Uploaded image for project: 'XWiki Commons'
  1. XWiki Commons
  2. XCOMMONS-1244

Upgrade to Bouncy Castle 1.58



    • Task
    • Resolution: Fixed
    • Major
    • 9.8-rc-1
    • 9.7
    • Dependency Upgrades
    • None
    • N/A


      See https://www.bouncycastle.org/releasenotes.html

      = Defects Fixed
          * NewHope and SPHINCS keys are now correctly created off certificates by the BC provider.
          * Use of the seeded constructor with SecureRandom() and the BC provider in first position could cause a stack overflow error. This has been fixed.
          * The boolean flag on ECDSAPublicKey in CVCertficate was hard coded. This has been fixed.
          * An edge condition in IV processing for GOFB mode has been found and fixed.
          * ANSSI named EC curves were not being recognised in PKCS#10 and certificate parsing. This has been fixed.
          * BaseStreamCipher.engineSetMode() could sometimes throw an IllegalArgumentException rather than a NoSuchAlgorithmException. This has been fixed.
          * Some class resolving used by the provider would fail if the BC jar was loaded on the boot class path. This has been fixed.
          * An off-by-one range check in SM2Signer has been fixed.
          * Retrieving an SM2 key from a certificate could result in a NullPointerException due to a problem with the curve lookup. This has been fixed.
          * DTLS now supports records containing multiple handshake messages.
      = Additional Features and Functionality
          * An implementation of GOST3410-2012 has been added to light weight API and the JCA provider.
          * Support for ECDH GOST3410-2012 and GOST3410-2001 have been added. The CMS API can also handle reading ECDH GOST3410 key transport messages.
          * Additional mappings have been added for a range of CVC-ECDSA algorithms.
          * XMMS and XMSSMT are now available via the BCPQC provider. Support has been added for using these keys in certificates as well.
          * Support has been added for DSTU-7564 message digest and the DSTU-7624 ciphers, together with their associated modes.
          * A new system property org.bouncycastle.asn1.allow_unsafe_integer has been added to allow parsing of malformed ASN.1 integers in a similar fashion to what BC 1.56 did. The default behavior remains as reject malformed integers.
          * SignedMailValidator would only pick up the first email address in a DN, even when there was more than one. This has been fixed.
          * PEMParser will now support a broader range of PBKDFs in encrypted private key files.
          * Work has been done on speeding up the SHA-3 family. The functions are now 3 to 4 times faster.
          * Some EC aliases in the provider had no corresponding implementations. These have been cleaned up.
          * TimeStampResponses now support definite-length encoding to allow the preservation of order in certificates sets for legacy responses.
          * The TSP API now supports SM2withSM3.
          * The BCJSSE provider now has a FIPS mode.
          * The BCJSSE provider now supports layered sockets.
          * The new TLS API now has protocol/API support for the status_request extension (OCSP stapling).
          * The new TLS API now supports RFC 7633 - X.509v3 TLS Feature Extension (e.g. "must staple"), enabled in default clients.
          * TLS exceptions have been made more directly informative.
      = Removed Features and Functionality
          * Per RFC 7465, removed support for RC4 in the new TLS API.
          * Per RFC 7568, removed support for SSLv3 in the new TLS API.




            tmortagne Thomas Mortagne
            tmortagne Thomas Mortagne
            0 Vote for this issue
            1 Start watching this issue