XWiki Commons / XCOMMONS-2521

Upgrade to Bouncy Castle 1.72


Details

    • Type: Task
    • Resolution: Fixed
    • Priority: Major
    • Fix Version/s: 14.9-rc-1, 14.8-rc-1
    • Component/s: Dependency Upgrades
    • Labels: None
    • Difficulty: Unknown
    • Documentation in Release Notes: N/A

    Description

      See https://www.bouncycastle.org/releasenotes.html

      1.72

      Defects Fixed
      
          There were parameter errors in XMSS^MT OIDs for XMSSMT_SHA2_40/4_256 and XMSSMT_SHA2_60/3_256. These have been fixed.
          There was an error in Merkle tree construction for the Evidence Records (ERS) implementation which could result in invalid roots being timestamped. ERS now produces an ArchiveTimeStamp for each data object/group with an associated reduced hash tree. The reduced hash tree is now calculated as a simple path to the root of the tree for each record.
          OpenPGP will now ignore signatures marked as non-exportable on encoding.
          A tagging calculation error in GCMSIV which could result in incorrect tags has been fixed.
          Issues around Java 17 which could result in failing tests have been addressed.
      
      Additional Features and Functionality
      
          BCJSSE: TLS 1.3 is now enabled by default where no explicit protocols are supplied (e.g. "TLS" or "Default" SSLContext algorithms, or SSLContext.getDefault() method).
          BCJSSE: Rewrite SSLEngine implementation to improve compatibility with SunJSSE.
          BCJSSE: Support export of keying material via extension API.
          (D)TLS: Add support for 'tls-exporter' channel binding per RFC 9266.
          (D)TLS (low-level API): By default, only (D)TLS 1.2 and TLS 1.3 are offered now. Earlier versions are still supported if explicitly enabled. Users may need to check they are offering suitable cipher suites for TLS 1.3.
          (D)TLS (low-level API): Add support for raw public keys per RFC 7250.
          CryptoServicesRegistrar now has a setServicesConstraints() method on it which can be used to selectively turn off algorithms.
          The NIST PQC Alternate Candidate, Picnic, has been added to the low level API and the BCPQC provider.
          SPHINCS+ has been upgraded to the latest submission, SPHINCS+ 3.1 and support for Haraka has been added.
          Evidence records now support timestamp renewal and hash renewal.
          The SIKE Alternative Candidate NIST Post Quantum Algorithm has been added to the low-level PQC API.
          The NTRU Round 3 Finalist Candidate NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider.
          The Falcon Finalist NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider.
          The CRYSTALS-Kyber Finalist NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider.
          Argon2 Support has been added to the OpenPGP API.
          XDH IES has now been added to the BC provider.
          The OpenPGP API now supports AEAD encryption and decryption.
          The NTRU Prime Alternative Candidate NIST Post Quantum Algorithms have been added to the low-level API and the BCPQC provider.
          The CRYSTALS-Dilithium Finalist NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider.
          The BIKE NIST Post Quantum Alternative/Round-4 Candidate has been added to the low-level API and the BCPQC provider.
          The HQC NIST Post Quantum Alternative/Round-4 Candidate has been added to the low-level API and the BCPQC provider.
          Grain128AEAD has been added to the lightweight API.
          A fast version of CRC24 has been added for use with the PGP API.
          Some additional methods and fields have been exposed in the PGPOnePassSignature class to (hopefully) make it easier to deal with nested signatures.
          CMP support classes have been updated to reflect the latest editions to the draft RFC "Lightweight Certificate Management Protocol (CMP) Profile".
          Support has been added to the PKCS#12 implementation for the Oracle trusted certificate attribute.
          Performance of our BZIP2 classes has been improved.
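
      A post-upgrade check for the BCJSSE default-protocol change listed above. This is an added example, not XWiki or Bouncy Castle code: it assumes bcprov-jdk18on and bctls-jdk18on 1.72 are on the classpath, and the class name BcjsseDefaultProtocolsCheck is invented. It creates an SSLContext with the generic "TLS" algorithm name (the case the release note covers), reads back the protocols that context enables by default, and fails if TLS 1.3 is not among them, while flagging any pre-1.2 version that is still offered.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/**
 * Post-upgrade check: which TLS versions does a BCJSSE SSLContext created
 * with the plain "TLS" algorithm name enable by default?
 * Added example (hypothetical class); not XWiki or Bouncy Castle code.
 */
public class BcjsseDefaultProtocolsCheck
{
    public static List<String> defaultEnabledProtocols() throws Exception
    {
        // BCJSSE delegates the actual crypto to a JCA provider; BC itself is the usual choice.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        if (Security.getProvider(BouncyCastleJsseProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleJsseProvider());
        }

        // "TLS" with no explicit version list: exactly the situation the 1.72 note describes.
        SSLContext ctx = SSLContext.getInstance("TLS", BouncyCastleJsseProvider.PROVIDER_NAME);
        ctx.init(null, null, null); // default key managers, default trust store, default SecureRandom

        // The default parameters are what sockets/engines from this context will offer unless overridden.
        SSLParameters params = ctx.getDefaultSSLParameters();
        return Arrays.asList(params.getProtocols());
    }

    public static void main(String[] args) throws Exception
    {
        List<String> protocols = defaultEnabledProtocols();
        System.out.println("BCJSSE default protocols: " + protocols);

        if (!protocols.contains("TLSv1.3")) {
            throw new IllegalStateException(
                "TLS 1.3 is not enabled by default; check which bctls jar is actually on the classpath");
        }
        // Anything below TLS 1.2 still being offered is worth knowing about, even if the provider permits it.
        for (String p : protocols) {
            if (p.equals("TLSv1") || p.equals("TLSv1.1") || p.startsWith("SSL")) {
                System.out.println("WARNING: legacy protocol still enabled by default: " + p);
            }
        }
    }
}
```

      Run it once against the deployed classpath after the upgrade: if an older bctls jar is shadowing 1.72 (a common outcome of transitive dependency resolution), TLS 1.3 will be missing from the list and the check fails loudly instead of the change silently not taking effect.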
      
      Notes
      
      Keep in mind the PQC algorithms are still under development and we are still at least a year and a half away from published standards. This means the algorithms may still change, so by all means experiment, but do not use the PQC algorithms for anything long term.
      
      The legacy "Rainbow" and "McEliece" implementations have been removed from the BCPQC provider. The underlying classes are still present if required. Other legacy algorithm implementations can be found under the org.bouncycastle.pqc.legacy package.
      
      Security Notes
      
      The PQC SIKE algorithm is provided for research purposes only. It should now be regarded as broken. The SIKE implementation will be withdrawn in BC 1.73.
      

      1.71

      Defects Fixed
      
          In line with GPG, the PGP API now attempts to preserve comments containing non-ASCII UTF-8 characters.
          An accidental partial dependency on Java 1.7 has been removed from the TLS API.
          JcaPKIXIdentityBuilder would fail to process File objects correctly. This is now fixed.
          Some byte[] parameters to the CMP API were not being defensively cloned to prevent accidental changes. Extra defensive cloning has been added.
          CMS primitives would sometimes convert ASN.1 definite-length encodings into indefinite-length encodings. The primitives will now try and preserve the original encoding where possible.
          CMSSignedData.getAttributeCertificates() now properly restricts the tag values checked to just 1 (the obsolete v1 tag) and 2 (for the more current v2 certificates).
          BCJSSE now tries to validate a custom KeyManager selection in order to catch errors around a key manager ignoring key type early.
          Compressed streams in PGP ending with zero-length partial packets could cause parsing failures in the OpenPGP API. This has been fixed.
          The fallback mode for JceAsymmetricKeyWrapper/Unwrapper would lose track of any algorithm parameters generated in the initial attempt. The algorithm parameters are now propagated.
          An accidental regression introduced by a fix for another issue in PKIXCertPathReviewer around use of the AuthorityKeyIdentifier extension and it failing to match a certificate uniquely when the serial number field is missing has been fixed.
          An error was found in the creation of TLS 1.3 Export Keying Material which could cause compatibility issues. This has been fixed.
      
      Additional Features and Functionality
      
          Support has been added for OpenPGP regular expression signature packets.
          Support has been added for OpenPGP PolicyURI signature packets.
          A utility method has been added to PGPSecretKeyRing to allow for inserting or replacing a PGPPublicKey.
          The NIST PQC Finalist, Classic McEliece has been added to the low level API and the BCPQC provider.
          The NIST PQC Alternate Candidate, SPHINCS+ has been added to the BCPQC provider.
          The NIST PQC Alternate Candidate, FrodoKEM has been added to the low level API and the BCPQC provider.
          The NIST PQC Finalist, SABER has been added to the low level API and the BCPQC provider.
          KMAC128, KMAC256 has been added to the BC provider (empty customization string).
          TupleHash128, TupleHash256 has been added to the BC provider (empty customization string).
          ParallelHash128, ParallelHash256 has been added to the BC provider (empty customization string, block size 1024 bits).
          Two new properties: "org.bouncycastle.rsa.max_size" (default 15360) and "org.bouncycastle.ec.fp_max_size" (default 1042) have been added to cap the maximum size of RSA and EC keys.
          RSA moduli are now checked to be provably composite using the enhanced MR probable prime test.
          Imported EC Fp basis values are now validated against the MR prime number test before use. The certainty level of the prime test can be determined by "org.bouncycastle.ec.fp_certainty" (default 100).
          The BC entropy thread now has a specific name: "BC-ENTROPY-GATHERER".
          Utility methods have been added for joining/merging PGP public keys and signatures.
          Blake3-256 has been added to the BC provider.
          DTLS: optimisation to delayed handshake hash.
          Further additions to the ETSI 102 941 support in the ETSI/ITS package: certification request, signed message generation and verification now supported.
          CMSSignedDataGenerator now supports the direct generation of definite-length data.
          The NetscapeCertType class now has a hasUsages() method on it for querying usage settings on its bit string.
          Support for additional input has been added for deterministic (EC)DSA.
          The OpenPGP API provides better support for subkey generation.
          BCJSSE: Added boolean system properties "org.bouncycastle.jsse.client.dh.disableDefaultSuites" and "org.bouncycastle.jsse.server.dh.disableDefaultSuites". Default "false". Set to "true" to disable inclusion of DH cipher suites in the default cipher suites for client/server respectively.
          ASN.1 object support has been added for the Lightweight Certificate Management Protocol (CMP), currently in draft.
          A HybridValueParameterSpec class has been added for use with KeyAgreement to support SP 800-56C hybrid (so classical/post-quantum) key agreement.
      
      Notes
      
          The deprecated QTESLA implementation has been removed from the BCPQC provider.
          The submission update to SPHINCS+ has been added. This changes the generation of signatures - particularly deterministic ones.
      

      People

        Assignee: Thomas Mortagne (tmortagne)
        Reporter: Thomas Mortagne (tmortagne)
        Votes: 0
        Watchers: 1