFinal() could result in incorrect padding being introduced and the wrong digest result produced. This has been fixed.
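As an added illustration of the reset() behaviour described above (example code written here, not taken from the Bouncy Castle release or its test suite), the following Java program hashes a constructed message with a fresh Blake2bDigest and again with an instance that was first fed an unrelated prefix and then reset(); on a fixed build the two digests must match, and the check fails loudly if they do not:

```java
import org.bouncycastle.crypto.digests.Blake2bDigest;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.encoders.Hex;

public class Blake2bReuseCheck {
    // Reference result: hash the input with a brand-new digest instance.
    static byte[] hashFresh(byte[] input) {
        Blake2bDigest d = new Blake2bDigest(256);          // 256-bit output
        d.update(input, 0, input.length);
        byte[] out = new byte[d.getDigestSize()];
        d.doFinal(out, 0);
        return out;
    }

    // Reuse path: feed an abandoned prefix, call reset() instead of doFinal(),
    // then hash the real input. Must equal hashFresh(input).
    static byte[] hashAfterReset(byte[] abandonedPrefix, byte[] input) {
        Blake2bDigest d = new Blake2bDigest(256);
        d.update(abandonedPrefix, 0, abandonedPrefix.length);
        d.reset();                                         // discard partial state
        d.update(input, 0, input.length);
        byte[] out = new byte[d.getDigestSize()];
        d.doFinal(out, 0);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs for the demonstration.
        byte[] msg = "constructed sample message".getBytes("UTF-8");
        byte[] prefix = "abandoned prefix".getBytes("UTF-8");

        byte[] expected = hashFresh(msg);
        byte[] reused = hashAfterReset(prefix, msg);
        System.out.println("fresh : " + Hex.toHexString(expected));
        System.out.println("reused: " + Hex.toHexString(reused));

        if (!Arrays.constantTimeAreEqual(expected, reused)) {
            throw new IllegalStateException(
                "Blake2b reset() reuse produced a different digest: update Bouncy Castle");
        }
    }
}
```

The check is cheap enough to keep as a unit test in code that pools or reuses digest instances, since the original defect only showed up on the reuse path and would pass any test that hashes with a fresh instance each time.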
Additional Features and Functionality
ARIA (RFC 5794) is now supported by the provider and the lightweight API.
ARIA Key Wrapping (RFC 5649 style) is now supported by the provider and the lightweight API.
SM2 signatures, key exchange, and public key encryption have been added to the lightweight API.
XMSS has been added to the lightweight PQ API. Note: this should be treated as beta code.
API support for client side EST (RFC 7030), as well as some CMC (RFC 5273) has been added to the PKIX API. A full set of ASN.1 classes for both protocols has been added as well.
A test client for EST which will interop with the 7030 test server at http://testrfc7030.com/ has been added to the general test module in the current source tree.
The BCJSSE provider now supports SSLContext.getDefault(), with very similar behaviour to the SunJSSE provider, including checks of the relevant javax.net.ssl.* system properties and auto-loading of jssecacerts or cacerts as the default trust store.
Security Related Changes
The default parameter sizes for DH and DSA are now 2048 bits. If you have been relying on key pair generation without passing in parameters, generated keys will now be larger.
Further work has been done on preventing accidental re-use of a GCM cipher without first changing its key or IV.
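Two added Java examples for the security-related changes above (written here, not Bouncy Castle's own code). The first shows the practitioner's response to the DH/DSA default change: pin the key size explicitly instead of relying on a provider default, and reject DH/DSA keys below an assumed 2048-bit policy wherever keys enter the application. The 2048-bit minimum and the SecurityException are this example's own policy choices.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Security;
import java.security.interfaces.DSAPublicKey;
import javax.crypto.interfaces.DHPublicKey;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class KeyStrengthCheck {
    // Minimum modulus size this application accepts for DH and DSA (assumed policy).
    static final int MIN_BITS = 2048;

    // Bit length of the prime modulus p for DSA or DH public keys; -1 for other key types.
    static int modulusBits(PublicKey pub) {
        if (pub instanceof DSAPublicKey) {
            return ((DSAPublicKey) pub).getParams().getP().bitLength();
        }
        if (pub instanceof DHPublicKey) {
            return ((DHPublicKey) pub).getParams().getP().bitLength();
        }
        return -1;
    }

    // Rejects DH/DSA keys weaker than MIN_BITS; key types not covered pass through unchanged.
    static PublicKey requireStrong(PublicKey pub) {
        int bits = modulusBits(pub);
        if (bits != -1 && bits < MIN_BITS) {
            throw new SecurityException(pub.getAlgorithm() + " key uses a " + bits
                + "-bit modulus; at least " + MIN_BITS + " bits required");
        }
        return pub;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // Pin the size explicitly so the result does not depend on a release's default.
        // DSA parameter generation at 2048 bits can take noticeable time if the
        // provider has no cached parameters for that size.
        KeyPairGenerator dsaGen = KeyPairGenerator.getInstance("DSA", "BC");
        dsaGen.initialize(MIN_BITS);
        KeyPair dsa = dsaGen.generateKeyPair();

        PublicKey pub = requireStrong(dsa.getPublic());
        System.out.println("DSA modulus: " + modulusBits(pub) + " bits");
    }
}
```

The second example addresses the GCM re-use item with the lightweight API: every message is sealed under a freshly drawn 96-bit nonce that is carried in front of the ciphertext, and a probe method shows the library's guard in action by re-initialising a cipher for encryption with an unchanged key and nonce, which Bouncy Castle refuses with an IllegalArgumentException. The key, AAD and plaintext are constructed for the demonstration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.modes.GCMBlockCipher;
import org.bouncycastle.crypto.params.AEADParameters;
import org.bouncycastle.crypto.params.KeyParameter;

public class GcmNonceDiscipline {
    static final int NONCE_BYTES = 12;   // 96-bit nonce, the recommended GCM nonce size
    static final int TAG_BITS = 128;
    static final SecureRandom RNG = new SecureRandom();

    // Encrypts one message under a fresh random nonce; returns nonce || ciphertext || tag.
    static byte[] seal(byte[] key, byte[] aad, byte[] plaintext) throws InvalidCipherTextException {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        GCMBlockCipher gcm = new GCMBlockCipher(new AESEngine());
        gcm.init(true, new AEADParameters(new KeyParameter(key), TAG_BITS, nonce, aad));
        byte[] out = new byte[NONCE_BYTES + gcm.getOutputSize(plaintext.length)];
        System.arraycopy(nonce, 0, out, 0, NONCE_BYTES);
        int len = gcm.processBytes(plaintext, 0, plaintext.length, out, NONCE_BYTES);
        gcm.doFinal(out, NONCE_BYTES + len);
        return out;
    }

    // Decrypts nonce || ciphertext || tag; a wrong key, wrong AAD or tampered
    // data surfaces as InvalidCipherTextException from doFinal().
    static byte[] open(byte[] key, byte[] aad, byte[] sealed) throws InvalidCipherTextException {
        byte[] nonce = Arrays.copyOfRange(sealed, 0, NONCE_BYTES);
        GCMBlockCipher gcm = new GCMBlockCipher(new AESEngine());
        gcm.init(false, new AEADParameters(new KeyParameter(key), TAG_BITS, nonce, aad));
        int ctLen = sealed.length - NONCE_BYTES;
        byte[] out = new byte[gcm.getOutputSize(ctLen)];
        int len = gcm.processBytes(sealed, NONCE_BYTES, ctLen, out, 0);
        len += gcm.doFinal(out, len);
        return Arrays.copyOf(out, len);
    }

    // Probes the library guard: a second encrypt init with the same key and nonce
    // on the same instance is expected to be refused.
    static boolean reuseRejected(byte[] key, byte[] nonce) {
        GCMBlockCipher gcm = new GCMBlockCipher(new AESEngine());
        AEADParameters params = new AEADParameters(new KeyParameter(key), TAG_BITS, nonce);
        gcm.init(true, params);
        try {
            gcm.init(true, params);
            return false;
        } catch (IllegalArgumentException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];           // constructed demo key; derive or load real keys properly
        RNG.nextBytes(key);
        byte[] aad = "header-v1".getBytes("UTF-8");
        byte[] msg = "constructed sample plaintext".getBytes("UTF-8");

        byte[] sealed1 = seal(key, aad, msg);
        byte[] sealed2 = seal(key, aad, msg);
        // Same key and plaintext, different nonce: the two ciphertexts must differ.
        System.out.println("distinct ciphertexts: " + !Arrays.equals(sealed1, sealed2));
        System.out.println("round trip ok: " + Arrays.equals(msg, open(key, aad, sealed1)));
        System.out.println("reuse rejected: "
            + reuseRejected(key, Arrays.copyOfRange(sealed1, 0, NONCE_BYTES)));
    }
}
```

The library guard only catches re-use on a single cipher instance; it cannot see a nonce repeated across instances or processes, so the per-message random nonce in seal() (or a strictly increasing counter bound to the key) remains the application's responsibility.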