Release Notes

1.0 Introduction

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.

2.0 Release History

2.1.1 Version

2.1.2 Defects Fixed

EdDSA verifiers now reset correctly after rejecting overly long signatures.

BCJSSE: SSLSession.getPeerCertificateChain could throw NullPointerException. This has been fixed.

qTESLA-I verifier would reject some valid signatures. This has been fixed.

qTESLA verifiers now reject overly long signatures.

PGP regression caused failure to preserve existing version header when headers were reset. This has now been fixed.

PKIXNameConstraintValidator had a bad cast preventing use of multiple OtherName constraints. This has been fixed.

Serialisation of the non-CRT RSA Private Key could cause a NullPointerException. This has been fixed.

An extra 4 bytes was included in the start of HSS public key encodings. This has been fixed.

CMS with Ed448 using a direct signature was using id-shake256-len rather than id-shake256. This has been fixed.

Use of GCMParameterSpec could cause an AccessControlException under some circumstances. This has been fixed.

DTLS: Fixed high-latency HelloVerifyRequest handshakes.

An encoding bug for rightEncoded() in KMAC has been fixed.

For a few values the cSHAKE implementation would add unnecessary pad bytes where the N and S strings produced encoded data that was block aligned. This has been fixed.

There were a few circumstances where Argon2BytesGenerator might hit an unexpected null. These have been removed.

2.1.3 Additional Features and Functionality

The qTESLA signature algorithm has been updated to v2.8 (20191108).

BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension.

Support has been added for PKIXRevocationChecker for users of Java 8 and later.

Support has been added for "ocsp.enable", "ocsp.responderURL" for users of Java 8 and later.

Support has been added for "org.bouncycastle.x509.enableCRLDP" to the PKIX validator.

BCJSSE: Now supports system property 'jsse.enableFFDHE'

BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes' and 'jdk.tls.server.SignatureSchemes'.

Multi-release support has been added for Java 11 XECKeys.

Multi-release support has been added for Java 15 EdECKeys.

The MiscPEMGenerator will now output general PrivateKeyInfo structures.

A new property "org.bouncycastle.pkcs8.v1_info_only" has been added to make the provider only produce version 1 PKCS8 PrivateKeyInfo structures.

The PKIX CertPathBuilder will now take the target certificate from the target constraints if a specific certificate is given to the selector.

BCJSSE: A range of ARIA and CAMELLIA cipher suites added to supported list.

BCJSSE: Now supports the PSS signature schemes from RFC 8446 (TLS 1.2 onwards).

Performance of the Base64 encoder has been improved.

The PGPPublicKey class will now include direct key signatures when checking for key expiry times.

2.1.4 Notes

Release: 1.66
Date: 2020, July 4th.

The qTESLA update breaks compatibility with previous versions. Private keys now include a hash of the public key at the end, and signatures are no longer interoperable with previous versions.

2.2.1 Version

2.2.2 Defects Fixed

DLExternal would encode using DER encoding for tagged SETs. This has been fixed.

ChaCha20Poly1305 could fail for large (>~2GB) files. This has been fixed.

ChaCha20Poly1305 could fail for small updates when used via the provider. This has been fixed.

Properties.getPropertyValue could ignore system property when other local overrides set. This has been fixed.

The entropy gathering thread was not running in daemon mode, meaning there could be a delay in an application shutting down due to it. This has been fixed.

A recent change in Java 11 could cause an exception with the BC Provider's implementation of PSS. This has been fixed.

BCJSSE: TrustManager now tolerates having no trusted certificates.

BCJSSE: Choice of credentials and signing algorithm now respect the peer's signature_algorithms extension properly.

BCJSSE: KeyManager for KeyStoreBuilderParameters no longer leaks memory.

2.2.3 Additional Features and Functionality

LMS and HSS (RFC 8554) support has been added to the low level library and the PQC provider.

SipHash128 support has been added to the low level library and the JCE provider.

BCJSSE: BC API now supports explicitly specifying the session to resume.

BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).

BCJSSE: Added support for extended_master_secret system properties: jdk.tls.allowLegacyMasterSecret, jdk.tls.allowLegacyResumption, jdk.tls.useExtendedMasterSecret.

BCJSSE: KeyManager and TrustManager now check algorithm constraints for keys and certificate chains.

BCJSSE: KeyManager selection of server credentials now prefers matching SNI hostname (if any).

BCJSSE: KeyManager may now fallback to imperfect credentials (expired, SNI mismatch).

BCJSSE: Client-side OCSP stapling support (beta version: via status_request extension only, provides jdk.tls.client.enableStatusRequestExtension, and requires CertPathBuilder support).

TLS: DSA in JcaTlsCrypto now falls back to stream signing to work around NoneWithDSA limitations in default provider.

2.3.1 Version

2.3.2 Defects Fixed

OpenSSH: Fixed padding in generated Ed25519 private keys.

Validation of headers in PemReader now looks for trailing dashes in the header.

PKIXNameConstraintValidator was throwing a NullPointerException on OtherName. This has been fixed.

Some compatibility issues around the signature encryption algorithm field in CMS SignedData and the GOST algorithms have been addressed.

GOST3410-2012-512 now uses the GOST3411-2012-256 as its KDF digest.

2.3.3 Additional Features and Functionality

PKCS12: key stores containing only certificates can now be created without the need to provide passwords.

BCJSSE: Initial support for AlgorithmConstraints; protocol versions and cipher suites.

BCJSSE: Initial support for 'jdk.tls.disabledAlgorithms'; protocol versions and cipher suites.

BCJSSE: Add SecurityManager check to access session context.

BCJSSE: Improved SunJSSE compatibility of the NULL_SESSION.

BCJSSE: SSLContext algorithms updated for SunJSSE compatibility (default enabled protocols).

The digest functions Haraka-256 and Haraka-512 have been added to the provider and the light-weight API.

XMSS/XMSS^MT key management now allows for allocating subsets of the private key space using the extraKeyShard() method. Use of StateAwareSignature is now deprecated.

Support for Java 11's NamedParameterSpec class has been added (using reflection) to the EC and EdEC KeyPairGenerator implementations.

2.3.4 Removed Features and Functionality

Deprecated ECPoint 'withCompression' tracking has been removed.

2.3.5 Security Advisory

A change to the ASN.1 parser in 1.63 introduced a regression that can cause an OutOfMemoryError to occur on parsing ASN.1 data. We recommend upgrading to 1.64, particularly where an application might be parsing untrusted ASN.1 data from third parties.

2.4.1 Version

2.4.2 Defects Fixed

The ASN.1 parser would throw a large object exception for some objects which could be safely parsed. This has been fixed.

GOST3412-2015 CTR mode was unusable at the JCE level. This has been fixed.

The DSTU MACs were failing to reset fully on doFinal(). This has been fixed.

The DSTU MACs would throw an exception if the key length was a multiple of the MAC's underlying buffer size. This has been fixed.

EdEC and QTESLA were not previously usable with the post Java 9 module structure. This is now fixed.

ECNR was not correctly bounds checking the input and could produce invalid signatures. This is now fixed.

ASN.1: Enforce no leading zeroes in OID branches (longer than 1 character).

TLS: Fix X448 support in JcaTlsCrypto.

Fixed field reduction for secp128r1 custom curve.

Fixed unsigned multiplications in X448 field squaring.

Some issues over subset Name Constraint validation in the CertPath analyser have now been fixed.

TimeStampResponse.getEncoded() could throw an exception if the TimeStampToken was null. This has been fixed.

Unnecessary memory usage in the ARGON2 implementation has been removed.

Param-Z in the GOST-28147 algorithm was not resolving correctly. This has been fixed.

It is now possible to specify different S-Box parameters for the GOST 28147-89 MAC.

2.4.3 Additional Features and Functionality

QTESLA is now updated with the round 2 changes. Note: the security categories, and in some cases key generation and signatures, have changed. For people interested in comparison, the round 1 version is now moved to org.bouncycastle.pqc.crypto.qteslarnd1 - this package will be deleted in 1.64. Please keep in mind that QTESLA may continue to evolve.

Support has been added for generating Ed25519/Ed448 signed certificates.

A method for recovering the message/digest value from an ECNR signature has been added.

Support for the ZUC-128 and ZUC-256 ciphers and MACs has been added to the provider and the lightweight API.

Support has been added for ChaCha20-Poly1305 AEAD mode from RFC 7539.

Improved performance for multiple ECDSA verifications using same public key.

Support for PBKDF2withHmacSM3 has been added to the BC provider.

The S/MIME API has been fixed to avoid unnecessary delays due to DNS resolution of the local host's name during internal MimeMessage preparation.

The valid path for EST services has been updated to cope with the characters used in the Aruba clearpass EST implementation.

2.5.1 Version

2.5.2 Defects Fixed

DTLS: Fixed infinite loop on IO exceptions.

DTLS: Retransmission timers now properly apply to flights monolithically.

BCJSSE: setEnabledCipherSuites ignores unsupported cipher suites.

BCJSSE: SSLSocket implementations store passed-in 'host' before connecting.

BCJSSE: Handle SSLEngine closure prior to handshake.

BCJSSE: Provider now configurable using security config under Java 11 and later.

EdDSA verifiers now reject overly long signatures.

XMSS/XMSS^MT OIDs now using the values defined in RFC 8391.

XMSS/XMSS^MT keys now encoded with OID at start.

An error causing valid paths to be rejected due to DN based name constraints has been fixed in the CertPath API.

Name constraint resolution now includes special handling of serial numbers.

Cipher implementations now handle ByteBuffer usage where the ByteBuffer has no backing array.

CertificateFactory now enforces presence of PEM headers when required.

A performance issue with RSA key pair generation that was introduced in 1.61 has been mostly eliminated.

2.5.3 Additional Features and Functionality

Builders for X509 certificates and CRLs now support replace and remove extension methods.

DTLS: Added server-side support for HelloVerifyRequest.

DTLS: Added support for an overall handshake timeout.

DTLS: Added support for the heartbeat extension (RFC 6520).

DTLS: Improve record seq. behaviour in HelloVerifyRequest scenarios.

TLS: BasicTlsPSKIdentity now reusable (returns cloned array from getPSK).

BCJSSE: Improved ALPN support, including selectors from Java 9.

Lightweight RSADigestSigner now supports use of NullDigest.

SM2Engine now supports C1C3C2 mode.

SHA256withSM2 now added to provider.

BCJSSE: Added support for ALPN selectors (including in BC extension API for earlier JDKs).

BCJSSE: Support 'SSL' algorithm for SSLContext (alias for 'TLS').

The BLAKE2xs XOF has been added to the lightweight API.

Utility classes added to support journaling of SecureRandom and algorithms to allow persistence and later resumption.

PGP SexprParser now handles some unprotected key types.

NONEwithRSA support added to lightweight RSADigestSigner.

Support for the Ethereum flavor of IES has been added to the lightweight API.

2.6.1 Version

2.6.2 Defects Fixed

Use of EC named curves could be lost if keys were constructed via a key factory and algorithm parameters. This has been fixed.

RFC3211WrapEngine would not properly handle messages longer than 127 bytes. This has been fixed.

The JCE implementations for RFC3211 would not return null AlgorithmParameters. This has been fixed.

TLS: Don't check CCS status for hello_request.

TLS: Tolerate unrecognized hash algorithms.

TLS: Tolerate unrecognized SNI types.

An incompatibility issue in ECIES-KEM encryption in cofactor mode has been fixed.

An issue with XMSS/XMSSMT private key loading which could result in invalid signatures has been fixed.

StateAwareSignature.isSigningCapable() now returns false when the key has reached its maximum number of signatures.

The McEliece KeyPairGenerator was failing to initialize the underlying class if a SecureRandom was explicitly passed.

The McEliece cipher would sometimes report the wrong value on a call to Cipher.getOutputSize(int). This has been fixed.

CSHAKEDigest.leftEncode() was using the wrong endianness for multi byte values. This has been fixed.

Some ciphers, such as CAST6, were missing AlgorithmParameters implementations. This has been fixed.

An issue with the default "m" parameter for 1024 bit Diffie-Hellman keys which could result in an exception on key pair generation has been fixed.

The SPHINCS256 implementation is now more tolerant of parameters wrapped with a SecureRandom and will not throw an exception if it receives one.

A regression in PGPUtil.writeFileToLiteralData() which could cause corrupted literal data has been fixed.

Several parsing issues related to the processing of CMP PKIPublicationInfo have been fixed.

The ECGOST curves for id-tc26-gost-3410-12-256-paramSetA and id-tc26-gost-3410-12-512-paramSetC had incorrect co-factors. These have been fixed.

2.6.3 Additional Features and Functionality

The qTESLA signature algorithm has been added to PQC light-weight API and the PQC provider.

The password hashing function, Argon2 has been added to the lightweight API.
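Argon2 in the lightweight API is driven by an Argon2Parameters object built from a type, salt and cost settings, and the generator fills a caller-sized output buffer. The following is an added example (it is not code from the release notes or from the Bouncy Castle project) of a salted Argon2id password store with constant-time verification; the cost values, the salt and tag lengths, the stored layout (salt followed by tag) and the sample password are all assumptions made for the example.

```java
import java.security.SecureRandom;

import org.bouncycastle.crypto.generators.Argon2BytesGenerator;
import org.bouncycastle.crypto.params.Argon2Parameters;
import org.bouncycastle.util.Arrays;

public final class Argon2PasswordStore {
    private static final int SALT_BYTES = 16;
    private static final int HASH_BYTES = 32;
    // Cost parameters are an assumption for this example, not a value taken from the release
    // notes: size them to the largest memory/time budget the login path can afford, and store
    // them alongside the hash so they can be raised later without breaking old records.
    private static final int MEMORY_KB = 64 * 1024;
    private static final int ITERATIONS = 3;
    private static final int LANES = 1;
    private static final SecureRandom RNG = new SecureRandom();

    private static Argon2Parameters params(byte[] salt) {
        return new Argon2Parameters.Builder(Argon2Parameters.ARGON2_id)
            .withVersion(Argon2Parameters.ARGON2_VERSION_13)
            .withSalt(salt)
            .withMemoryAsKB(MEMORY_KB)
            .withIterations(ITERATIONS)
            .withParallelism(LANES)
            .build();
    }

    /** Returns salt || tag for a fresh random salt. Callers should zero the password array afterwards. */
    public static byte[] hash(char[] password) {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        Argon2BytesGenerator gen = new Argon2BytesGenerator();
        gen.init(params(salt));
        byte[] tag = new byte[HASH_BYTES];
        gen.generateBytes(password, tag);     // char[] is converted to bytes as UTF-8 by the builder default
        return Arrays.concatenate(salt, tag);
    }

    /** Recomputes the tag under the stored salt and compares in constant time. */
    public static boolean verify(char[] password, byte[] stored) {
        if (stored.length != SALT_BYTES + HASH_BYTES) {
            return false;
        }
        byte[] salt = Arrays.copyOfRange(stored, 0, SALT_BYTES);
        byte[] expected = Arrays.copyOfRange(stored, SALT_BYTES, stored.length);
        Argon2BytesGenerator gen = new Argon2BytesGenerator();
        gen.init(params(salt));
        byte[] tag = new byte[HASH_BYTES];
        gen.generateBytes(password, tag);
        // Constant-time compare: a mismatch in the first byte costs the same as one in the last.
        return Arrays.constantTimeAreEqual(expected, tag);
    }

    public static void main(String[] args) {
        char[] pw = "constructed-sample-password".toCharArray();   // sample input for the example
        byte[] record = hash(pw);
        System.out.println("correct password accepted: " + verify(pw, record));
        System.out.println("wrong password rejected:   " + !verify("not-the-password".toCharArray(), record));
        System.out.println("truncated record rejected: " + !verify(pw, Arrays.copyOf(record, record.length - 1)));
        Arrays.fill(pw, '\0');
    }
}
```

Because the salt is random per record, two users with the same password get different tags, and the memory cost is what makes large-scale offline guessing expensive; the length check on the stored record keeps a corrupted row from being compared against a tag of the wrong size.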

BCJSSE: Added support for endpoint ID validation (HTTPS, LDAP, LDAPS).

BCJSSE: Added support for 'useCipherSuitesOrder' parameter.

BCJSSE: Added support for ALPN.

BCJSSE: Various changes for improved compatibility with SunJSSE.

BCJSSE: Provide default extended key/trust managers.

TLS: Added support for TLS 1.2 features from RFC 8446.

TLS: Removed support for EC point compression.

TLS: Removed support for record compression.

TLS: Updated to RFC 7627 from draft-ietf-tls-session-hash-04.

TLS: Improved certificate sig. alg. checks.

TLS: Finalised support for RFC 8442 cipher suites.

Support has been added to the main Provider for the Ed25519 and Ed448 signature algorithms.

Support has been added to the main Provider for the X25519 and X448 key agreement algorithms.

Utility classes have been added for handling OpenSSH keys.

Support for processing messages built using GPG and Curve25519 has been added to the OpenPGP API.

The provider now recognises the standard SM3 OID.

A new API for directly parsing and creating S/MIME documents has been added to the PKIX API.

SM2 in public key cipher mode has been added to the provider API.

The BCFKSLoadStoreParameter has been extended to allow the use of certificates and digital signatures for verifying the integrity of BCFKS key stores.

2.6.4 Removed Features and Functionality

Deprecated methods for EC point construction independent of curves have been removed.

2.7.1 Version

2.7.2 Defects Fixed

Base64/UrlBase64 would throw an exception on a zero length string. This has been fixed.

Base64/UrlBase64 would throw an exception if there was whitespace in the last 4 characters. This has been fixed.

The SM2 Signature JCE class now properly resets if Signature.sign() is called.

XMSS applies further validation to deserialisation of the BDS tree so that failure occurs as soon as tampering is detected (see CVE below).

An off by one error in the JsseDefaultHostnameAuthorizer isValidNameMatch method has been fixed.

BCJSSE: Return empty byte array instead of null, for the null session ID.

If a checksum calculator was passed to a PGPSecretKey constructor, but the encryptor was set to null, the wrong checksum would be calculated for the S2K usage. This has been fixed.

The CRMF EncryptedValue, when containing a private key, held an encoding of an EncryptedPrivateKeyInfo, rather than just the encrypted bytes. This has been fixed.

EC point precomputations could fail due to race conditions in concurrent settings. Point precomputation was reworked to fix this.

PGP key rings containing EdDSA signatures would cause an exception on parsing. This has been fixed.

BCJSSE: a mixed case error for brainpool curves in the supported groups set has been fixed.

getVersion() on the CRMF CertTemplate class could cause a null pointer exception if the optional version field was left out. This has been fixed.

Use of a short buffer with RSA via the JCE could result in an escaping ArrayIndexOutOfBoundsException. This has been fixed so that a ShortBufferException is now thrown.

SM2Engine.decrypt() ignored the offset parameter and assumed zero. This has been fixed.

A PEM encoded TRUSTED CERTIFICATE missing a trust block would result in a NullPointerException. This has been fixed.

If the Sun provider was removed entirely the BC SecureRandom was unable to seed and caused an InstantiationException. A back up seeding strategy has been added to prevent this.

In some situations the use of sm2p256v1 would result in "unknown curve name". This has been fixed.

CMP PollReqContent now supports multiple certificate request IDs.

2.7.3 Additional Features and Functionality

TLS: Extended CBC padding is now optional (and disabled by default).

TLS: Now supports channel binding 'tls-server-end-point'.

TLS: InterruptedIOException (e.g. socket timeout) during app-data reads no longer fails connection; handshake is optionally resumable after IIOE using 'TlsProtocol.setResumableHandshake()'.

TLS: Added utility methods and constants for ALPN (RFC 7301).

BCJSSE: Now supports system property 'jdk.tls.client.protocols'

BCJSSE: Now supports SSLParameters.setSNIMatchers.

BCJSSE: SNI can now be used in earlier JDKs via BC extensions.

BCJSSE: Session context now holds sessions via soft references.

An implementation of CryptoServicesRegistrar has been added to allow configuring of DSA/DH parameters and global setting of the SecureRandom used in the APIs.

Support has been added for the Unified Model of key agreement for both regular Diffie-Hellman and ECCDH.

Standard key-wrapping ciphers can now be used for wrapping other data where the cipher supports it.

BCFKS can now support the use of generalised wrapping algorithms.

A parser has now been added for the GNU keybox file format.

The GPG SExpr parser now covers a wider range of key types and validates associated checksums as well.

PGP EC operations now support more than just NIST curves.

Restrictions on the output sizes of the Blake2b/s digests in the lightweight API have been removed.

The Whirlpool digest OID has been added to its corresponding mappings for the JCA.

Support has been added for SHA-3 based signatures to the CMS API.

Support has been added to the CMS API for the generation of ECGOST key transport messages.

The ECElGamalEncryptor now supports the use of ECGOST curves.

The number of signature subpackets in OpenPGP signatures that are converted into explicit types automatically has been increased.

RFC 8032: Added low-level implementations of Ed25519 and Ed448.

The provider jars now include a services entry for the 2 providers they hold.

Support has been added for the German BSI KAEG Elliptic Curve key agreement algorithm with X9.63 as the KDF to the JCE.

Support has been added for the German BSI KAEG Elliptic Curve session key KDF to the lightweight API.

2.7.4 Security Related Changes and CVE's Addressed by this Release

CVE-2018-1000180: issue around primality tests for RSA key pair generation if done using only the low-level API.

CVE-2018-1000613: lack of class checking in deserialization of XMSS/XMSS^MT private keys with BDS state information.
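CVE-2018-1000180 concerns the low-level RSAKeyPairGenerator: in affected versions the candidate primes could receive fewer Miller-Rabin rounds than the certainty passed in RSAKeyGenerationParameters implied. The following is an added example (not code from the release notes or the Bouncy Castle project) of generating a key pair through that low-level API with an explicit certainty and then checking the result independently with the JDK's own primality test; the certainty value of 112 and the 2048-bit size are choices made for the example, as is the sanity check itself.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

import org.bouncycastle.crypto.AsymmetricCipherKeyPair;
import org.bouncycastle.crypto.generators.RSAKeyPairGenerator;
import org.bouncycastle.crypto.params.RSAKeyGenerationParameters;
import org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters;

public final class LowLevelRsaKeyGen {
    // Assumed for the example: 2048-bit modulus at a 112-bit security level, e = 65537.
    private static final int STRENGTH = 2048;
    private static final int CERTAINTY = 112;
    private static final BigInteger E = BigInteger.valueOf(0x10001);

    public static RSAPrivateCrtKeyParameters generate(SecureRandom random) {
        RSAKeyPairGenerator gen = new RSAKeyPairGenerator();
        // The certainty argument is the probability bound for the primality tests on p and q.
        gen.init(new RSAKeyGenerationParameters(E, random, STRENGTH, CERTAINTY));
        AsymmetricCipherKeyPair kp = gen.generateKeyPair();
        return (RSAPrivateCrtKeyParameters) kp.getPrivate();
    }

    /**
     * Independent sanity check with java.math.BigInteger: both factors must pass the JDK's
     * probable-prime test at the same certainty, reproduce the modulus, and satisfy e*d = 1 mod lcm(p-1, q-1).
     */
    public static boolean looksSound(RSAPrivateCrtKeyParameters priv) {
        BigInteger p = priv.getP();
        BigInteger q = priv.getQ();
        BigInteger n = priv.getModulus();
        if (n.bitLength() != STRENGTH) return false;
        if (!p.isProbablePrime(CERTAINTY) || !q.isProbablePrime(CERTAINTY)) return false;
        if (!p.multiply(q).equals(n)) return false;
        BigInteger pm1 = p.subtract(BigInteger.ONE);
        BigInteger qm1 = q.subtract(BigInteger.ONE);
        BigInteger lambda = pm1.multiply(qm1).divide(pm1.gcd(qm1));
        return priv.getPublicExponent().multiply(priv.getExponent()).mod(lambda).equals(BigInteger.ONE);
    }

    public static void main(String[] args) {
        RSAPrivateCrtKeyParameters priv = generate(new SecureRandom());
        System.out.println("key passes independent checks: " + looksSound(priv));
    }
}
```

The cross-check is cheap relative to key generation and is a reasonable thing to keep in a key-generation path that bypasses the JCE layer, since the low-level API does not apply the provider's default certainty for you.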

2.8.1 Version

2.8.2 Defects Fixed

Issues with using PQC based keys with the provided BC KeyStores have now been fixed.

ECGOST-2012 public keys were being encoded with the wrong OID for the digest parameter in the algorithm parameter set. This has been fixed.

SM3 has now been added as an acceptable algorithm for TSP timestamps.

SM2 signatures were using the wrong default identity value. This has now been fixed.

An edge condition in Blake2b for hashes on data with a length in the range of 2**64 - 127 to 2**64 has been identified and fixed.

The ISO Trailer for SHA512/256 used in X9.31 and ISO9796-2 signatures was incorrect. This has been fixed.

The BCJSSE SSLEngine implementation now correctly wraps/unwraps application data only in whole records.

The curve parameters for tc26_gost_3410_12_256_paramSetA were incorrect. These have been fixed.

Further work has been done to try and prevent escaping exceptions on opening random files as BCFKS files or PKCS#12 files.

An off-by-one error for the max N check for SCRYPT has been fixed. SCRYPT should now be compliant with RFC 7914.

ASN1GeneralizedTime will now accept a broader range of input strings.

2.8.3 Additional Features and Functionality

GOST3410-94 private keys encoded using ASN.1 INTEGER are now accepted in private key info objects.

SCRYPT is now supported as a SecretKeyFactory in the provider and in the PKCS8 APIs.

The BCJSSE provider now supports session resumption in clients.

The BCJSSE provider now supports Server Name Indication.

The BCJSSE provider now supports the jdk.tls.namedGroups system property.

The BCJSSE provider now supports the org.bouncycastle.jsse.ec.disableChar2 system property, which optionally disables the use of characteristic-2 elliptic curves.

EC key generation and signing now use cache-timing resistant table lookups.

Performance of the DSTU algorithms has been greatly improved.

Support has been added for generating certificates and signatures in the PKIX API using SHA-3 based digests.

Further work has been done on improving SHA-3 performance.

The organizationIdentifier (2.5.4.97) attribute has been added to BCStyle.

GOST3412-2015 has been added to the JCE provider and the lightweight API.

The Blake2s message digest has been added to the provider and the lightweight API.

Unified Cofactor Diffie-Hellman (ECCDHU) is now supported for EC in the JCE and the lightweight API.

A DEROtherInfo generator for key agreement using NewHope as the source of the shared private info has been added that can be used in conjunction with regular key agreement algorithms.

RFC 7748: Added low-level implementations of X25519 and X448.

2.8.4 Security Related Changes and CVE's Addressed by this Release

CVE-2017-13098 ("ROBOT"), a Bleichenbacher oracle in TLS when RSA key exchange is negotiated. This potentially affected BCJSSE servers and any other TLS servers configured to use JCE for the underlying crypto - note the two TLS implementations using the BC lightweight APIs are not affected by this.

2.9.1 Version

2.9.2 Defects Fixed

NewHope and SPHINCS keys are now correctly created off certificates by the BC provider.

Use of the seeded constructor with SecureRandom() and the BC provider in first position could cause a stack overflow error. This has been fixed.

The boolean flag on ECDSAPublicKey in CVCertificate was hard coded. This has been fixed.

An edge condition in IV processing for GOFB mode has been found and fixed.

ANSSI named EC curves were not being recognised in PKCS#10 and certificate parsing. This has been fixed.

BaseStreamCipher.engineSetMode() could sometimes throw an IllegalArgumentException rather than a NoSuchAlgorithmException. This has been fixed.

Some class resolving used by the provider would fail if the BC jar was loaded on the boot class path. This has been fixed.

An off-by-one range check in SM2Signer has been fixed.

Retrieving an SM2 key from a certificate could result in a NullPointerException due to a problem with the curve lookup. This has been fixed.

A race condition that could occur inside the HybridSecureRandom on reseed and result in an exception has been fixed.

DTLS now supports records containing multiple handshake messages.

2.9.3 Additional Features and Functionality

An implementation of GOST3410-2012 has been added to light weight API and the JCA provider.

Support for ECDH GOST3410-2012 and GOST3410-2001 have been added. The CMS API can also handle reading ECDH GOST3410 key transport messages.

Additional mappings have been added for a range of CVC-ECDSA algorithms.

XMSS and XMSS^MT are now available via the BCPQC provider. Support has been added for using these keys in certificates as well.

Support has been added for DSTU-7564 message digest and the DSTU-7624 ciphers, together with their associated modes.

A new system property org.bouncycastle.asn1.allow_unsafe_integer has been added to allow parsing of malformed ASN.1 integers in a similar fashion to what BC 1.56 did. The default behavior remains as reject malformed integers.

SignedMailValidator would only pick up the first email address in a DN, even when there was more than one. This has been fixed.

PEMParser will now support a broader range of PBKDFs in encrypted private key files.

Work has been done on speeding up the SHA-3 family. The functions are now 3 to 4 times faster.

Some EC aliases in the provider had no corresponding implementations. These have been cleaned up.

TimeStampResponses now support definite-length encoding to allow the preservation of order in certificates sets for legacy responses.

The TSP API now supports SM2withSM3.

The BCJSSE provider now has a FIPS mode.

The BCJSSE provider now supports layered sockets.

The new TLS API now has protocol/API support for the status_request extension (OCSP stapling).

The new TLS API now supports RFC 7633 - X.509v3 TLS Feature Extension (e.g. "must staple"), enabled in default clients.

TLS exceptions have been made more directly informative.

2.9.4 Removed Features and Functionality

Per RFC 7465, removed support for RC4 in the new TLS API.

Per RFC 7568, removed support for SSLv3 in the new TLS API.

2.10.1 Version

2.10.2 Defects Fixed

A class cast exception when removing a master key certification through the PGPPublicKey.removeCertification() overload that takes the certification itself has been fixed.

GOST GOFB 28147-89 mode had an edge condition concerning the incorrect calculation of N4 (see section 6.1 of RFC 5830) affecting about 1% of IVs. This has been fixed.

The X.509 PolicyConstraints class was using implicit rather than explicit tagging for the SkipCerts field. This has been fixed.

Key expiration in the OpenPGP API is now calculated for ambiguous self-signatures using the most recently created self-signature, in line with GPG and the recommendation in RFC 4880.

Multiple validity periods in PGP keys were resolved in an ad hoc fashion; in line with GPG's approach, the PGP API has been changed to return the most recently signed validity period.

An occasional class cast exception that could occur with nested multi-parts in the S/MIME API has been fixed.

A couple of bogus aliases associated with AlgorithmParameters that did not resolve in the provider have been removed.

The CMS API will now correctly verify PSS signatures with odd length salts.

Choosing an invalid mode on a stream cipher in the JCE could result in an IllegalArgumentException. This has now been corrected to throw a NoSuchAlgorithmException.

Optional parameters for ECDSA public keys in CVCertificates were hard coded to non-optional. This has been fixed.

Passing a PKCS12 key to a Mac in the BC JCE always resulted in SHA-1 being used to process the password regardless of the underlying MAC algorithm. This has been fixed. An unrecognised HMAC will also now result in an exception.

The Base64 encoder now explicitly validates 2 character padding as being "==".

EC FixedPointCombMultiplier avoids 'infinity' point in lookup tables, reducing timing side-channels.

Reuse of a Blake2b digest with a call to reset() rather than doFinal() could result in incorrect padding being introduced and the wrong digest result produced. This has been fixed.

2.10.3 Additional Features and Functionality

ARIA (RFC 5794) is now supported by the provider and the lightweight API.

ARIA Key Wrapping (RFC 5649 style) is now supported by the provider and the lightweight API.

SM2 signatures, key exchange, and public key encryption has been added to the lightweight API.

XMSS has been added to the lightweight PQ API. Note: this should be treated as beta code.

API support for client side EST (RFC 7030), as well as some CMC (RFC 5273) has been added to the PKIX API. A full set of ASN.1 classes for both protocols has been added as well.

A test client for EST which will interop with the 7030 test server at http://testrfc7030.com/ has been added to the general test module in the current source tree.

The BCJSSE provider now supports SSLContext.getDefault(), with very similar behaviour to the SunJSSE provider, including checks of the relevant javax.net.ssl.* system properties and auto-loading of jssecacerts or cacerts as the default trust store.

2.10.4 Security Related Changes

The default parameter sizes for DH and DSA are now 2048. If you have been relying on key pair generation without passing in parameters generated keys will now be larger.

Further work has been done on preventing accidental re-use of a GCM cipher without first changing its key or iv.

2.11.1 Version

2.11.2 Defects Fixed

See section 2.11.4 for Security Defects.

Using unknown status with the ASN.1 CertStatus primitive could result in an IllegalArgumentException on construction. This has been fixed.

A potential NullPointerException in a precomputation in WNafUtil has been removed.

PGPUtil.getDecoderStream() would throw something other than an IOException for empty and very small data. This has been fixed.

2.11.3 Additional Features and Functionality

Support for the explicit setting of AlgorithmParameters has been added to the JceCMSContentEncryptorBuilder and the JceCMSMacCalculatorBuilder classes to allow configuration of the session cipher/MAC used.

EC, ECGOST3410, and DSTU4145 Public keys are now validated on construction in the JCA/JCE and the light weight API.

DSA Public keys are now validated on construction in the JCA/JCE and the light weight API.

Diffie-Hellman public keys are now validated where parameters allow it.

Some validations are now applied to RSA moduli and public exponents.

The ASN.1 Object Identifier cache now uses a ConcurrentHashMap for additional speed.

AES-CCM MAC support has been added to the provider.

Support for ChaCha7539 (ChaCha20 as defined in RFC 7539) and Poly1305 have been added to the provider.

Support has been added for defining your own curves and making them available to the key generators and factories.

Methods have been added for specifying that a PGPPublicKey/PGPPublicKeyRing is being encoded for export and trust packets are not required.

Plain-ECDSA and SHA-3 support has been added to DefaultDigestAlgorithmIdentifierFinder.

SHA-3 support has been added to BcDefaultDigestProvider.

A higher level TLS API and JSSE provider have been added to the project.

2.11.4 Security Related Changes and CVE's Addressed by this Release

It is now possible to configure the provider to only import keys for specific named curves.

Work has been done to improve the "constant time" behaviour of the RSA padding mechanisms.

The GCM ciphers in the JCE and lightweight API will now fail if an attempt is made to use them for encryption after a doFinal or without changing the IV.
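The guard described here (and the follow-up work noted under 2.10.4) catches a nonce being reused on one Cipher instance, which is the case the library can see; it cannot see two instances, threads or hosts encrypting under the same key and nonce, which is the case that actually breaks GCM. The following is an added example (not code from the release notes or the Bouncy Castle project) of the discipline that makes the guard unnecessary: callers never choose the nonce, every encryption draws a fresh random 96-bit nonce that is stored in front of the ciphertext, and decryption fails closed on tampering. The blob layout, the AAD value, the sample plaintext, and the use of AES-256 are assumptions made for the example; the reuse demonstration at the end simply exercises the library check on one instance and reports the exception it raises, whose exact class depends on the provider version.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

public final class GcmNonceDiscipline {
    private static final int NONCE_BYTES = 12;   // 96-bit nonce: the GCM fast path, no GHASH of the IV
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** Every call draws a fresh random nonce; the output layout is nonce || ciphertext || tag. */
    public static byte[] seal(SecretKey key, byte[] aad, byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding", "BC");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(aad);
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, NONCE_BYTES + ct.length);
        System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
        return out;
    }

    /** Throws (AEADBadTagException in practice) if ciphertext, tag or AAD were altered; never returns garbage. */
    public static byte[] open(SecretKey key, byte[] aad, byte[] sealed) throws GeneralSecurityException {
        if (sealed.length < NONCE_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("sealed blob too short");
        }
        byte[] nonce = Arrays.copyOfRange(sealed, 0, NONCE_BYTES);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding", "BC");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        c.updateAAD(aad);
        return c.doFinal(sealed, NONCE_BYTES, sealed.length - NONCE_BYTES);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyGenerator kg = KeyGenerator.getInstance("AES", "BC");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] aad = "hdr-v1".getBytes(StandardCharsets.UTF_8);                     // constructed sample AAD
        byte[] pt = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8); // constructed sample input

        byte[] blob = seal(key, aad, pt);
        System.out.println("round trip ok: " + Arrays.equals(pt, open(key, aad, blob)));

        // Flip one ciphertext bit: open() must throw, not return a corrupted plaintext.
        byte[] bad = blob.clone();
        bad[NONCE_BYTES] ^= 0x01;
        try {
            open(key, aad, bad);
            System.out.println("UNEXPECTED: tampered blob accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("tampered blob rejected: " + e.getClass().getSimpleName());
        }

        // The library guard from the notes: re-initialising the same instance for encryption
        // with the same key and nonce is refused. It only sees reuse on this one instance.
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding", "BC");
        GCMParameterSpec fixed = new GCMParameterSpec(TAG_BITS, new byte[NONCE_BYTES]);
        c.init(Cipher.ENCRYPT_MODE, key, fixed);
        c.doFinal(pt);
        try {
            c.init(Cipher.ENCRYPT_MODE, key, fixed);
            System.out.println("UNEXPECTED: nonce reuse allowed");
        } catch (GeneralSecurityException e) {
            System.out.println("nonce reuse refused: " + e.getMessage());
        }
    }
}
```

A random 96-bit nonce is safe for a bounded number of messages per key (the usual budget is well below 2^32 messages); a system that encrypts more than that under one key should rotate keys or derive per-message keys rather than rely on the instance-level check.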

The constructor for IESParameterSpec that allows the use of cipher without a nonce has been deleted. See also details for CVE-2016-1000344, CVE-2016-1000352.

Strict encoding enforcement has been introduced for ASN1Integer.

CVE-2016-1000338: DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of "invisible" data into a signed structure.

CVE-2016-1000339: AESFastEngine has a side channel leak if table accesses can be observed. The use of large static lookup tables in AESFastEngine means that where data accesses by the CPU can be observed, it is possible to gain information about the key used to initialize the cipher. We now recommend not using AESFastEngine where this might be a concern. The BC provider is now using AESEngine by default.

CVE-2016-1000340: Static ECDH vulnerable to carry propagation bug. Carry propagation bugs in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.

CVE-2016-1000341: DSA signature generation vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55 or earlier may allow an attacker to gain information about the signature's k value and ultimately the private value as well.

CVE-2016-1000342: ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of "invisible" data into a signed structure.
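Both CVE-2016-1000338 and CVE-2016-1000342 come down to the same parsing discipline: a DSA or ECDSA signature is SEQUENCE { INTEGER r, INTEGER s }, and a verifier must accept only the one canonical DER encoding of exactly those two values, so that no extra elements, trailing bytes or alternative length/INTEGER encodings can be introduced without breaking the signature. The following strict decoder is an added example written for these notes, not Bouncy Castle's own code (BC itself achieves the same effect by re-encoding the parsed structure in DER and comparing it with the input); the sample encodings in main() are constructed, with r = 127 and s = 257.

```java
import java.math.BigInteger;
import java.util.Arrays;

/** Added example: strict DER decoder for a DSA/ECDSA signature (not BC code). */
public final class StrictDsaSignature {

    private final byte[] in;
    private int pos;

    private StrictDsaSignature(byte[] in) {
        this.in = in;
    }

    /** Returns {r, s}, or throws IllegalArgumentException for any non-canonical input. */
    public static BigInteger[] decode(byte[] sig) {
        StrictDsaSignature p = new StrictDsaSignature(sig);
        int seqLen = p.readHeader(0x30);                       // SEQUENCE tag
        int seqEnd = p.pos + seqLen;
        if (seqEnd != sig.length) {
            throw new IllegalArgumentException("trailing data after signature SEQUENCE");
        }
        BigInteger r = p.readInteger();
        BigInteger s = p.readInteger();
        if (p.pos != seqEnd) {                                 // the "invisible data" case
            throw new IllegalArgumentException("extra elements inside signature SEQUENCE");
        }
        return new BigInteger[] { r, s };
    }

    /** Reads a tag byte and a DER length; returns the content length. */
    private int readHeader(int expectedTag) {
        if (pos >= in.length || (in[pos] & 0xff) != expectedTag) {
            throw new IllegalArgumentException("unexpected tag at offset " + pos);
        }
        pos++;
        if (pos >= in.length) {
            throw new IllegalArgumentException("truncated length");
        }
        int first = in[pos++] & 0xff;
        int len = first;
        if (first >= 0x80) {
            int n = first & 0x7f;                              // number of length octets
            if (n == 0 || n > 2 || pos + n > in.length) {
                throw new IllegalArgumentException("unsupported or truncated length");
            }
            len = 0;
            for (int i = 0; i < n; i++) {
                len = (len << 8) | (in[pos++] & 0xff);
            }
            // DER: long form only when the short form cannot express the value.
            if (len < 0x80 || (n == 2 && len < 0x100)) {
                throw new IllegalArgumentException("non-minimal length encoding");
            }
        }
        if (pos + len > in.length) {
            throw new IllegalArgumentException("truncated content");
        }
        return len;
    }

    /** Reads one DER INTEGER and insists on a positive, minimally encoded value. */
    private BigInteger readInteger() {
        int len = readHeader(0x02);                            // INTEGER tag
        if (len == 0) {
            throw new IllegalArgumentException("empty INTEGER");
        }
        byte[] v = Arrays.copyOfRange(in, pos, pos + len);
        pos += len;
        // DER forbids a leading 0x00 unless it is needed to clear the sign bit,
        // and a leading 0xFF unless it is needed to set it.
        if (len > 1 && v[0] == 0x00 && (v[1] & 0x80) == 0) {
            throw new IllegalArgumentException("non-minimal INTEGER (leading zero)");
        }
        if (len > 1 && v[0] == (byte) 0xff && (v[1] & 0x80) != 0) {
            throw new IllegalArgumentException("non-minimal INTEGER (leading 0xFF)");
        }
        BigInteger value = new BigInteger(v);                  // two's complement, as DER specifies
        if (value.signum() <= 0) {
            throw new IllegalArgumentException("r and s must be positive");
        }
        return value;
    }

    private static void tryDecode(String label, byte[] sig) {
        try {
            BigInteger[] rs = decode(sig);
            System.out.println(label + ": accepted r=" + rs[0] + " s=" + rs[1]);
        } catch (IllegalArgumentException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        }
    }

    public static void main(String[] args) {
        // Constructed samples, all carrying r = 127 and s = 257.
        byte[] canonical = { 0x30, 0x07, 0x02, 0x01, 0x7f, 0x02, 0x02, 0x01, 0x01 };
        byte[] extraElement = { 0x30, 0x09, 0x02, 0x01, 0x7f, 0x02, 0x02, 0x01, 0x01, 0x05, 0x00 };
        byte[] trailingByte = { 0x30, 0x07, 0x02, 0x01, 0x7f, 0x02, 0x02, 0x01, 0x01, 0x00 };
        byte[] paddedInteger = { 0x30, 0x08, 0x02, 0x02, 0x00, 0x7f, 0x02, 0x02, 0x01, 0x01 };
        tryDecode("canonical", canonical);
        tryDecode("extra NULL element", extraElement);
        tryDecode("trailing byte", trailingByte);
        tryDecode("zero-padded INTEGER", paddedInteger);
    }
}
```

Only the first sample is accepted. The other three are all BER-parsable and carry the same r and s, which is exactly why a lenient parser lets data ride along under a valid signature; a verifier that takes a signature from an untrusted source should also enforce 0 < r, s < q before the modular arithmetic, which the caller can do on the returned values.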

CVE-2016-1000343: DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.

CVE-2016-1000344: DHIES allows the use of unsafe ECB mode. This algorithm is now removed from the provider.

CVE-2016-1000345: DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.

CVE-2016-1000346: Other party DH public key not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of this release the key parameters are checked on agreement calculation.
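The check that the note says is now applied on agreement calculation is, for a Diffie-Hellman group with prime p and a generator of prime order q, a range check (1 < y < p - 1) and a subgroup check (y^q mod p == 1) on the peer's public value y; the second part is only possible when q is known, which is what "where parameters allow it" means elsewhere in these notes. The following is an added example, not Bouncy Castle's own code, using only java.math.BigInteger; the toy group in main() (p = 23, q = 11, g = 4) is constructed for illustration and far too small for real use.

```java
import java.math.BigInteger;

/** Added example: validation of a peer's DH public value (not BC code). */
public final class DhPublicValueCheck {

    private static final BigInteger ONE = BigInteger.ONE;
    private static final BigInteger TWO = BigInteger.valueOf(2);

    /**
     * Returns true when y is an acceptable public value for the group (p, q).
     * q may be null when the subgroup order is not available; only the range
     * check is possible in that case.
     */
    public static boolean isValidPublicValue(BigInteger p, BigInteger q, BigInteger y) {
        // Range check: rejects 0, 1 and p-1, which all force a trivial shared secret,
        // and anything outside the field.
        if (y.compareTo(TWO) < 0 || y.compareTo(p.subtract(TWO)) > 0) {
            return false;
        }
        // Subgroup membership: a value of small order would let a malicious peer
        // learn the static private key modulo that small order, one agreement at a time.
        if (q != null && !y.modPow(q, p).equals(ONE)) {
            return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed toy group: p = 23 = 2*11 + 1, q = 11, g = 4 generates the order-11 subgroup.
        BigInteger p = BigInteger.valueOf(23);
        BigInteger q = BigInteger.valueOf(11);
        BigInteger g = BigInteger.valueOf(4);

        BigInteger honest = g.modPow(BigInteger.valueOf(7), p);   // a legitimately generated value
        BigInteger pMinusOne = p.subtract(ONE);                    // element of order 2
        BigInteger outsideSubgroup = BigInteger.valueOf(5);        // not a power of g modulo 23

        System.out.println("honest value " + honest + " valid: " + isValidPublicValue(p, q, honest));
        System.out.println("p-1 valid: " + isValidPublicValue(p, q, pMinusOne));
        System.out.println("value 5 (outside subgroup) valid: " + isValidPublicValue(p, q, outsideSubgroup));
    }
}
```

With a real-world group the same two checks apply unchanged; the subgroup exponentiation costs about as much as the agreement itself, which is the price of using a static private key against untrusted peers.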

CVE-2016-1000352: ECIES allows the use of unsafe ECB mode. This algorithm is now removed from the provider.

2.11.5 Security Advisory

We consider the carry propagation bugs fixed in this release to have been exploitable in previous releases (1.51-1.55), for static ECDH, to reveal the long-term key, per "Practical realisation and elimination of an ECC-related software bug attack", Brumley et al. The most common case of this would be the non-ephemeral ECDH ciphersuites in TLS. These are not enabled by default in our TLS implementations, but they can be enabled explicitly by users. We recommend that users DO NOT enable static ECDH ciphersuites for TLS.

2.12.1 Version

2.12.2 Defects Fixed

Issues with cloning of blake digests with salts and personalisation strings have been fixed.

The JceAsymmetricValueDecryptor in the CRMF package now attempts to recognise a wider range of parameters for the key wrapping algorithm, rather than relying on a default.

GCM now fails if an attempt is made to go past 2^32-1 blocks.

(r, k) ordering for Poly1305 has been modified to be brought into line with RFC 7539.

An occasional error in Poly1305 due to sign-extension has been fixed.

TimeStampRequest was always failing to validate if extensions were present. This has been fixed.

ECIES/IES algorithm parameters encoding failed on default parameters. This has been fixed.

PGPObjectFactory.iterator() could fail when called on data with multiple stream packets. This has been fixed.

The McEliece implementation in the BCPQC provider has been revised and now has working key factories associated with it.

The X.509 UserNotice class can now cope with empty sequences.

Creation of multiple providers concurrently could cause issues with a non-synchronized Map in the provider. Code is now synchronized.

If the lightweight OAEP encoder is fed oversized input it will now throw something more informative than an ArrayOutOfBoundsException or simply truncate.

Attempting to use the PasswordRecipientInfoGenerator without explicitly setting the salt would cause a NullPointerException. This has been fixed.

The BasicConstraintsValidation in the CertPath API would throw a NullPointerException on an unconstrained path length. This has been fixed.

A shift error for > 24 bit numbers in TlsUtils has been fixed.

OAEP encryption for a zero length message would create invalid cipher text. This has been fixed.

Trying to use non-default parameters for OAEP in CRMF would resort to the default parameter set. This has been fixed.

If the BC provider was not registered, creating a CertificateFactory would cause a new provider object to be created. This has been fixed.

2.12.3 Additional Features and Functionality

The DANE API has been updated to reflect the latest standard changes.

The signature algorithm SPHINCS-256 has been added to the post-quantum provider (BCPQC). Support is in place for SHA-512 and SHA3-512 (using trees based around SHA512_256 and SHA3_256 respectively).

The key exchange algorithm NewHope has been added to the post-quantum provider (BCPQC). Support is in place for the regular configuration using SHA3-256 as the flattening algorithm for the agreed value.

The CMS password recipient generator now allows the PRF to be changed to something other than SHA-1.

Direct support for the SignatureTarget packet has been added to the OpenPGP API.

TLS: support for ClientHello Padding Extension (RFC 7685).

TLS: support for ECDH_anon key exchange.

Support has been added for HMAC SHA-3. Aliases have been added for NIST OIDs for SHA-3 HMAC as well.

Support has been added for SHA-3 in DSA, ECDSA, DDSA, and ECDDSA. Aliases have been added for NIST OIDs for DSA and ECDSA as well.

Support has been added for SHA-3 with RSA PKCS 1.5, PSS, and OAEP.

Support has been added for GOST R 34.11-2012 to the provider and the lightweight API.

PGP armored output can now be generated without a version string.

The TimeStampTokenGenerator will now generate timestamps down to a millisecond resolution.

Additional search methods have been added to PGP public and secret key rings.

2.13.1 Version

2.13.2 Defects Fixed

Blake2b-160, Blake2b-256, Blake2b-384, and Blake2b-512 are now actually in the provider and an issue with cloning Blake2b digests has been fixed.

PKCS#5 Scheme 2 using DESede CBC is now supported by the PKCS#12 implementation.

The IES engine would sometimes throw a "too short" exception on small messages which were the right length. This has been fixed.

Cipher.getOutputSize() for IES ciphers would throw a ClassCastException. This has been fixed.

It turns out, after advice one way and another, that the NESSIE test vectors for Serpent are what should be followed, and that the vectors in the AES submission are regarded as an algorithm called Tnepres. The Serpent implementation now follows the NESSIE vectors, and the Tnepres cipher has been added to the provider and the lightweight API for compatibility.

Problems with DTLS record-layer version handling were resolved, making version negotiation work properly.

2.13.3 Additional Features and Functionality

Camellia and SEED key wrapping are now supported for CMS key agreement.

The BC TLS/DTLS code now includes a non-blocking API.

CTR/SIC mode now supports an internal counter. The internal counter can be turned on by passing an IV smaller than the block size of the cipher's algorithm.

The lightweight CMS API operators now support CAST5 and RC2 CBC encryption.

The CMS API now supports Diffie-Hellman as specified in RFC 3370.

Support has been added to the CMS API for PKCS#7 ANY type encapsulated content where the encapsulated content is not an OCTET STRING.

PSSSigner in the lightweight API now supports fixed salts.

2.13.4 Security Advisory

(D)TLS 1.2: Motivated by CVE-2015-7575, we have added validation that the signature algorithm received in DigitallySigned structures is actually one of those offered (in signature_algorithms extension or CertificateRequest). With our default TLS configuration, we do not believe there is an exploitable vulnerability in any earlier releases. Users that are customizing the signature_algorithms extension, or running a server supporting client authentication, are advised to double-check that they are not offering any signature algorithms involving MD5.

2.13.5 Notes

Release: 1.65 Date: 2020, March 31st.
Release: 1.64 Date: 2019, October 7th.
Release: 1.63 Date: 2019, September 10th.
Release: 1.62 Date: 2019, June 3rd.
Release: 1.61 Date: 2019, February 4th.
Release: 1.60 Date: 2018, June 30
Release: 1.59 Date: 2017, December 28
Release: 1.58 Date: 2017, August 18
Release: 1.57 Date: 2017, May 11
Release: 1.56 Date: 2016, December 23
Release: 1.55 Date: 2016, August 18
Release: 1.54 Date: 2015, December 29

If you have been using Serpent, you will need to either change to Tnepres, or take into account the fact that Serpent is now byte-swapped compared to what it was before.

2.14.1 Version

2.14.2 Defects Fixed

The BC JCE cipher implementations could sometimes fail when used in conjunction with the JSSE and NIO. This has been fixed.

PGPPublicKey.getBitStrength() always returned 0 for EC keys. This has been fixed.

A PKCS12 key store containing a looping certificate chain could cause an OutOfMemoryException. This has been fixed.

A change in JDK 1.8 meant that X509Certificate.verify(PublicKey, Provider) would cause a stack overflow. This has been fixed.

Nested multiparts with irregular post-amble could cause verification issues for the SMIMESigned classes. This has been fixed.

CMSSignedData now supports verification of signed attributes where the calculated digest uses a different algorithm from the digest used in the signature.

TRUSTED CERTIFICATE parsing in PEM files was ignoring the attribute block. A new class X509TrustedCertificateBlock is now returned containing both the certificate and the trust information.

Adding a password to a PGP key which did not previously have one would result in an improperly formatted key. This has been fixed.

ECIES/IES was only using a 4 byte label length for the MAC tag when it should have been an 8 byte one. This has now been fixed and OldECIES/OldIES has been added for backwards compatibility.

The JceCRMFEncryptorBuilder was not recognising key size specific object identifiers properly. This has been fixed.

The OpenPGP ClearSignedFileProcessor would not handle verification of single line files properly. This has been fixed.

The BC X509Certificate class was no longer in agreement with the standard class for hashCode(). The BC X509Certificate class will now track the changes made in the standard Java distribution.

PGP signature hashed sub-packets with long length encodings would fail to validate on signature checking. This has been fixed.

The S/MIME API would occasionally leak InputStreams which could cause issues with custom DataSource implementations. This has been fixed.

The PKCS#12 KeyStore implementation would sometimes leave orphaned chain certificates in the key store after private key deletion. This has been fixed.

A bug in the DirectKeySignature OpenPGP example which could lead to extra data appearing in the signature has been fixed.

Explicit configuration of a BcAsymmetricKeyWrapper with a SecureRandom was not properly propagated internally. This has been fixed.

A CRL with a null certificate issuer would sometimes result in a NullPointerException during CertPathProcessing. This has been fixed.

The CertPath processor would occasionally fail to match a DistributionPoint name correctly. This has been fixed.

In order to avoid confusion about thread safety, BCrypt now uses a new instance for hash calculation every time it is invoked.

Some decidedly odd argument casting in the PKIXCertPathValidator has been fixed to throw an InvalidAlgorithmParameterException.

Presenting an empty array of certificates to the PKIXCertPathValidator would cause an IndexOutOfRangeException instead of a CertPathValidatorException. This has been fixed.

2.14.3 Additional Features and Functionality

It is now possible to specify that an unwrapped key must be usable by a software provider in the asymmetric unwrappers for CMS.

A Blake2b implementation has been added to the provider and lightweight API.

SHA3 has now been added to the provider and the lightweight API. SHAKE128 and SHAKE256 have also been added to the lightweight API. The original implementation of the draft standard has been renamed to Keccak.

The CMS API now supports RFC 6211 for both SignedData and AuthenticatedData.

The ASN.1 parser for ECGOST private keys will now parse keys encoded with a private value represented as an ASN.1 INTEGER.

EAX mode and CMAC are now supported for ciphers such as SHACAL-2 and Threefish.

The SM4 block cipher has been added to the provider and the lightweight API.

X9.31, ISO9796/2, and PSS signature support has been added for SHA512/224, SHA512/256.

SubjectPublicKeyInfoFactory now supports DSA parameters.

A range of new algorithms is now supported for EC key agreement.

EC ContentSigners and EC ContentVerifiers have been added to the lightweight operator package in the PKIX APIs.

The PKCS#12 key store will now garbage collect orphaned certificates on saving.

Caching for ASN.1 ObjectIdentifiers has been rewritten to make use of an intern method. The "usual suspects" are now interned automatically, and the cache is used by the parser. Other OIDs can be added to the cache by calling ASN1ObjectIdentifier.intern().

2.14.4 Notes

Release: 1.53 Date: 2015, October 10

It turns out there was a similar, but different, issue in Crypto++ to the BC issue with ECIES. Crypto++ 6.0 now offers a corrected version of ECIES which is compatible with that which is now in BC.

2.15.1 Version

2.15.2 Defects Fixed

GenericSigner in the lightweight API would fail if the digest started with a zero byte, occasionally causing a TLS negotiation to fail. This has been fixed.

Some BC internal classes expected the BC provider to be accessible within the provider. This has been fixed.

Email based policy constraints in CertPath validation did not include '@'domain.name as a possible match. This has been fixed.

The Shacal2Engine would throw an ArrayIndexOutOfBoundsException if presented with input longer than a block size. This has been fixed.

Using PKCS5/PKCS7 with pad values greater than 127 would result in an exception on decryption. This has been fixed.

EC private key values could encode to an OCTET STRING which was shorter than that described in RFC 5915/SEC 1. This has been fixed.

Providing multiple trust anchors to the CertPath validator could cause a StackOverflowError on an invalid CertPath. This has been fixed.

TLS: bad-padding handling when encrypt-then-MAC enabled is now fixed.

ECDH KeyAgreement.init() was not properly honoring the JCE API in respect to non-null parameters. This has been fixed.

PKCS symmetric padding now takes into account pad lengths of more than 127 bytes.

Corrupted input to RFC5649WrapEngine could cause an out of memory error. This has been fixed.

OSGI import issues for bcmail have been fixed.

A badly formed issuer in a X.509 certificate could cause a null pointer exception in X509CertificateHolder.toString(). This has been fixed.

CMSSignedData.verifySignatures() could fail on a correct counter signature due to a mismatch of the SID. This has been fixed.

2.15.3 Additional Features and Functionality

The CMP support class CMPCertificate restricted the types of certificates that could be added. A more flexible method has been introduced to allow for other certificate types.

Support classes have been added for DNS-based Authentication of Named Entities (DANE) to the PKIX distribution.

Work has been done to reduce computation requirements for long skips associated with implementations of the SkippingCipher interface.

AES GCM mode is now supported by CMS EnvelopedData.

Iteration count is now settable in BcPKCS12MacCalculatorBuilder.

Support for BCrypt and its OpenBSD variant has been added to the lightweight API.

It's now possible to specify the direction of the underlying cipher used for key wrapping with NIST/RFC3394 wrappers.

TLS: server-side support for DHE key exchange.

TLS: server-side support for PSK and SRP ciphersuites.

TLS: (EC)DSA now supports signatures with non-SHA1 digests.

TLS: support for ECDHE_ECDSA/AES/CCM ciphersuites from RFC 7251.

Cipher.getIV() now returns nonces for AEAD modes.

OIDs for dhPublicNumber and dhKeyAgreement are now supported by the provider.

OIDs for several signature types using the RIPEMD family of digests have been added to the provider.

JcaJceUtils.getDigestAlgName() has been added to assist in converting OIDs representing message digests into JCA algorithm names.

BasicOCSPResp.getSignatureAlgorithmID() has been added to allow algorithm identifier details to be returned from a basic OCSP response.

Additional OIDs have been added for OCSP.

X509CRLObject.getSignAlgName() now attempts to return an actual name, rather than an OID, for the signature algorithm.

SignedMailValidator now pays attention to the date in the PKIXParameters object if it is set.

A missing signing time in a signature no longer causes SignedMailValidator to fail the signature; it provides a warning instead.

An AlgorithmNameFinder implementation has been added to the PKIX API to provide "human friendly" translations of algorithm OIDs.

Support has been added for X9.31-1998 DRBG and X9.31-1998 RSA signatures to the lightweight API and the provider.

CertPath validator will now make use of the issuer key identifier and the issuer name if a key identifier is available for the issuer.

Support for some JDK1.5+ language features has finally made its way into the repository.

2.15.4 Security Advisory

The CTR DRBGs would not populate some bytes in the requested block of random bytes if the size of the block requested was not an exact multiple of the block size of the underlying cipher being used in the DRBG. If you are using the CTR DRBGs with "odd" keysizes, we strongly advise upgrading to this release, or contacting us for a work around.

2.16.1 Version

2.16.2 Defects Fixed

The AEAD GCM AlgorithmParameters object was unable to return a GCMParameterSpec object. This has been fixed.

Cipher.getIV() was returning null for AEAD mode ciphers. This has been fixed.

CipherInputStream would fail for some AEAD mode ciphers if the message was over 4k in length. This has been fixed.

The JCE provider will now produce simple RSAPrivateKey objects where CRT coefficients are not provided.

PGP key signature certifications did not support DIRECT KEY signatures. This has been fixed.

User Attribute subpackets in PGP with long length encodings could result in certification verification failing. This has been fixed.

Calls to CommandMap.setDefaultCommandMap() in the SMIME API are now wrapped in doPrivileged() blocks to allow them to work with a security manager.

The encoding of the certificate_authorities field of a TLS CertificateRequest has been fixed.

EC point formats are now strictly enforced in the TLS API.

The provider implementation was failing to throw an exception if algorithm parameters were passed in when none were required for EC key agreement. This has been fixed.

PKCS#12 files containing keys/certificates with empty attribute sets attached to them no longer cause an ArrayIndexOutOfBoundsException to be thrown.

Issues with certificate verification and server side DTLS/TLS 1.2 have now been fixed.

2.16.3 Additional Features and Functionality

The range of key algorithm names that will be interpreted by KeyAgreement.generateSecret() has been expanded for ECDH derived algorithms in the provider. A KeyAgreement of ECDHwithSHA1KDF can now be explicitly created.

ECIES now supports the use of IVs with the underlying block cipher and CBC mode in both the lightweight and the JCE APIs.

Support has been added for RFC 5649 key wrapping using AES.

The PGP API now allows access and handling of User IDs as raw byte arrays, to deal with keyrings not using UTF-8.

The PGP API now provides automatic conversion of embedded signatures in signature sub-packet vectors.

The PGP API now fully supports ECDH as outlined in RFC 6637.

GCM and GMAC now support tag lengths down to 32 bits.

Custom implementations for many of the SEC Fp curves have been added, resulting in drastically improved performance. The current list includes all secp***k1 and secp***r1 curves from 192 to 521 bits. They can be accessed via the org.bouncycastle.crypto.ec.CustomNamedCurves class and are generally selected by other internal APIs in place of the generic implementations.

Automatic EC point validation added, both for decoded inputs and multiplier outputs.

A SkippingCipher interface has been added for ciphers that can be moved into a specific state for a given byte address. The lightweight class StreamBlockCipher has been generalised to support any BlockCipher object that can support a streaming mode.

ASN.1 date/time objects now support the passing in of a Locale to allow for constructing the object using a Date interpreted from a different locale to the default for the JVM.

The range of Diffie-Hellman OIDs recognised by the provider has been extended.

Some utility methods for interpreting OIDs have been exposed in the JcaJceUtils class.

A method has been added to CMSSignedData for replacing the OCSP responses associated with a signed message.

Use of RC2/RC4 in the CMS is now provider independent.

TlsInputStream now provides a means of supporting InputStream.available().

Dependencies on the JCA have been removed from PGPObjectFactory.

Further work has been done on improving key quality with EC and DSA algorithms.

KDFCounterBytesGenerator now supports suffix and prefix fixed input data, as outlined in NIST SP 800-108.

Support has been added to allow retrieval and resetting the internal state of the SHA/SHA-2 digests in the lightweight API using an encoded format.

BSI plain ECDSA is now supported by the provider.

The provider now advertises RSA PSS signature implementations directly using the standard naming.

Full support is now provided for client-side auth in the D/TLS server code.

Compatibility issues with some OSGI containers have been addressed.

2.16.4 Notes

Support for NTRUSigner has been deprecated as the algorithm has been withdrawn.

Some changes have affected the return values of some methods. If you are migrating from an earlier release, it is recommended to recompile before using this release.

There has been further clean out of deprecated methods in this release. If your code has previously been flagged as using a deprecated method you may need to change it. The OpenPGP API is the most heavily affected.

2.17.1 Version

2.17.2 Defects Fixed

The DualECSP800DRBG sometimes truncated the last block in the generated stream incorrectly. This has been fixed.

Keys produced from RSA certificates with specialised parameters would lose the parameter settings. This has been fixed.

OAEP parameters were being ignored on CMS key trans recipient processing. This has been fixed.

OpenPGP NotationData was restricting the name and value lengths to 255 characters and truncating silently. This has been fixed.

CTS mode is now in alignment with the errata for RFC 2040, as detailed in RFC 3962.

Occasionally the provider implementation of DH KeyAgreement would drop a leading zero byte off the start of the shared secret (see RFC 2631 2.1.2). This has been fixed.

RFC3394WrapEngine was ignoring the offset parameter inOff and using zero instead. This has been fixed.

GOST keys would not encode using the CryptoPro parameter set, even if it was available. This has been fixed.

The TimeStampRequest stream constructor was not setting the extensions field correctly. This has been fixed.

Default RC2 parameters for 40 bit RC2 keys in CMSEnvelopedData were encoding incorrectly. This has been fixed.

In case of a long hash the DSTU4145 implementation would sometimes remove one bit too much during truncation. This has been fixed.

2.17.3 Additional Features and Functionality

Additional work has been done on CMS recipient generation to simplify the generation of OAEP encrypted messages and allow for non-default parameters.

OCB implementation updated to account for changes in draft-irtf-cfrg-ocb-03.

RFC 6637 ECDSA and ECDH support has been added to the OpenPGP API.

Implementations of Threefish and Skein have been added to the provider and the lightweight API.

Implementations of the SM3 digest have been added to the provider and the lightweight API.

The 3 MAC based KDF generators in NIST SP 800-108 have been added to the lightweight API.

Support has been added for the GOST PKCS#5 PBKDF2 PBE function and handling of GOST PKCS#12 files.

Support has been added for the CryptoPro GOST CFB mode key meshing.

Implementations of XSalsa20 and ChaCha have been added. Support for reduced round Salsa20 has been added.

Support has been added for RFC 6979 Deterministic DSA/ECDSA to the provider and the lightweight API.

Support for RC2 and RC4 in the CMS API has been generalised to work for other JCE providers.

Support for the Poly1305 MAC has been added to the lightweight API and the JCE Provider.

OpenSSL JcaPEMKeyConverter now supports OIDs for RSA and DSA as well as ECDSA.

A simplified certificate path API has been added to the PKIX package. It is not fully NIST compliant yet, however it does provide a range of basic validations without having to use the JCA.

Package version information is now included in the jar MANIFEST.MF.

The JDK 1.5+ provider will now recognise and use GCMParameterSpec if it is run in a 1.7 JVM.

Client side support and some server side support has been added for TLS/DTLS 1.2.

2.17.4 Notes

org.bouncycastle.crypto.DerivationFunction is now a base interface; the getDigest() method now appears on DigestDerivationFunction.

Recent developments at NIST indicate that SHA-3 may be changed before final standardisation. Please bear this in mind if you are using it.

Other recent developments have raised concerns about the DualECDRBG. We have left the class in place for now, but it is now possible to provide your own parameter values, rather than using the NIST defined ones, if you choose to do so.

Most deprecated methods have been removed from the PKIX API.

As the IDEA patent has finally expired, IDEA is now supported by the standard provider.

ECDH support for OpenPGP should still be regarded as experimental. It is still possible there will be compliance issues with other implementations.

2.18.1 Version

2.18.2 Defects Fixed

Occasional ArrayOutOfBounds exception in DSTU-4145 signature generation has been fixed.

The handling of escaped characters in X500 names is much improved.

The BC CertificateFactory no longer returns null for CertificateFactory.getCertPathEncodings().

PKCS10CertificationRequestBuilder now encodes no attributes as empty by default. Encoding as absent is still available via a boolean flag.

DERT61String has been reverted back to its previous implementation. A new class DERT61UTF8String has been introduced which defaults to UTF-8 encoding.

OAEPEncoding could throw an array output bounds exception for small keys with large mask function digests. This has been fixed.

PEMParser would throw a NullPointerException if it ran into explicit EC curve parameters, and it would also throw an Exception if the named curve was not already defined. The parser now returns X9ECParameters for explicit parameters and an ASN1ObjectIdentifier for a named curve.

The V2TBSCertListGenerator was adding the wrong date type for CRL invalidity date extensions. This has been fixed.

2.18.3 Additional Features and Functionality

A SecretKeyFactory has been added that enables use of PBKDF2WithHmacSHA.

Support has been added to PKCS12 KeyStores and PfxPdu to handle PKCS#5 encrypted private keys.

Support has been added for SHA-512/224, SHA-512/256, as well as a general SHA-512/t in the lightweight API.

The JcaPGPPrivateKey class has been added to provide better support in the PGP API for HSM private keys.

A new KeyStore type, BKS-V1, has been added for people needing to create key stores compatible with earlier versions of Bouncy Castle.

Some extra generation methods have been added to TimeStampResponseGenerator to allow more control in the generation of TimeStampResponses.

It is now possible to override the SignerInfo attributes during TimeStampTokenGeneration.

The TSP API now supports generation of certIDs based on digests other than SHA-1.

OCSP responses can now be included in CMS SignedData objects.

The SipHash MAC algorithm has been added to the lightweight API and the provider.

ISO9796-2 PSS signatures can now be initialised with a signature to allow the signer to deal with odd recovered message lengths on verification.

The 4 DRBGs described in NIST SP 800-90A have been added to the prng package together with SecureRandom builders.

Support has been added for OCB mode in the lightweight API.

DSA version 2 parameter and key generation is now supported in the provider and lightweight API.

A new interface Memoable has been added for objects that can copy in and out their state. The digest classes now support this. A special class NonMemoableDigest has been added which hides the Memoable interface where it should not be available.

TDEA is now recognised as an alias for DESede.

A new package org.bouncycastle.crypto.ec has been introduced to the lightweight API with a range of EC based cryptographic operators.

The OpenPGP API now supports password changing on V3 keys if the appropriate PBEKeyEncryptor is used.

The OpenPGP API now supports password changing on secret key rings where only the private keys for the subkeys have been exported.

Support has been added to the lightweight API for RSA-KEM and ECIES-KEM.

Support has been added for NIST SP 800-38D - GMAC to AES and other 128 bit block size algorithms.

The org.bouncycastle.crypto.tls package has been extended to support client and server side TLS 1.1.

The org.bouncycastle.crypto.tls package has been extended to support client and server side DTLS 1.0.

A basic commitment package has been introduced into the lightweight API containing a digest based commitment scheme.

It is now possible to set the NotAfter and NotBefore date in the CRMF CertificateRequestMessageBuilder class.

2.18.4 Notes

The NTRU implementation has been moved into the org.bouncycastle.pqc package hierarchy.

The change to PEMParser to support explicit EC curves is not backward compatible. If you run into a named curve you need to use org.bouncycastle.asn1.x9.ECNamedCurveTable.getByOID() to look the curve up if required.

2.19.1 Version

2.19.2 Defects Fixed

Occasional key compatibility issues in IES due to variable length keys have been fixed.

PEMWriter now recognises the new PKCS10CertificationRequest object.

The provider implementation for RSA now resets when the init method is called.

SignerInformation has been rewritten to better support signers without any associated signed attributes.

An issue with an incorrect version number of SignedData associated with the use of SubjectKeyIdentifiers has now been fixed.

An issue with the equals() check in BCStrictStyle has been fixed.

The BC SSL implementation has been modified to deal with the "Lucky Thirteen" attack.

A regression in 1.47 which prevented key wrapping with regular symmetric PBE algorithms has been fixed.

2.19.3 Additional Features and Functionality

IES now supports auto generation of ephemeral keys in both the JCE and the lightweight APIs.

A new class PEMParser has been added to return the new CertificateHolder and Request objects introduced recently.

An implementation of Password Authenticated Key Exchange by Juggling (J-PAKE) has now been added to the lightweight API.

Support has now been added for the DSTU-4145-2002 to the lightweight API and the provider.

The BC X509Certificate implementation now provides support for the JCA methods X509Certificate.getSubjectAlternativeNames() and X509Certificate.getIssuerAlternativeNames().

PEMReader can now be configured to support different providers for encryption and public key decoding.

Some extra DSA OIDs have been added to the supported list for the provider.

The BC provider will now automatically try to interpret other provider software EC private keys. It is no longer necessary to use a KeyFactory for conversion.

A new provider, the BCPQ (for BC Post Quantum) provider has been added with support for the Rainbow signature algorithm and the McEliece family of encryption algorithms.

Support has been added for the SHA3 family of digests to both the provider and the lightweight API.

T61String now uses UTF-8 encoding by default rather than a simple 8 bit transform.

2.20.1 Version

2.20.2 Defects Fixed

OpenPGP ID based certifications now support UTF-8. Note: this may mean that some old certifications no longer validate. If this happens, a retry can be added by converting the ID using Strings.fromByteArray(Strings.toByteArray(id)); this strips out the top byte of each character.

IPv4/IPv6 parsing in CIDR no longer assumes octet boundaries on a mask.

The CRL PKIX routines will now only rebuild the CRL as a last resort when looking for the certificate issuer.

The DEK-Info header in PEM generation was lower case. It is now upper case in accordance with RFC 1421.

An occasional issue causing an OutOfMemoryException for PGP compressed data generation has now been fixed.

An illegal argument exception that could occur with multi-valued RDNs in the X509v3CertificateBuilder has been fixed.

Shared secret calculation in IES could occasionally add a leading zero byte. This has been fixed.

PEMReader would choke on a private key with an empty password. This has been fixed.

The default MAC for a BKS key store was 2 bytes; this has been upgraded to 20 bytes. This fix is now also referred to in CVE-2018-5382.

BKS key store loading no longer freezes on negative iteration counts.

A regression in 1.46 which prevented parsing of PEM files with extra text at the start has been fixed.

CMS secret key generation now attempts to stop use of invalid lengths with OIDs that predefine a key length.

Check of DH parameter L could reject some valid keys. This is now fixed.

2.20.3 Additional Features and Functionality

Support is now provided via the RepeatedKey class to enable IV only re-initialisation in the JCE layer. The same effect can be achieved in the lightweight API by using null as the key parameter when creating a ParametersWithIV object.

CRMF now supports empty poposkInput.

The OpenPGP API now supports operator based interfaces for most operations and lightweight implementations have been added for JCE related functionality.

JcaSignerId and JceRecipientId will now match on serial number, issuer, and the subject key identifier if it's available.

CMS Enveloped and AuthenticatedData now support OriginatorInfo.

NTRU encryption and signing is now provided in the lightweight source and the ext version of the provider.

There is now API support for Extended Access Control (EAC).

The performance of CertPath building and validation has been improved.

The TLS Java Client API has been updated to make support for GSI GSSAPI possible.

Support for ECDSA_fixed_ECDH authentication has been added to the TLS client.

Support for the Features signature sub-packet has been added to the PGP API.

The number of lightweight operators for PGP and CMS/SMIME has been increased.

Classes involved in CRL manipulation have been rewritten to reduce memory requirements for handling and parsing extremely large CRLs.

RFC 5751 changed the definition of the micalg parameters defined in RFC 3851. The SMIMESignedGenerator is now up to date with the latest micalg parameter set and a constructor has been added to allow the old micalg parameter set to be used.

An operator based framework has been added for processing PKCS#8 and PKCS#12 files.

The J2ME lcrypto release now includes higher level classes for handling PKCS, CMS, CRMF, CMP, EAC, OpenPGP, and certificate generation.

2.20.4 Other notes

Release: 1.52 Date: 2015, March 2
Release: 1.51 Date: 2014, July 28
Release: 1.50 Date: 2013, December 3
Release: 1.49 Date: 2013, May 31
Release: 1.48 Date: 2013, February 10
Release: 1.47 Date: 2012, March 30

Okay, so we have had to do another release. The issue we have run into is that we probably didn't go far enough in 1.46, but we are now confident that moving from this release to 2.0 should be largely just getting rid of deprecated methods. While this release does change a lot it is relatively straightforward to do a port and we have a porting guide which explains the important ones. The area with the most change is the ASN.1 library, which was in bad need of a rewrite after 10 years of patching. On the bright side the rewrite did allow us to eliminate a few problems and bugs in the ASN.1 library, so we have some hope anyone porting to it will also have similar benefits. As with 1.46 the other point of emphasis has been making sure interface support is available for operations across the major APIs, so the lightweight API or some local roll-your-own methods can be used instead for doing encryption and signing.

2.21.1 Version

2.21.2 Defects Fixed

An edge condition in ECDSA which could result in an invalid signature has been fixed.

Exhaustive testing has been performed on the ASN.1 parser, eliminating another potential OutOfMemoryException and several escaping run time exceptions.

BC generated certificates generated different hashCodes from other equivalent implementations. This has been fixed.

Parsing an ESSCertIDv2 would fail if the object did not include an IssuerSerialNumber. This has been fixed.

DERGeneralizedTime.getDate() would produce incorrect results for fractional seconds. This has been fixed.

PSSSigner would produce incorrect results if the MGF digest and content digest were not the same. This has been fixed.

2.21.3 Additional Features and Functionality

A null genTime can be passed to TimeStampResponseGenerator.generate() to generate timeNotAvailable error responses.

Support has been added for reading and writing of openssl PKCS#8 encrypted keys.

New streams have been added for supporting general creation of PEM data, and allowing for estimation of output size on generation. Generators have been added for some of the standard OpenSSL objects.

CRL searching for CertPath validation now supports the optional algorithm given in Section 6.3.3 of RFC 5280, allowing the latest CRL to be used for a set time providing the certificate is unexpired.

AES-CMAC and DESede-CMAC have been added to the JCE provider.

Support for CRMF (RFC 4211) and CMP (RFC 4210) has been added.

BufferedBlockCipher will now always reset after a doFinal().

Support for CMS TimeStampedData (RFC 5544) has been added.

JCE EC keypairs are now serialisable.

TLS now supports client-side authentication.

TLS now supports compression.

TLS now supports ECC cipher suites (RFC 4492).

PGP public subkeys can now be separately decoded and encoded.

An IV can now be passed to an ISO9797Alg3Mac.

2.21.4 Other notes

Release: 1.46 Date: 2011, February 23

Barring security patches we expect 1.46 will be the last of the 1.* releases. The next release of BC will be version 2.0. For this reason a lot of things in 1.46 that relate to CMS have been deprecated and new methods have been added to the CMS and certificate handling APIs which provide greater flexibility in how digest and signature algorithms get used. It is now possible to use the lightweight API or a simple custom API with CMS and for certificate generation. In addition a lot of methods and some classes that were deprecated for reasons of being confusing, or in some cases just plain wrong, have been removed.

So there are four things useful to know about this release:

It's not a simple drop in like previous releases; if you wish to migrate to it you will need to recompile your application.

If you avoid deprecated methods it should be relatively painless to move to version 2.0.

The X509Name class will ultimately be replaced with the X500Name class; the getInstance() methods on both of these classes allow conversion from one type to the other.

The org.bouncycastle.cms.RecipientId class now has a collection of subclasses to allow for more specific recipient matching. If you are creating your own recipient ids you should use the constructors for the subclasses rather than relying on the set methods inherited from X509CertSelector. The dependencies on X509CertSelector and CertStore will be removed from the version 2 CMS API.

2.22.1 Version

2.22.2 Defects Fixed

OpenPGP now supports UTF-8 in file names for literal data.

The ASN.1 library was losing track of the stream limit in a couple of places, leading to the potential of an OutOfMemoryError on a badly corrupted stream. This has been fixed.

The provider now uses a privileged block for initialisation.

JCE/JCA EC keys are now serialisable.

2.22.3 Additional Features and Functionality

Support for EC MQV has been added to the light weight API, provider, and the CMS/SMIME library.

2.22.4 Security Advisory

This version of the provider has been specifically reviewed to eliminate possible timing attacks on algorithms such as GCM and CCM mode.

2.22.1 Version

2.22.2 Defects Fixed

The reset() method in BufferedAsymmetricBlockCipher is now fully clearing the buffer.

Use of ImplicitlyCA with KeyFactory and Sun keyspec no longer causes NullPointerException.

X509DefaultEntryConverter was not recognising telephone number as a PrintableString field. This has been fixed.

The SecureRandom in the J2ME was not using a common seed source, which made cross seeding of SecureRandom's impossible. This has been fixed.

Occasional uses of "private final" on methods were causing issues with some J2ME platforms. The use of "private final" on methods has been removed.

NONEwithDSA was not resetting correctly on verify() or sign(). This has been fixed.

Fractional seconds in a GeneralisedTime were resulting in incorrect date conversions if more than 3 decimal places were included due to the Java date parser. Fractional seconds are now truncated to 3 decimal places on conversion.

The micAlg in S/MIME signed messages was not always including the hash algorithm for previous signers. This has been fixed.

SignedMailValidator was only including the From header and ignoring the Sender header in validating the email address. This has been fixed.

The PKCS#12 keystore would throw a NullPointerException if a null password was passed in. This has been fixed.

CertRepMessage.getResponse() was attempting to return the wrong underlying field in the structure. This has been fixed.

PKIXCertPathReviewer.getTrustAnchor() could occasionally cause a null pointer exception or an exception due to conflicting trust anchors. This has been fixed.

Handling of explicit CommandMap objects with the generation of S/MIME messages has been improved.

2.22.3 Additional Features and Functionality

PEMReader/PEMWriter now support encrypted EC keys.

BC generated EC private keys now include optional fields required by OpenSSL.

Support for PSS signatures has been added to CMS and S/MIME.

CMS processing will attempt to recover if there is no AlgorithmParameters object for a provider and use an IvParameterSpec where possible.

CertificateID always required a provider to be explicitly set. A null provider is now interpreted as a request to use the default provider.

SubjectKeyIdentifier now supports both methods specified in RFC 3280, section 4.2.1.2 for generating the identifier.
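The two derivations referred to above, as an added illustration that is not Bouncy Castle's code: RFC 3280, section 4.2.1.2 gives method 1 (the SHA-1 of the subjectPublicKey BIT STRING value) and method 2 (a 4-bit type field 0100 followed by the least significant 60 bits of that SHA-1). The input is assumed to be the value octets of the BIT STRING, without tag, length and unused-bits byte; the sample key bytes are constructed, not a real key.

```python
"""Added example (not Bouncy Castle code): the two SubjectKeyIdentifier
derivations from RFC 3280, section 4.2.1.2.  The input is the value octets of
the subjectPublicKey BIT STRING (no tag, length or unused-bits byte)."""
import hashlib


def ski_method1(subject_public_key: bytes) -> bytes:
    """Method 1: the 160-bit SHA-1 hash of the subjectPublicKey value."""
    return hashlib.sha1(subject_public_key).digest()


def ski_method2(subject_public_key: bytes) -> bytes:
    """Method 2: the 4-bit type field 0100 followed by the least significant
    60 bits of the SHA-1 hash, packed into 8 octets."""
    digest = int.from_bytes(hashlib.sha1(subject_public_key).digest(), "big")
    low60 = digest & ((1 << 60) - 1)
    return ((0x4 << 60) | low60).to_bytes(8, "big")


def matches_method(identifier: bytes, subject_public_key: bytes) -> str:
    """Report which derivation an observed keyIdentifier corresponds to, or
    'other' if neither.  A CA may use any unique value, so this is only a hint
    when auditing how a certificate's key identifiers were produced."""
    if identifier == ski_method1(subject_public_key):
        return "method1"
    if identifier == ski_method2(subject_public_key):
        return "method2"
    return "other"


# Constructed sample key bytes (not a real key) so the example runs offline.
SAMPLE_SPK = bytes(range(1, 66))

if __name__ == "__main__":
    print("method 1:", ski_method1(SAMPLE_SPK).hex())
    print("method 2:", ski_method2(SAMPLE_SPK).hex())
```

Both functions hash the same bytes; method 2 simply keeps the low nibble of byte 12 and bytes 13 to 19 of that hash under a fixed 0100 type nibble, so the two identifiers for one key share their last 60 bits.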

Performance of GCM mode has been greatly improved (on average 10x).

The BC provider has been updated to support the JSSE in providing ECDH.

Support for mac lengths of 96, 104, 112, and 120 bits has been added to existing support for 128 bits in GCMBlockCipher.

General work has been done on trying to propagate exception causes more effectively.

Support for loading GOST 34.10-2001 keys has been improved in the provider.

Support for raw signatures has been extended to RSA and RSA-PSS in the provider. RSA support can be used in CMSSignedDataStreamGenerator to support signatures without signed attributes.

2.23.1 Version

2.23.2 Defects Fixed

Multiple countersignature attributes are now correctly collected.

Two bugs in HC-128 and HC-256 related to sign extension and byte swapping have been fixed. The implementations now pass the latest ecrypt vector tests.

X509Name.hashCode() is now consistent with equals.

2.23.3 Security Advisory

The effect of the sign extension bug was to decrease the key space the HC-128 and HC-256 ciphers were operating in and the byte swapping inverted every 32 bits of the generated stream. If you are using either HC-128 or HC-256 you must upgrade to this release.

2.24.1 Version

2.24.2 Defects Fixed

A NullPointerException which could result from generating a Diffie-Hellman key has been fixed.

CertPath validation could occasionally mistakenly identify a delta CRL. This has been fixed.

'=' inside an X509Name/X509Principal was not being properly escaped. This has been fixed.

ApplicationSpecific ASN.1 tags are now recognised in BER data. The getObject() method now handles processing of arbitrary tags.

X509CertStoreSelector.getInstance() was not propagating the subjectAlternativeNames attribute. This has been fixed.

Use of the BC PKCS#12 implementation required the BC provider to be registered explicitly with the JCE. This has been fixed.

OpenPGP now fully supports use of the Provider object.

CMS now fully supports use of the Provider object.

Multiplication by negative powers of two is fixed in BigInteger.

OptionalValidity now encodes correctly.

2.24.3 Additional Features and Functionality

Support for NONEwithECDSA has been added.

Support for Grainv1 and Grain128 has been added.

Support for EAC algorithms has been added to CMS/SMIME.

Support for basic CMS AuthenticatedData has been added to the CMS package.

Jars are now packaged using pack200 for JDK1.5 and JDK 1.6.

ASN1Dump now supports a verbose mode for displaying the contents of octet and bit strings.

Support for the SRP-6a protocol has been added to the lightweight API.

2.25.1 Version

2.25.2 Defects Fixed

The GeneralName String constructor now supports IPv4 and IPv6 address parsing.

An issue with nested-multiparts with postamble for S/MIME that was causing signatures to fail verification has been fixed.

ESSCertIDv2 encoding now complies with RFC 5035.

ECDSA now computes correct signatures for oversized hashes when the bit length of the base point's order is not a multiple of 8, in compliance with X9.62-2005.
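The rule behind that fix, as an added example that is not Bouncy Castle's code: X9.62-2005 (and FIPS 186-4) take only the leftmost min(bitlen(n), bitlen(H)) bits of the digest to form the integer e, so when bitlen(n) is not a multiple of 8 the cut falls inside a byte and must be done with a bit shift. The order and digest values below are constructed stand-ins, not a real curve order or hash output; the byte-wise variant is included purely for contrast and is not a claim about what any particular implementation did.

```python
"""Added example (not Bouncy Castle code): the X9.62-2005 / FIPS 186-4 rule for
turning a message digest into the integer e used in ECDSA when the digest is
longer than the bit length of the base point order n."""


def digest_to_e(digest: bytes, n: int) -> int:
    """Return e, the integer formed from the leftmost min(bitlen(n), 8*len(digest))
    bits of the digest.  When bitlen(n) is not a multiple of 8 the excess must be
    removed with a bit shift; cutting to whole bytes yields a different e."""
    e = int.from_bytes(digest, "big")
    excess_bits = 8 * len(digest) - n.bit_length()
    if excess_bits > 0:
        e >>= excess_bits          # oversized digest: drop the rightmost bits
    return e                       # used as (e + d*r) mod n in the signing equation


def bytewise_truncation(digest: bytes, n: int) -> int:
    """Incorrect variant kept for contrast: truncate to whole bytes first.
    Agrees with digest_to_e only when bitlen(n) is a multiple of 8."""
    keep = (n.bit_length() + 7) // 8
    return int.from_bytes(digest[:keep], "big")


# Constructed stand-ins: a 163-bit "order" and a 256-bit "digest" (neither is a
# real curve or hash value).  163 is not a multiple of 8, so the two functions differ.
SAMPLE_N = (1 << 162) | 1
SAMPLE_DIGEST = b"\xff" * 32

if __name__ == "__main__":
    print(digest_to_e(SAMPLE_DIGEST, SAMPLE_N).bit_length())        # 163
    print(bytewise_truncation(SAMPLE_DIGEST, SAMPLE_N).bit_length())  # 168
```

Two implementations that disagree on e produce signatures that fail to verify against each other, which is exactly the interoperability symptom the note describes; a digest shorter than n is used whole in both variants.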

J2ME SecureRandom now provides additional protection against predictive and backtracking attacks when high volumes of random data are generated.

Fix to regression from 1.38: PKIXCertPathCheckers were not being called on intermediate certificates.

Standard name "DiffieHellman" is now supported in the provider.

Better support for equality tests for '#' encoded entries has been added to X509Name.

2.25.3 Additional Features and Functionality

Camellia is now 12.5% faster than previously.

A smaller version (around 8k compiled) of Camellia, CamelliaLightEngine has also been added.

CMSSignedData generation now supports SubjectKeyIdentifier as well as use of issuer/serial.

A CMSPBE key holder for UTF8 keys has been added to the CMS API.

Salt and iteration count can now be recovered from PasswordRecipientInformation.

Methods in the OpenPGP, CMS, and S/MIME APIs which previously could only take provider names can now take providers objects as well (JDK1.4 and greater).

Support for reading and extracting personalised certificates in PGP Secret Key rings has been added.

2.26.1 Version

2.26.2 Defects Fixed

EAX mode ciphers were not resetting correctly after a doFinal/reset. This has been fixed.

The SMIME API was failing to verify doubly nested multipart objects in signatures correctly. This has been fixed.

Some boolean parameters to IssuingDistributionPoint were being reversed. This has been fixed.

A zero length RDN would cause an exception in an X509Name. This has been fixed.

Passing a null to ExtendedPKIXParameters.setTrustedACIssuers() would cause a NullPointerException. This has been fixed.

CertTemplate was incorrectly encoding issuer and subject fields when set.

hashCode() for X509CertificateObject was very poor. This has been fixed.

Specifying a greater than 32bit length for a stream and relying on the default BCPGOutputStream resulted in corrupted data. This has been fixed.

PKCS7Padding validation would not fail if pad length was 0. This has been fixed.
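An added example of the check in question, written here for illustration and not taken from Bouncy Castle: a PKCS#7 unpadder that rejects a pad length of 0 (the case the note says used to pass) as well as out-of-range and inconsistent pad bytes. The block size default of 16 is an assumption for the sample inputs.

```python
"""Added example (not Bouncy Castle code): PKCS#7 padding validation that
rejects a pad length of 0 along with out-of-range and inconsistent pad bytes."""


def pkcs7_pad(data: bytes, block_size: int = 16) -> bytes:
    """Append n bytes of value n, where 1 <= n <= block_size (never 0)."""
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_padding_is_valid(data: bytes, block_size: int = 16) -> bool:
    """Validate the trailing padding of a whole-block message.

    Every byte of the last block is inspected regardless of where the first
    mismatch sits, so the check costs the same for any malformed input.
    """
    if block_size < 1 or block_size > 255:
        raise ValueError("block size must be 1..255")
    if not data or len(data) % block_size != 0:
        return False
    n = data[-1]
    # Pad length 0 means "no pad bytes", which PKCS#7 never produces; a check
    # written only as `n <= block_size` lets it through.
    bad = int(n == 0) | int(n > block_size)
    for i in range(1, block_size + 1):
        in_pad = int(i <= n)
        bad |= in_pad & int(data[-i] != n)
    return bad == 0


def pkcs7_unpad(data: bytes, block_size: int = 16) -> bytes:
    """Strip the padding, raising on anything pkcs7_padding_is_valid rejects."""
    if not pkcs7_padding_is_valid(data, block_size):
        raise ValueError("invalid PKCS#7 padding")
    return data[:-data[-1]]


if __name__ == "__main__":
    # Constructed inputs: a good block, a zero pad length, and an inconsistent pad.
    for sample in (pkcs7_pad(b"abc"), b"\x00" * 16, b"A" * 15 + b"\x02"):
        print(sample.hex(), pkcs7_padding_is_valid(sample))
```

Accepting a pad length of 0 would return the whole final block as plaintext, so a decryptor would hand back one block of trailing bytes the sender never intended to be data; the validity predicate is kept separate from the unpad step so it can be tested on its own.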

javax.crypto classes no longer appear in the JDK 1.3 provider jar.

Signature creation time was not being properly initialised in new V4 PGP signature objects although the encoding was correct. This has been fixed.

The '+' character can now be escaped or quoted in the constructors for X509Name and X509Principal.

Fix to regression from 1.38: PKIXCertPathValidatorResult.getPublicKey was returning the wrong public key when the BC certificate path validator was used.

2.26.3 Additional Features and Functionality

Galois/Counter Mode (GCM) has been added to the lightweight API and the JCE provider.

SignedPublicKeyAndChallenge and PKCS10CertificationRequest can now take null providers if you need to fall back to the default provider mechanism.

The TSP package now supports validation of responses with V2 signing certificate entries.

Unnecessary local ID attributes on certificates in PKCS12 files are now automatically removed.

The PKCS12 store types PKCS12-3DES-3DES and PKCS12-DEF-3DES-3DES have been added to support generation of PKCS12 files with both certificates and keys protected by 3DES.

2.26.4 Additional Notes

Due to problems for some users caused by the presence of the IDEA algorithm, an implementation is no longer included in the default signed jars. Only the providers of the form bcprov-ext-*-*.jar now include IDEA.

2.27.1 Version

2.27.2 Defects Fixed

A bug causing the odd NullPointerException has been removed from the LocalizedMessage class.

IV handling in CMS for the SEED and Camellia was incorrect. This has been fixed.

ASN.1 stream parser now throws exceptions for unterminated sequences.

EAX mode was not handling non-zero offsetted data correctly and failing. This has been fixed.

The BC X509CertificateFactory now handles multiple certificates and CRLs in streams that don't support marking.

The BC CRL implementation could lead to a NullPointer exception being thrown if critical extensions were missing. This has been fixed.

Some ASN.1 structures would cause a class cast exception in AuthorityKeyIdentifier. This has been fixed.

The CertID class used by the TSP library was incomplete. This has been fixed.

A system property check in PKCS1Encoding could cause an AccessControlException under some circumstances. This has been fixed.

A decoding issue with a mis-identified tagged object in CertRepMessage has been fixed.

\# is now properly recognised in the X509Name class.

2.27.3 Additional Features and Functionality

Certifications associated with user attributes can now be created, verified and removed in OpenPGP.

API support now exists for CMS countersignature reading and production.

The TSP package now supports parsing of responses with V2 signing certificate entries.

Lazy evaluation of DER sequences has been introduced to ASN1InputStream to allow support for larger sequences.

KeyPurposeId class has been updated for RFC 4945.

CertPath processing has been further extended to encompass the NIST CertPath evaluation suite.

Initial support has been added for HP_CERTIFICATE_REQUEST in the TLS API.

Providers for JDK 1.4 and up now use SignatureSpi directly rather than extending Signature. This is more in track with the way dynamic provider selection now works.

PGP example programs now handle blank names in literal data objects.

The ProofOfPossession class now better supports the underlying ASN.1 structure.

Support has been added to the provider for the VMPC MAC.

2.28.1 Version

2.28.2 Defects Fixed

SMIME signatures containing non-standard quote-printable data could be altered by SMIME encryption. This has been fixed.

CMS signatures that do not use signed attributes were vulnerable to one of Bleichenbacher's RSA signature forgery attacks. This has been fixed.

The SMIMESignedParser(Part) constructor was not producing a content body part that cleared itself after writeTo() as indicated in the JavaDoc. This has been fixed.

BCPGInputStream now handles data blocks in the 2**31->2**32-1 range.

A bug causing second and later encrypted objects to be ignored in KeyBasedFileProcessor example has been fixed.

Value of the TstInfo.Tsa field is now directly accessible from TimeStampTokenInfo.

Generating an ECGOST-3410 key using an ECGenParameterSpec could cause a ClassCastException in the key generator. This has been fixed.

Use of the parameters J and L in connection with Diffie-Hellman parameters in the light weight API was ambiguous and confusing. This has been dealt with.

Some entities were not fully removed from a PKCS#12 file when deleted due to case issues. This has been fixed.

Overwriting entities in a PKCS#12 file was not fully compliant with the JavaDoc for KeyStore. This has been fixed.

TlsInputStream.read() could appear to return end of file when end of file had not been reached. This has been fixed.

2.28.3 Additional Features and Functionality

Buffering in the streaming CMS has been reworked. Throughput is now usually higher and the behaviour is more predictable.

It's now possible to pass a table of hashes to a CMS detached signature rather than having to always pass the data.

Classes supporting signature policy and signer attributes have been added to the ASN.1 ESS/ESF packages.

Further work has been done on optimising memory usage in ASN1InputStream. In some cases memory usage has been reduced to 25% of previous.

Pre-existing signers can now be added to the SMIMESignedGenerator.

Support has been added to the provider for the VMPC stream cipher.

CertPathReviewer has better handling for problem trust anchors.

Base64 encoder now does initial size calculations to try to improve resource usage.

2.30.1 Version

2.30.2 Defects Fixed

The ClearSignedFileProcessor example for OpenPGP did not take into account trailing white space in the file to be signed. This has been fixed.

A possible infinite loop in the CertPathBuilder and SignedMailValidator has been removed.

Requesting DES, DESede, or Blowfish keys using regular Diffie-Hellman now returns the same length keys as the regular JCE provider.

Some uncompressed EC certificates were being interpreted as compressed and causing an exception. This has been fixed.

Adding a CRL with no revocations on it to the CRL generator could cause an exception to be thrown. This has been fixed.

Using the default JDK provider with the CMS library would cause exceptions in some circumstances. This has been fixed.

BC provider DSAKeys are now serializable.

Using only a non-sha digest in S/MIME signed data would produce a corrupt MIME header. This has been fixed.

The default private key length in the lightweight API for generated Diffie-Hellman parameters was absurdly small; this has been fixed.

Cipher.getParameters() for PBEwithSHAAndTwofish-CBC was returning null after intialisation. This has been fixed.

2.30.3 Additional Features and Functionality

The block cipher mode CCM has been added to the provider and light weight API.

The block cipher mode EAX has been added to the provider and light weight API.

The stream ciphers HC-128 and HC-256 have been added to the provider and lightweight API.

The stream cipher ISAAC has been added to the lightweight API.

Support for producing and parsing notation data signature subpackets has been added to OpenPGP.

Support for implicit tagging has been added to DERApplicationSpecific.

CMS better supports basic Sun provider.

A full set of SEC-2 EC curves is now provided in the SEC lookup table.

Specifying a null provider in CMS now always uses the default provider, rather than causing an exception.

Support has been added to the OpenPGP API for parsing experimental signatures.

CertPath validator now handles inherited DSA parameters and a wider range of name constraints.

Further work has been done on improving the performance of ECDSA - it is now about two to six times faster depending on the curve.

The Noekeon block cipher has been added to the provider and the lightweight API.

Certificate generation now supports generation of certificates with an empty Subject if the subjectAlternativeName extension is present.

The JCE provider now supports RIPEMD160withECDSA.

2.31.1 Version

2.31.2 Defects Fixed

DSA key generator now checks range and keysize.

Class loader issues with i18n classes should now be fixed.

X.500 name serial number values are now output in the unambiguous long form SERIALNUMBER.

The fix for multipart messages with mixed content-transfer-encoding in 1.35 caused a regression for processing some messages with embedded multiparts that contained blank lines of preamble text; this should now be fixed.

Another regression which sometimes affected the SMIMESignedParser has also been fixed.

SharedFileInputStream compatibility issues with JavaMail 1.4 have been addressed.

JDK 1.5 and later KeyFactory now accepts ECPublicKey/ECPrivateKey to translateKey.

JDK 1.5 and later KeyFactory now produces ECPublicKeySpec/ECPrivateKeySpec on getKeySpec.

Some surrogate pairs were not assembled correctly by the UTF8 decoder. This has been fixed.

Alias resolution in PKCS#12 is now case insensitive.

2.31.3 Additional Features and Functionality

CMS/SMIME now supports basic EC KeyAgreement with X9.63.

CMS/SMIME now supports RFC 3211 password based encryption.

Support has been added for certificate, CRL, and certification request generation for the regular SHA algorithms with RSA-PSS.

Further work has been done in speeding up prime number generation in the lightweight BigInteger class.

Support for the SEED algorithm has been added to the provider and the lightweight API.

Support for the Salsa20 algorithm has been added to the provider and the lightweight API.

CMS/SMIME now support SEED and Camellia.

A table of TeleTrusT curves has been added.

CMSSignedData creation and Collection CertStore now preserve the order of certificates/CRLs if the backing collection is ordered.

CMS Signed objects now use BER encoding for sets containing certificates and CRLs, allowing specific ordering to be specified for the objects contained.

CMS enveloped now works around providers which throw UnsupportedOperationException if key wrap is attempted.

DSASigner now handles long messages. SHA2 family digest support for DSA has been added to the provider.

2.32.1 Version

2.32.2 Defects Fixed

Test data files are no longer in the provider jars.

SMIMESignedParser now handles indefinite length data in SignerInfos.

Under some circumstances the SMIME library was failing to canonicalize mixed-multipart data correctly. This has been fixed.

The l parameter was being ignored for the DH and ElGamal key generation. This has been fixed.

The ASN1Sequence constructor for OtherRecipientInfo was broken. It has been fixed.

Regression - DN fields SerialNumber and Country were changed to encode as UTF8String in 1.34 in the X509DefaultEntryConverter, these now encode as PrintableString.

CMSSignedData.replaceSigners() was not replacing the digest set as well as the signers. This has been fixed.

DERGeneralizedTime produced a time string without a GMT offset if they represented local time. This has been fixed.

Some temp files were still being left on Windows by the SMIME library. All of the known problems have been fixed.

Comparing ASN.1 object for equality would fail in some circumstances. This has been fixed.

The IESEngine could incorrectly encrypt data when used in block cipher mode. This has been fixed.

An error in the encoding of the KEKRecipientInfo has been fixed. Compatibility warning: this may mean that versions of BC mail prior to 1.35 will have trouble processing KEK messages produced by 1.35 or later.

2.32.3 Additional Features and Functionality

Further optimisations to elliptic curve math libraries.

API now incorporates a CertStore which should be suitable for use with LDAP.

The streaming ASN.1 API is now integrated into the base one, the sasn1 package has been deprecated.

The OpenPGP implementation now supports SHA-224 and BZIP2.

The OpenPGP implementation now supports SHA-1 checksumming on secret keys.

The JCE provider now does RSA blinding by default.

CMSSignedDataParser now provides methods for replacing signers and replacing certificates and CRLs.

A generic store API has been added to support CRLs, Certificates and Attribute certificates.

The CMS/SMIME API now supports inclusion and retrieval of version 2 attribute certificates.

Support for generating CertificationRequests and Certificates has been added for GOST-3410-2001 (ECGOST).

CMS/SMIME now support ECGOST.

Basic BER Octet Strings now encode in a canonical fashion by default.

DERUTCTime can now return Date objects.

Validating constructors have been added to DERPrintableString, DERIA5String, and DERNumericString.

A lightweight API for supporting TLS has been added.

Implementations of the TEA and XTEA ciphers have been added to the light weight API and the provider.

PEMReader now supports OpenSSL ECDSA key pairs.

PGP packet streams can now be closed off using close() on the returned stream as well as closing the generator.

2.33.1 Version

2.33.2 Defects Fixed

Endianness of integer conversion in KDF2BytesGenerator was incorrect. This has been fixed.

Generating critical signature subpackets in OpenPGP would result in a zero packet tag. This has been fixed.

Some flags in PKIFailure info were incorrect, and the range of values was incomplete. The range of values has been increased and the flags corrected.

The helper class for AuthorityKeyExtension generation was including the subject rather than the issuer DN of the CA certificate. This has been fixed.

SMIMESignedParser now avoids JavaMail quoted-printable recoding issue.

Verification of RSA signatures done with keys with public exponents of 3 was vulnerable to Bleichenbacher's RSA signature forgery attack. This has been fixed.

PGP Identity strings were only being interpreted as ASCII rather than UTF8. This has been fixed.

CertificateFactory.generateCRLs now returns a Collection rather than null.

2.33.3 Additional Features and Functionality

An ISO18033KDFParameters class has been added to support ISO18033 KDF generators.

An implementation of the KDF1 bytes generator algorithm has been added.

An implementation of NaccacheStern encryption has been added to the lightweight API.

X509V2CRLGenerator can now be loaded from an existing CRL.

The CMS enveloped data generators will now attempt to use the default provider for encryption if the passed in provider can only handle key exchange.

OpenPGP file processing has been substantially sped up.

The PKCS1Encoder would accept PKCS1 packets which were one byte oversize. By default this will now cause an error. However, as there are still implementations which produce such packets, the older behaviour can be turned on by setting the VM system property org.bouncycastle.pkcs1.strict to false before creating an RSA cipher using PKCS1 encoding.

A target has been added to the bc-build.xml to zip up the source code rather than leaving it in a directory tree. The build scripts now run this target by default.

Use of toUpperCase and toLowerCase has been replaced with a locale independent converter where appropriate.

Support for retrieving the issuers of indirect CRLs has been added.

Classes for doing incremental path validation of PKIX cert paths have been added to the X.509 package and S/MIME.

Locale issues with String.toUpperCase() have now been worked around.

Optional limiting has been added to ASN1InputStream to avoid possible OutOfMemoryErrors on corrupted streams.
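The limit described above matters because a DER length field can declare far more content than the stream actually holds; a reader that trusts the declared length and allocates a buffer for it is a denial-of-service hazard on a corrupted or hostile stream. The following is an added example (not Bouncy Castle's ASN1InputStream code) of a minimal DER tag-length-value reader that checks the declared length against a caller-supplied limit before any buffer is built. The function names, the constructed sample encodings and the 4-octet cap on the long-form length are this example's own assumptions.

```python
def read_der_length(data: bytes, pos: int, limit: int):
    """Decode a DER length starting at data[pos] and return (length, next_pos).

    The declared length is compared with `limit` (the bytes actually available)
    before the caller allocates anything, so a corrupted length of several GB is
    rejected instead of turning into an OutOfMemory-style failure.
    """
    if pos >= len(data):
        raise ValueError("truncated: no length byte")
    first = data[pos]
    pos += 1
    if first < 0x80:
        # Short form: the byte is the length itself.
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not permitted in DER")
    else:
        num_octets = first & 0x7F
        # Assumption of this example: cap the long form at 4 octets, which already
        # exceeds any plausible in-memory object and blocks absurd declared lengths.
        if num_octets > 4:
            raise ValueError("length field too long: %d octets" % num_octets)
        if pos + num_octets > len(data):
            raise ValueError("truncated length field")
        raw = data[pos:pos + num_octets]
        # DER requires the minimal encoding: no leading zero octet, and the long
        # form may not be used for a value that fits in the short form.
        if raw[0] == 0x00 or (num_octets == 1 and raw[0] < 0x80):
            raise ValueError("non-minimal length encoding")
        length = int.from_bytes(raw, "big")
        pos += num_octets
    if length > limit:
        raise ValueError("declared length %d exceeds limit %d" % (length, limit))
    return length, pos


def read_der_tlv(data: bytes, pos: int = 0, limit: int = None):
    """Read one primitive TLV and return (tag, contents, next_pos).

    `limit` defaults to the bytes remaining after the tag byte, i.e. the tightest
    bound the stream itself can justify; a caller may pass a smaller application limit.
    """
    if pos >= len(data):
        raise ValueError("truncated: no tag byte")
    tag = data[pos]
    pos += 1
    if limit is None:
        limit = len(data) - pos
    length, pos = read_der_length(data, pos, limit)
    if pos + length > len(data):
        raise ValueError("contents truncated")
    return tag, data[pos:pos + length], pos + length


# Constructed sample inputs for this example.
GOOD_OCTET_STRING = bytes.fromhex("0403010203")        # OCTET STRING { 01 02 03 }
# Same tag, but the length field claims 0x7FFFFFFF bytes that are not present.
CORRUPT_OCTET_STRING = bytes.fromhex("04847fffffff0102")


def check_corrupt_stream_is_rejected() -> bool:
    """Return True when the corrupted stream is refused before any allocation."""
    try:
        read_der_tlv(CORRUPT_OCTET_STRING)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(read_der_tlv(GOOD_OCTET_STRING))
    print("corrupt stream rejected:", check_corrupt_stream_is_rejected())
```

The same check generalises to constructed types by recursing into the contents with the enclosing element's length as the new limit, so a nested element can never declare more than its parent provides.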

Support has been added for SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, and SHA512withECDSA for the generation of signatures, certificates, CRLs, and certification requests.

Performance of the prime number generation in the BigInteger library has been further improved.

In line with RFC 3280 section 4.1.2.4, DNs are now encoded using UTF8String by default rather than PrintableString.

2.33.4 Security Advisory

If you are using public exponents with the value three you *must* upgrade to this release, otherwise it will be possible for attackers to exploit some of Bleichenbacher's RSA signature forgery attacks on your applications.
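The defect fixed above (and listed under Defects Fixed for this release) comes from how the verifier reads the PKCS#1 v1.5 encoded block after the RSA operation: a verifier that walks the block from the left, stops as soon as it finds a well-formed DigestInfo and never looks at the bytes after it accepts blocks whose padding is far too short, which is the property Bleichenbacher's forgery against small public exponents depends on. The following is an added example (not Bouncy Castle's code) showing that lenient pattern beside the hardened form, which reconstructs the single encoding valid for the modulus length and compares the whole block. It works on the encoded block only and performs no RSA operation; the function names and the constructed test vector are this example's own assumptions.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-1 (RFC 3447, section 9.2, note 1), followed by the 20-byte hash.
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15_encode(msg_hash: bytes, em_len: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 || FF..FF (at least 8) || 00 || DigestInfo, exactly em_len bytes."""
    t = SHA1_DIGESTINFO_PREFIX + msg_hash
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def lenient_verify(em: bytes, msg_hash: bytes) -> bool:
    """The broken pattern: scan the padding, locate the DigestInfo, compare it, and
    return without checking that it reaches the end of the block."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t_len = len(SHA1_DIGESTINFO_PREFIX) + len(msg_hash)
    # Any bytes after em[i + t_len] are silently ignored: this is the flaw.
    return em[i:i + t_len] == SHA1_DIGESTINFO_PREFIX + msg_hash


def strict_verify(em: bytes, msg_hash: bytes) -> bool:
    """Hardened form: rebuild the only valid encoding for this block length and compare
    the complete block in constant time, so the padding must fill every byte."""
    try:
        expected = emsa_pkcs1_v15_encode(msg_hash, len(em))
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def make_misplaced_digestinfo_block(msg_hash: bytes, em_len: int) -> bytes:
    """Constructed verifier test vector (not a signature): minimal 8-byte padding, then
    the DigestInfo, then filler bytes. A correct verifier must reject this block."""
    t = SHA1_DIGESTINFO_PREFIX + msg_hash
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    filler = bytes((0x5A + i) % 256 for i in range(em_len - len(head)))
    return head + filler


def compare_verifiers(em_len: int = 128):
    """Run both verifiers over a correct block and the malformed test vector.
    Returns (lenient_good, strict_good, lenient_bad, strict_bad)."""
    h = hashlib.sha1(b"constructed message for this example").digest()
    good = emsa_pkcs1_v15_encode(h, em_len)
    bad = make_misplaced_digestinfo_block(h, em_len)
    return (lenient_verify(good, h), strict_verify(good, h),
            lenient_verify(bad, h), strict_verify(bad, h))


if __name__ == "__main__":
    print(compare_verifiers())   # lenient accepts the malformed block, strict rejects it
```

Rebuilding and comparing the whole block is also simpler to audit than a parser, which is why the "encode and compare" approach is the usual recommendation for PKCS#1 v1.5 signature verification.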

2.34.1 Version

2.34.2 Defects Fixed

OCSPResponseData was including the default version in its encoding. This has been fixed.

BasicOCSPResp.getVersion() would throw a NullPointerException if called on a default version response. This has been fixed.

Addition of an EC point under Fp could result in an ArithmeticException. This has been fixed.

The n value for prime192v2 was incorrect. This has been fixed.

ArmoredInputStream was not closing the underlying stream on close. This has been fixed.

Small base64 encoded strings with embedded white space could decode incorrectly using the Base64 class. This has been fixed.

2.34.3 Additional Features and Functionality

The X509V2CRLGenerator now supports adding general extensions to CRL entries.

A RoleSyntax implementation has been added to the x509 ASN.1 package, and the AttributeCertificateHolder class now supports the IssuerSerial option.

The CMS API now correctly recognises the OIW OID for DSA with SHA-1.

DERUTF8String now supports surrogate pairs.

2.35.1 Version

2.35.2 Defects Fixed

Further work has been done on RFC 3280 compliance.

The ASN1Sequence constructor for SemanticsInformation would sometimes throw a ClassCastException when reconstructing an object from a byte stream. This has been fixed.

The SharedInputStream.read(buf, 0, len) method would return 0 at EOF, rather than -1. This has been fixed.

X9FieldElement could fail to encode a Fp field element correctly. This has been fixed.

The streaming S/MIME API was occasionally leaving temporary files around. The SMIMEUtil class responsible for creating the files now returns a FileBackedMimeBodyPart object, which has a dispose() method for removing the file backing the body part.

An encoding defect in EnvelopedData generation in the streaming CMS and S/MIME APIs has been fixed.

DER constructed octet strings could cause exceptions in the streaming ASN.1 library. This has been fixed.

Several compatibility issues connected