Details
Task
Resolution: Fixed
Major
9.7
None
Description
See https://www.bouncycastle.org/releasenotes.html
= Defects Fixed
* NewHope and SPHINCS keys are now correctly created from certificates by the BC provider.
* Use of the seeded constructor with SecureRandom() and the BC provider in first position could cause a stack overflow error. This has been fixed.
* The boolean flag on ECDSAPublicKey in CVCertificate was hard coded. This has been fixed.
* An edge condition in IV processing for GOFB mode has been found and fixed.
* ANSSI named EC curves were not being recognised in PKCS#10 and certificate parsing. This has been fixed.
* BaseStreamCipher.engineSetMode() could sometimes throw an IllegalArgumentException rather than a NoSuchAlgorithmException. This has been fixed.
* Some class resolving used by the provider would fail if the BC jar was loaded on the boot class path. This has been fixed.
* An off-by-one range check in SM2Signer has been fixed.
* Retrieving an SM2 key from a certificate could result in a NullPointerException due to a problem with the curve lookup. This has been fixed.
* DTLS now supports records containing multiple handshake messages.
= Additional Features and Functionality
* An implementation of GOST3410-2012 has been added to the lightweight API and the JCA provider.
* Support for ECDH with GOST3410-2012 and GOST3410-2001 has been added. The CMS API can also handle reading ECDH GOST3410 key transport messages.
* Additional mappings have been added for a range of CVC-ECDSA algorithms.
* XMSS and XMSSMT are now available via the BCPQC provider. Support has been added for using these keys in certificates as well.
* Support has been added for the DSTU-7564 message digest and the DSTU-7624 ciphers, together with their associated modes.
* A new system property, org.bouncycastle.asn1.allow_unsafe_integer, has been added to allow parsing of malformed ASN.1 integers in a similar fashion to BC 1.56. The default behaviour remains to reject malformed integers.
* SignedMailValidator would only pick up the first email address in a DN, even when there was more than one. This has been fixed.
* PEMParser now supports a broader range of PBKDFs in encrypted private key files.
* Work has been done on speeding up the SHA-3 family. The functions are now 3 to 4 times faster.
* Some EC aliases in the provider had no corresponding implementations. These have been cleaned up.
* TimeStampResponses now support definite-length encoding to allow the preservation of order in certificate sets for legacy responses.
* The TSP API now supports SM2withSM3.
* The BCJSSE provider now has a FIPS mode.
* The BCJSSE provider now supports layered sockets.
* The new TLS API now has protocol/API support for the status_request extension (OCSP stapling).
* The new TLS API now supports RFC 7633 - X.509v3 TLS Feature Extension (e.g. "must staple"), enabled in default clients.
* TLS exceptions have been made more directly informative.
= Removed Features and Functionality
* Per RFC 7465, removed support for RC4 in the new TLS API.
* Per RFC 7568, removed support for SSLv3 in the new TLS API.
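The org.bouncycastle.asn1.allow_unsafe_integer property mentioned above is the one item in these notes with a direct parsing-strictness trade-off, so here is an added illustration of what it switches. This is example code written for this issue, not part of the Bouncy Castle release notes or the project's own code; it assumes bcprov 1.57 or later on the classpath. The two DER byte strings are constructed test vectors, and the class name UnsafeIntegerDemo and the helper tryParse are names chosen here.

```java
import java.io.IOException;

import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Primitive;

public class UnsafeIntegerDemo {

    // Constructed test vectors (not from the release notes). Both represent the value 1,
    // but the first is a non-minimal encoding: a leading 0x00 octet before a byte whose
    // high bit is already clear, which X.690 DER forbids. BC 1.57 rejects it by default.
    static final byte[] MALFORMED_ONE   = { 0x02, 0x02, 0x00, 0x01 };
    static final byte[] WELL_FORMED_ONE = { 0x02, 0x01, 0x01 };

    /** Parses a DER INTEGER and reports whether BC accepted or rejected the encoding. */
    static String tryParse(byte[] der) {
        try {
            ASN1Integer value = (ASN1Integer) ASN1Primitive.fromByteArray(der);
            return "accepted: " + value.getValue();
        } catch (IllegalArgumentException | IOException e) {
            // Depending on the entry point the rejection surfaces either as the
            // IllegalArgumentException("malformed integer") itself or wrapped in an
            // ASN1Exception (an IOException) by ASN1InputStream; report the root cause.
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            return "rejected: " + root.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("well-formed    : " + tryParse(WELL_FORMED_ONE));
        System.out.println("malformed      : " + tryParse(MALFORMED_ONE)); // rejected by default

        // Opt back in to the BC 1.56 behaviour. In practice this is set at JVM start with
        // -Dorg.bouncycastle.asn1.allow_unsafe_integer=true; it is set here only for the demo.
        System.setProperty("org.bouncycastle.asn1.allow_unsafe_integer", "true");
        System.out.println("malformed+prop : " + tryParse(MALFORMED_ONE)); // now accepted as 1

        System.clearProperty("org.bouncycastle.asn1.allow_unsafe_integer");
    }
}
```

The default (reject) is the one to keep: a non-minimal INTEGER encoding is exactly the kind of ambiguity that lets two parsers read the same structure differently, so the property is best treated as a temporary compatibility switch for inputs that BC 1.56 used to accept, not as a permanent setting.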