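debian/0000755000000000000000000000000013321131673007166 5ustar debian/orig-tar.exclude0000644000000000000000000000012112171010017012245 0ustar .classpath .project .cvsignore jars/*.jar lib/*.jar zips/*.zip test/data/rfc4134 debian/libbcmail-java-doc.doc-base0000644000000000000000000000047712170777330014204 0ustar Document: libbcmail-java Title: Javadoc for the Bouncy S/MIME API Author: The Legion Of The Bouncy Castle Abstract: This is the API Javadoc provided for the libbcmail-java library. Section: Programming Format: HTML Index: /usr/share/doc/libbcmail-java-doc/api/index.html Files: /usr/share/doc/libbcmail-java-doc/api/* debian/libbcpkix-java.README.Debian0000644000000000000000000000050212170774454014124 0ustar libbcpkix-java for Debian ========================= In order to use this library, add the following to your classpath: /usr/share/java/bcpkix.jar Alternatively, the jar can be installed as an optional package by linking it from $JAVA_HOME/lib/ext. -- Charles Fry , Tue May 2 10:28:52 2006 debian/rules0000755000000000000000000000502712171013076010250 0ustar 
#!/usr/bin/make -f
# -*- makefile -*-
#
# debian/rules for the bouncycastle source package (cdbs + ant class).
# The upstream ant build produces bcprov, bcpg, bcmail and bcpkix; each jar
# is then installed by maven-repo-helper (mh_*) and javahelper (jh_*) into
# its own binary package, with a matching -doc package for the javadoc.

include /usr/share/cdbs/1/class/ant.mk
include /usr/share/cdbs/1/rules/debhelper.mk

# Upstream version as used in the Maven Central path: the Debian revision
# (everything from the first "-") and the "+dfsg" suffix are stripped.
# Deliberately recursive (=) rather than :=, so the dpkg-parsechangelog
# fork only happens when get-orig-pom expands it, not on every build/clean.
UPSTREAM_VERSION = $(shell dpkg-parsechangelog | sed -rne 's,^Version: ([^-]+).*,\1,p' | sed 's/\+dfsg//')

# Maven artifact ids whose POMs get-orig-pom fetches.
ARTIFACTS := bcprov bcpg bcmail bcpkix
# Where the upstream ant build (jdk15+.xml) leaves jars/ and javadoc/.
BUILD_DIR := build/artifacts/jdk1.5
# POMs are fetched over TLS so that build metadata checked into debian/poms
# cannot be altered in transit.
MAVEN_CENTRAL := https://repo1.maven.org/maven2/org/bouncycastle

JAVA_HOME := /usr/lib/jvm/default-java
# Jars from DEB_JARS are put on the ant classpath by cdbs' ant class.
DEB_JARS := junit gnumail
DEB_ANT_BUILDFILE := jdk15+.xml
DEB_ANT_BUILD_TARGET := build-provider build
DEB_INSTALL_CHANGELOGS_ALL := releasenotes.html

# Maintainer helpers below are commands, not files.
.PHONY: get-orig-pom get-orig-source

clean::
	mh_clean
	$(RM) stamp-*
	rm -rf build
	# Scratch files the upstream build/tests appear to leave at top level
	# (presumably OpenPGP test output) -- TODO confirm against the test suite.
	$(RM) *.bpg test.* large.* secret.asc pub.asc

# bcprov
binary-install/libbcprov-java:: build/libbcprov-java
	mh_installpoms -plibbcprov-java
	mh_installjar -plibbcprov-java -l debian/poms/bcprov.pom $(BUILD_DIR)/jars/bcprov-jdk15on-*.jar
	# Empty marker file in java-common's security.d; its name carries the
	# provider class (and presumably an ordering prefix, 2000 -- verify).
	dh_installdirs -plibbcprov-java etc/java/security/security.d
	touch debian/libbcprov-java/etc/java/security/security.d/2000-org.bouncycastle.jce.provider.BouncyCastleProvider

binary-install/libbcprov-java-doc::
	mv -i $(BUILD_DIR)/javadoc/bcprov debian/libbcprov-java-doc/usr/share/doc/libbcprov-java-doc/api

# bcmail
binary-install/libbcmail-java:: build/libbcmail-java
	mh_installpoms -plibbcmail-java
	mh_installjar -plibbcmail-java -l debian/poms/bcmail.pom $(BUILD_DIR)/jars/bcmail-jdk15on-*.jar
	jh_classpath -plibbcmail-java

binary-install/libbcmail-java-doc::
	mv -i $(BUILD_DIR)/javadoc/bcmail debian/libbcmail-java-doc/usr/share/doc/libbcmail-java-doc/api

# bcpg
binary-install/libbcpg-java:: build/libbcpg-java
	mh_installpoms -plibbcpg-java
	mh_installjar -plibbcpg-java -l debian/poms/bcpg.pom $(BUILD_DIR)/jars/bcpg-jdk15on-*.jar
	jh_classpath -plibbcpg-java

binary-install/libbcpg-java-doc::
	mv -i $(BUILD_DIR)/javadoc/bcpg debian/libbcpg-java-doc/usr/share/doc/libbcpg-java-doc/api

# bcpkix
binary-install/libbcpkix-java:: build/libbcpkix-java
	mh_installpoms -plibbcpkix-java
	mh_installjar -plibbcpkix-java -l debian/poms/bcpkix.pom $(BUILD_DIR)/jars/bcpkix-jdk15on-*.jar
	jh_classpath -plibbcpkix-java

binary-install/libbcpkix-java-doc::
	mv -i $(BUILD_DIR)/javadoc/bcpkix debian/libbcpkix-java-doc/usr/share/doc/libbcpkix-java-doc/api

# Refresh debian/poms/*.pom from Maven Central for the current upstream
# version.  "set -e" makes the recipe fail on the first failed download;
# without it only the last wget's status would be reported, so a missing
# or truncated POM could go unnoticed.
get-orig-pom:
	mkdir -p debian/poms
	set -e; for pom in $(ARTIFACTS); do \
		wget -O debian/poms/$${pom}.pom -U NoAgent-1.0 \
			$(MAVEN_CENTRAL)/$${pom}-jdk15on/$(UPSTREAM_VERSION)/$${pom}-jdk15on-$(UPSTREAM_VERSION).pom ; \
	done

# DEB_UPSTREAM_VERSION is supplied by cdbs.  The upstream tarball name uses
# the version without dots (see debian/watch), hence the sed.  uscan's exit
# status is ignored (pre-existing behaviour; presumably because it is
# non-zero in non-error situations such as "nothing new") -- TODO confirm.
get-orig-source:
	-uscan --download-version `echo $(DEB_UPSTREAM_VERSION) |sed -e 's/\.//g;s/\+dfsg//'` --force-download --rename
debian/libbcmail-java.poms0000644000000000000000000000002712170774454012735 0ustar debian/poms/bcmail.pom debian/libbcprov-java-doc.docs0000644000000000000000000000010312170774454013511 0ustar CONTRIBUTORS.html index.html releasenotes.html specifications.html debian/control0000644000000000000000000000714713321131712010574 0ustar Source: 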
bouncycastle Section: java Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian Java Maintainers Uploaders: Brian Thomason , Emmanuel Bourg Build-Depends: cdbs (>= 0.4.27), debhelper (>= 7.0.50~), ant, libgnumail-java, junit, ant-optional, maven-repo-helper, default-jdk (>= 1:1.6), javahelper Standards-Version: 3.9.4 Vcs-Svn: svn://anonscm.debian.org/pkg-java/trunk/bouncycastle Vcs-Browser: http://anonscm.debian.org/viewvc/pkg-java/trunk/bouncycastle Homepage: http://www.bouncycastle.org Package: libbcprov-java Architecture: all Depends: ${misc:Depends} Suggests: libbcprov-java-doc Breaks: jakarta-jmeter (<< 2.8-1~), jenkins-instance-identity (<< 1.3-1~), jglobus (<< 2.0.6-1~), libitext-java (<< 2.1.7-6~), libpdfbox-java (<< 1:1.8.2+dfsg-1~), voms-api-java (<< 2.0.9-1.1~) Description: Bouncy Castle Java Cryptographic Service Provider The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. . This package contains a JCE provider and a lightweight crypto API. Package: libbcprov-java-doc Section: doc Architecture: all Depends: ${misc:Depends} Description: Bouncy Castle Java Cryptographic Service Provider (Documentation) The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. . This package contains the Javadoc for libbcprov-java. Package: libbcmail-java Architecture: all Depends: libgnumail-java, libbcprov-java (>= ${source:Version}), libbcpkix-java (>= ${source:Version}), ${misc:Depends} Suggests: libbcmail-java-doc Description: Bouncy Castle generators/processors for S/MIME and CMS The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. . This package contains generators and processors for S/MIME and CMS (PKCS7/RFC 3852). 
Package: libbcmail-java-doc Section: doc Architecture: all Depends: ${misc:Depends} Description: Bouncy Castle generators/processors for S/MIME and CMS (Documentation) The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. . This package contains the Javadoc for libbcmail-java. Package: libbcpkix-java Architecture: all Depends: libbcprov-java (>= ${source:Version}), ${misc:Depends} Suggests: libbcpkix-java-doc Description: Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. . This package contains generators and processors for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF. Package: libbcpkix-java-doc Section: doc Architecture: all Depends: ${misc:Depends} Description: Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS... (Documentation) The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. . This package contains the Javadoc for libbcpkix-java. Package: libbcpg-java Architecture: all Depends: libbcprov-java (>= ${source:Version}), ${misc:Depends} Suggests: libbcpg-java-doc Description: Bouncy Castle generators/processors for OpenPGP The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. . This package contains generators and processors for OpenPGP (RFC 2440). Package: libbcpg-java-doc Section: doc Architecture: all Depends: ${misc:Depends} Description: Bouncy Castle generators/processors for OpenPGP (Documentation) The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. . This package contains the Javadoc for libbcpg-java. 
debian/poms/0000755000000000000000000000000012171004777010152 5ustar debian/poms/bcpkix.pom0000644000000000000000000000251412171004777012151 0ustar 4.0.0 org.bouncycastle bcpkix-jdk15on jar Bouncy Castle PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF APIs 1.49 The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.7. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. http://www.bouncycastle.org/java.html Bouncy Castle Licence http://www.bouncycastle.org/licence.html repo http://www.bouncycastle.org/viewcvs/viewcvs.cgi/java feedback-crypto The Legion of the Bouncy Castle feedback-crypto@bouncycastle.org org.bouncycastle bcprov-jdk15on 1.49 jar debian/poms/bcpg.pom0000644000000000000000000000270212171004777011603 0ustar 4.0.0 org.bouncycastle bcpg-jdk15on jar Bouncy Castle OpenPGP API 1.49 The Bouncy Castle Java API for handling the OpenPGP protocol. This jar contains the OpenPGP API for JDK 1.5 to JDK 1.7. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. http://www.bouncycastle.org/java.html Bouncy Castle Licence http://www.bouncycastle.org/licence.html repo Apache Software License, Version 1.1 http://www.apache.org/licenses/LICENSE-1.1 repo http://www.bouncycastle.org/viewcvs/viewcvs.cgi/java feedback-crypto The Legion of the Bouncy Castle feedback-crypto@bouncycastle.org org.bouncycastle bcprov-jdk15on 1.49 jar debian/poms/bcmail.pom0000644000000000000000000000300212171004777012111 0ustar 4.0.0 org.bouncycastle bcmail-jdk15on jar Bouncy Castle S/MIME API 1.49 The Bouncy Castle Java S/MIME APIs for handling S/MIME protocols. This jar contains S/MIME APIs for JDK 1.5 to JDK 1.7. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. 
The JavaMail API and the Java activation framework will also be needed. http://www.bouncycastle.org/java.html Bouncy Castle Licence http://www.bouncycastle.org/licence.html repo http://www.bouncycastle.org/viewcvs/viewcvs.cgi/java feedback-crypto The Legion of the Bouncy Castle feedback-crypto@bouncycastle.org org.bouncycastle bcprov-jdk15on 1.49 jar org.bouncycastle bcpkix-jdk15on 1.49 jar debian/poms/bcprov.pom0000644000000000000000000000201012171004777012153 0ustar 4.0.0 org.bouncycastle bcprov-jdk15on jar Bouncy Castle Provider 1.49 The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7. http://www.bouncycastle.org/java.html Bouncy Castle Licence http://www.bouncycastle.org/licence.html repo http://www.bouncycastle.org/viewcvs/viewcvs.cgi/java feedback-crypto The Legion of the Bouncy Castle feedback-crypto@bouncycastle.org debian/libbcpkix-java.poms0000644000000000000000000000002712170774454012766 0ustar debian/poms/bcpkix.pom debian/watch0000644000000000000000000000024512170774454010233 0ustar version=3 opts=dversionmangle=s/\.//g;s/\+dfsg// \ http://www.bouncycastle.org/latest_releases.html \ download/crypto-([\d\.]+)\.tar\.gz debian debian/orig-tar.sh debian/libbcpg-java.classpath0000644000000000000000000000004312170775341013417 0ustar usr/share/java/bcpg.jar bcprov.jar debian/libbcmail-java.README.Debian0000644000000000000000000000050212170774454014073 0ustar libbcmail-java for Debian ========================= In order to use this library, add the following to your classpath: /usr/share/java/bcmail.jar Alternatively, the jar can be installed as an optional package by linking it from $JAVA_HOME/lib/ext. 
-- Charles Fry , Tue May 2 10:28:26 2006 debian/patches/0000755000000000000000000000000013321131441010606 5ustar debian/patches/CVE-2015-7940-3.patch0000644000000000000000000012401713320113334013377 0ustar Implement further updates suggested by Petter Dettman after review of the first two patches. His instructions were the following: > I think the treatment of the cofactor (h, getH()) for > ECCurve.Fp needs more attention. The current validity checks for ECPoint > rely on there being a cofactor provided to check against, but as updated > by this patch, all ECCurve.Fp simply return null from getH(). > > Specifying the cofactor for all the "built-in" curves was preparatory > work that these validation commits relied on so in their current state > the patches effectively skip an important check for most of the built-in > Fp curves, which probably defeats the purpose. > > The "h == null" in ECPoint.satisfiesCofactor is not ideal even in the > current code, but it's tolerable if all the built-in curves actually do > specify a cofactor. > > I would recommend that you add the ECCurve.Fp constructor that allows to > specify cofactor (and order if you like), then change all the curve > registry classes: > ECGOST3410NamedCurves > SECNamedCurves > TeleTrusTNamedCurves > X962NamedCurves > > so that they use the new constructor. Then change ECCurve.java so that > the cofactor (and order - can keep calling them h, n in the code) are > actually stored in the base class and returned correctly for ECCurve.Fp. > > All the values you need are of course available in the latest code. > Unfortunately there's quite a lot of them, but the changes should be > fairly mechanical. 
--- .../asn1/cryptopro/ECGOST3410NamedCurves.java | 21 +++- src/org/bouncycastle/asn1/sec/SECNamedCurves.java | 30 ++--- .../asn1/teletrust/TeleTrusTNamedCurves.java | 126 ++++++++++++++------- src/org/bouncycastle/asn1/x9/X962NamedCurves.java | 63 +++++++---- src/org/bouncycastle/math/ec/ECCurve.java | 31 +++++ 5 files changed, 188 insertions(+), 83 deletions(-) diff --git a/src/org/bouncycastle/asn1/cryptopro/ECGOST3410NamedCurves.java b/src/org/bouncycastle/asn1/cryptopro/ECGOST3410NamedCurves.java index e203505..d6449cb 100644 --- a/src/org/bouncycastle/asn1/cryptopro/ECGOST3410NamedCurves.java +++ b/src/org/bouncycastle/asn1/cryptopro/ECGOST3410NamedCurves.java @@ -6,6 +6,7 @@ import java.util.Hashtable; import org.bouncycastle.asn1.ASN1ObjectIdentifier; import org.bouncycastle.crypto.params.ECDomainParameters; +import org.bouncycastle.math.ec.ECConstants; import org.bouncycastle.math.ec.ECCurve; import org.bouncycastle.math.ec.ECFieldElement; import org.bouncycastle.math.ec.ECPoint; @@ -27,7 +28,9 @@ public class ECGOST3410NamedCurves ECCurve.Fp curve = new ECCurve.Fp( mod_p, // p new BigInteger("115792089237316195423570985008687907853269984665640564039457584007913129639316"), // a - new BigInteger("166")); // b + new BigInteger("166"), // b + mod_q, + ECConstants.ONE); ECDomainParameters ecParams = new ECDomainParameters( curve, @@ -44,7 +47,9 @@ public class ECGOST3410NamedCurves curve = new ECCurve.Fp( mod_p, // p new BigInteger("115792089237316195423570985008687907853269984665640564039457584007913129639316"), - new BigInteger("166")); + new BigInteger("166"), + mod_q, + ECConstants.ONE); ecParams = new ECDomainParameters( curve, 
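Review bot: The two arguments appended to each `new ECCurve.Fp(` call in the -27 hunk carry no annotation, while the neighbouring `mod_p, // p`, `// a` and `// b` comments are kept, so a reader has to open the new ECCurve.Fp constructor (in ECCurve.java, outside this chunk) to learn that `mod_q` is the group order and `ECConstants.ONE` the cofactor; suggest `mod_q, // n` and `ECConstants.ONE); // h`. The same applies to the -44, -61, -78 and -94 hunks of this file. The static initializer these calls sit in begins before the hunk, and `mod_q` is declared there rather than in the changed lines, so its value cannot be checked from this chunk alone.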
@@ -61,7 +66,9 @@ public class ECGOST3410NamedCurves curve = new ECCurve.Fp( mod_p, // p new BigInteger("57896044618658097711785492504343953926634992332820282019728792003956564823190"), // a - new BigInteger("28091019353058090096996979000309560759124368558014865957655842872397301267595")); // b + new BigInteger("28091019353058090096996979000309560759124368558014865957655842872397301267595"), // b + mod_q, + ECConstants.ONE); ecParams = new ECDomainParameters( curve, @@ -78,7 +85,9 @@ public class ECGOST3410NamedCurves curve = new ECCurve.Fp( mod_p, // p new BigInteger("70390085352083305199547718019018437841079516630045180471284346843705633502616"), - new BigInteger("32858")); + new BigInteger("32858"), + mod_q, + ECConstants.ONE); ecParams = new ECDomainParameters( curve, @@ -94,7 +103,9 @@ public class ECGOST3410NamedCurves curve = new ECCurve.Fp( mod_p, // p new BigInteger("70390085352083305199547718019018437841079516630045180471284346843705633502616"), // a - new BigInteger("32858")); // b + new BigInteger("32858"), // b + mod_q, + ECConstants.ONE); ecParams = new ECDomainParameters( curve, diff --git a/src/org/bouncycastle/asn1/sec/SECNamedCurves.java b/src/org/bouncycastle/asn1/sec/SECNamedCurves.java index 44c811b..fe20c56 100644 --- a/src/org/bouncycastle/asn1/sec/SECNamedCurves.java +++ b/src/org/bouncycastle/asn1/sec/SECNamedCurves.java @@ -36,7 +36,7 @@ public class SECNamedCurves BigInteger n = fromHex("DB7C2ABF62E35E7628DFAC6561C5"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("02" //+ "09487239995A5EE76B55F9C2F098")); ECPoint G = curve.decodePoint(Hex.decode("04" 
@@ -62,7 +62,7 @@ public class SECNamedCurves BigInteger n = fromHex("36DF0AAFD8B8D7597CA10520D04B"); BigInteger h = BigInteger.valueOf(4); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("03" //+ "4BA30AB5E892B4E1649DD0928643")); ECPoint G = curve.decodePoint(Hex.decode("04" @@ -88,7 +88,7 @@ public class SECNamedCurves BigInteger n = fromHex("FFFFFFFE0000000075A30D1B9038A115"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("03" //+ "161FF7528B899B2D0C28607CA52C5B86")); ECPoint G = curve.decodePoint(Hex.decode("04" @@ -114,7 +114,7 @@ public class SECNamedCurves BigInteger n = fromHex("3FFFFFFF7FFFFFFFBE0024720613B5A3"); BigInteger h = BigInteger.valueOf(4); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("02" //+ "7B6AA5D85E572983E6FB32A7CDEBC140")); ECPoint G = curve.decodePoint(Hex.decode("04" @@ -140,7 +140,7 @@ public class SECNamedCurves BigInteger n = fromHex("0100000000000000000001B8FA16DFAB9ACA16B6B3"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); // ECPoint G = curve.decodePoint(Hex.decode("02" // + "3B4C382CE37AA192A4019E763036F4F5DD4D7EBB")); ECPoint G = curve.decodePoint(Hex.decode("04" @@ -166,7 +166,7 @@ public class SECNamedCurves BigInteger n = fromHex("0100000000000000000001F4C8F927AED3CA752257"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("02" //+ "4A96B5688EF573284664698968C38BB913CBFC82")); ECPoint G = curve.decodePoint(Hex.decode("04" 
@@ -192,7 +192,7 @@ public class SECNamedCurves BigInteger n = fromHex("0100000000000000000000351EE786A818F3A1A16B"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("02" //+ "52DCB034293A117E1F4FF11B30F7199D3144CE6D")); ECPoint G = curve.decodePoint(Hex.decode("04" @@ -218,7 +218,7 @@ public class SECNamedCurves BigInteger n = fromHex("FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("03" //+ "DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D")); ECPoint G = curve.decodePoint(Hex.decode("04" @@ -244,7 +244,7 @@ public class SECNamedCurves BigInteger n = fromHex("FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("03" //+ "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012")); ECPoint G = curve.decodePoint(Hex.decode("04" @@ -270,7 +270,7 @@ public class SECNamedCurves BigInteger n = fromHex("010000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("03" //+ "A1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C")); ECPoint G = curve.decodePoint(Hex.decode("04" 
@@ -296,7 +296,7 @@ public class SECNamedCurves BigInteger n = fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("02" //+ "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21")); ECPoint G = curve.decodePoint(Hex.decode("04" @@ -322,7 +322,7 @@ public class SECNamedCurves BigInteger n = fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("02" //+ "79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798")); ECPoint G = curve.decodePoint(Hex.decode("04" @@ -348,7 +348,7 @@ public class SECNamedCurves BigInteger n = fromHex("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("03" //+ "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")); ECPoint G = curve.decodePoint(Hex.decode("04" @@ -374,7 +374,7 @@ public class SECNamedCurves BigInteger n = fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("03" //+ "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7")); ECPoint G = curve.decodePoint(Hex.decode("04" 
@@ -400,7 +400,7 @@ public class SECNamedCurves BigInteger n = fromHex("01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409"); BigInteger h = BigInteger.valueOf(1); - ECCurve curve = new ECCurve.Fp(p, a, b); + ECCurve curve = new ECCurve.Fp(p, a, b, n, h); //ECPoint G = curve.decodePoint(Hex.decode("02" //+ "00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66")); ECPoint G = curve.decodePoint(Hex.decode("04" diff --git a/src/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves.java b/src/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves.java index 17f0491..0eea748 100644 --- a/src/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves.java +++ b/src/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves.java @@ -21,16 +21,19 @@ public class TeleTrusTNamedCurves { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("E95E4A5F737059DC60DF5991D45029409E60FC09", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( new BigInteger("E95E4A5F737059DC60DFC7AD95B3D8139515620F", 16), // q new BigInteger("340E7BE2A280EB74E2BE61BADA745D97E8F7C300", 16), // a - new BigInteger("1E589A8595423412134FAA2DBDEC95C8D8675E58", 16)); // b + new BigInteger("1E589A8595423412134FAA2DBDEC95C8D8675E58", 16), // b + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("04BED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC31667CB477A1A8EC338F94741669C976316DA6321")), // G - new BigInteger("E95E4A5F737059DC60DF5991D45029409E60FC09", 16), //n - new BigInteger("01", 16)); // h + n, h); } }; 
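Review bot: `BigInteger h = new BigInteger("01", 16);` in the -21 hunk of TeleTrusTNamedCurves parses a hex literal to obtain the cofactor one, whereas ECGOST3410NamedCurves in the same patch passes `ECConstants.ONE`; `BigInteger h = BigInteger.ONE;` (or `ECConstants.ONE`, which this file would then need to import) would read as the constant it is and keep the two registries consistent. The identical line is introduced in every holder of this file, including the -38, -56, -73 and -91 hunks, the last of which continues past the end of this chunk. The resulting value is the same either way, so this is a style point only.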
@@ -38,17 +41,20 @@ public class TeleTrusTNamedCurves { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("E95E4A5F737059DC60DF5991D45029409E60FC09", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( // new BigInteger("24DBFF5DEC9B986BBFE5295A29BFBAE45E0F5D0B", 16), // Z new BigInteger("E95E4A5F737059DC60DFC7AD95B3D8139515620F", 16), // q new BigInteger("E95E4A5F737059DC60DFC7AD95B3D8139515620C", 16), // a' - new BigInteger("7A556B6DAE535B7B51ED2C4D7DAA7A0B5C55F380", 16)); // b' + new BigInteger("7A556B6DAE535B7B51ED2C4D7DAA7A0B5C55F380", 16), // b' + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("04B199B13B9B34EFC1397E64BAEB05ACC265FF2378ADD6718B7C7C1961F0991B842443772152C9E0AD")), // G - new BigInteger("E95E4A5F737059DC60DF5991D45029409E60FC09", 16), //n - new BigInteger("01", 16)); // h + n, h); } }; @@ -56,16 +62,19 @@ public class TeleTrusTNamedCurves { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( new BigInteger("C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297", 16), // q new BigInteger("6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF", 16), // a - new BigInteger("469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9", 16)); // b + new BigInteger("469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9", 16), // b + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("04C0A0647EAAB6A48753B033C56CB0F0900A2F5C4853375FD614B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F")), // G - new BigInteger("C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1", 16), //n - new BigInteger("01", 16)); // h + n, h); } }; 
@@ -73,17 +82,20 @@ public class TeleTrusTNamedCurves { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( //new BigInteger("1B6F5CC8DB4DC7AF19458A9CB80DC2295E5EB9C3732104CB") //Z new BigInteger("C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297", 16), // q new BigInteger("C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86294", 16), // a' - new BigInteger("13D56FFAEC78681E68F9DEB43B35BEC2FB68542E27897B79", 16)); // b' + new BigInteger("13D56FFAEC78681E68F9DEB43B35BEC2FB68542E27897B79", 16), // b' + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("043AE9E58C82F63C30282E1FE7BBF43FA72C446AF6F4618129097E2C5667C2223A902AB5CA449D0084B7E5B3DE7CCC01C9")), // G' - new BigInteger("C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1", 16), //n - new BigInteger("01", 16)); // h + n, h); } }; 
@@ -91,165 +103,195 @@ public class TeleTrusTNamedCurves { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( new BigInteger("D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF", 16), // q new BigInteger("68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43", 16), // a - new BigInteger("2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B", 16)); // b + new BigInteger("2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B", 16), // b + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("040D9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD")), // G - new BigInteger("D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F", 16), //n - new BigInteger("01", 16)); // n + n, h); } }; static X9ECParametersHolder brainpoolP224t1 = new X9ECParametersHolder() { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( //new BigInteger("2DF271E14427A346910CF7A2E6CFA7B3F484E5C2CCE1C8B730E28B3F") //Z new BigInteger("D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF", 16), // q new BigInteger("D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FC", 16), // a' - new BigInteger("4B337D934104CD7BEF271BF60CED1ED20DA14C08B3BB64F18A60888D", 16)); // b' + new BigInteger("4B337D934104CD7BEF271BF60CED1ED20DA14C08B3BB64F18A60888D", 16), // b' + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("046AB1E344CE25FF3896424E7FFE14762ECB49F8928AC0C76029B4D5800374E9F5143E568CD23F3F4D7C0D4B1E41C8CC0D1C6ABD5F1A46DB4C")), // G' - new BigInteger("D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F", 16), //n - new BigInteger("01", 16)); // h + 
n, h); } }; static X9ECParametersHolder brainpoolP256r1 = new X9ECParametersHolder() { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16), // q new BigInteger("7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9", 16), // a - new BigInteger("26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", 16)); // b + new BigInteger("26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6", 16), // b + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997")), // G - new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 16), //n - new BigInteger("01", 16)); // h + n, h); } }; static X9ECParametersHolder brainpoolP256t1 = new X9ECParametersHolder() { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( //new BigInteger("3E2D4BD9597B58639AE7AA669CAB9837CF5CF20A2C852D10F655668DFC150EF0") //Z new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377", 16), // q new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374", 16), // a' - new BigInteger("662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04", 16)); // b' + new BigInteger("662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04", 16), // b' + n, h); return new X9ECParameters( curve, 
curve.decodePoint(Hex.decode("04A3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F42D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE")), // G' - new BigInteger("A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7", 16), //n - new BigInteger("01", 16)); // h + n, h); } }; static X9ECParametersHolder brainpoolP320r1 = new X9ECParametersHolder() { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( new BigInteger("D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27", 16), // q new BigInteger("3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9F492F375A97D860EB4", 16), // a - new BigInteger("520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539816F5EB4AC8FB1F1A6", 16)); // b + new BigInteger("520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539816F5EB4AC8FB1F1A6", 16), // b + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("0443BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599C710AF8D0D39E2061114FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6AC7D35245D1692E8EE1")), // G - new BigInteger("D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311", 16), //n - new BigInteger("01", 16)); // h + n, h); } }; static X9ECParametersHolder brainpoolP320t1 = new X9ECParametersHolder() { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( //new BigInteger("15F75CAF668077F7E85B42EB01F0A81FF56ECD6191D55CB82B7D861458A18FEFC3E5AB7496F3C7B1") //Z new BigInteger("D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27", 
16), // q new BigInteger("D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E24", 16), // a' - new BigInteger("A7F561E038EB1ED560B3D147DB782013064C19F27ED27C6780AAF77FB8A547CEB5B4FEF422340353", 16)); // b' + new BigInteger("A7F561E038EB1ED560B3D147DB782013064C19F27ED27C6780AAF77FB8A547CEB5B4FEF422340353", 16), // b' + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("04925BE9FB01AFC6FB4D3E7D4990010F813408AB106C4F09CB7EE07868CC136FFF3357F624A21BED5263BA3A7A27483EBF6671DBEF7ABB30EBEE084E58A0B077AD42A5A0989D1EE71B1B9BC0455FB0D2C3")), // G' - new BigInteger("D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311", 16), //n - new BigInteger("01", 16)); // h + n, h); } }; static X9ECParametersHolder brainpoolP384r1 = new X9ECParametersHolder() { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( new BigInteger("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53", 16), // q new BigInteger("7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F90F8AA5814A503AD4EB04A8C7DD22CE2826", 16), // a - new BigInteger("4A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DBC9943AB78696FA504C11", 16)); // b + new BigInteger("4A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DBC9943AB78696FA504C11", 16), // b + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("041D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315")), // G - new BigInteger("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565", 16), //n - new 
BigInteger("01", 16)); // h + n, h); } }; static X9ECParametersHolder brainpoolP384t1 = new X9ECParametersHolder() { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( //new BigInteger("41DFE8DD399331F7166A66076734A89CD0D2BCDB7D068E44E1F378F41ECBAE97D2D63DBC87BCCDDCCC5DA39E8589291C") //Z new BigInteger("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53", 16), // q new BigInteger("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC50", 16), // a' - new BigInteger("7F519EADA7BDA81BD826DBA647910F8C4B9346ED8CCDC64E4B1ABD11756DCE1D2074AA263B88805CED70355A33B471EE", 16)); // b' + new BigInteger("7F519EADA7BDA81BD826DBA647910F8C4B9346ED8CCDC64E4B1ABD11756DCE1D2074AA263B88805CED70355A33B471EE", 16), // b' + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("0418DE98B02DB9A306F2AFCD7235F72A819B80AB12EBD653172476FECD462AABFFC4FF191B946A5F54D8D0AA2F418808CC25AB056962D30651A114AFD2755AD336747F93475B7A1FCA3B88F2B6A208CCFE469408584DC2B2912675BF5B9E582928")), // G' - new BigInteger("8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565", 16), //n - new BigInteger("01", 16)); // h + n, h); } }; static X9ECParametersHolder brainpoolP512r1 = new X9ECParametersHolder() { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( new BigInteger("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3", 16), // q new 
BigInteger("7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA", 16), // a - new BigInteger("3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723", 16)); // b + new BigInteger("3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723", 16), // b + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("0481AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F8227DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892")), // G - new BigInteger("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069", 16), //n - new BigInteger("01", 16)); // h + n, h); } }; static X9ECParametersHolder brainpoolP512t1 = new X9ECParametersHolder() { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069", 16); + BigInteger h = new BigInteger("01", 16); + ECCurve curve = new ECCurve.Fp( //new BigInteger("12EE58E6764838B69782136F0F2D3BA06E27695716054092E60A80BEDB212B64E585D90BCE13761F85C3F1D2A64E3BE8FEA2220F01EBA5EEB0F35DBD29D922AB") //Z new BigInteger("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3", 16), // q new BigInteger("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F0", 16), // a' - new 
BigInteger("7CBBBCF9441CFAB76E1890E46884EAE321F70C0BCB4981527897504BEC3E36A62BCDFA2304976540F6450085F2DAE145C22553B465763689180EA2571867423E", 16)); // b' + new BigInteger("7CBBBCF9441CFAB76E1890E46884EAE321F70C0BCB4981527897504BEC3E36A62BCDFA2304976540F6450085F2DAE145C22553B465763689180EA2571867423E", 16), // b' + n, h); return new X9ECParameters( curve, curve.decodePoint(Hex.decode("04640ECE5C12788717B9C1BA06CBC2A6FEBA85842458C56DDE9DB1758D39C0313D82BA51735CDB3EA499AA77A7D6943A64F7A3F25FE26F06B51BAA2696FA9035DA5B534BD595F5AF0FA2C892376C84ACE1BB4E3019B71634C01131159CAE03CEE9D9932184BEEF216BD71DF2DADF86A627306ECFF96DBB8BACE198B61E00F8B332")), // G' - new BigInteger("AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069", 16), //n - new BigInteger("01", 16)); // h + n, h); } }; diff --git a/src/org/bouncycastle/asn1/x9/X962NamedCurves.java b/src/org/bouncycastle/asn1/x9/X962NamedCurves.java index 764017e..25312fe 100644 --- a/src/org/bouncycastle/asn1/x9/X962NamedCurves.java +++ b/src/org/bouncycastle/asn1/x9/X962NamedCurves.java @@ -19,17 +19,20 @@ public class X962NamedCurves { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("ffffffffffffffffffffffff99def836146bc9b1b4d22831", 16); + BigInteger h = BigInteger.valueOf(1); + ECCurve cFp192v1 = new ECCurve.Fp( new BigInteger("6277101735386680763835789423207666416083908700390324961279"), new BigInteger("fffffffffffffffffffffffffffffffefffffffffffffffc", 16), - new BigInteger("64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1", 16)); + new BigInteger("64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1", 16), + n, h); return new X9ECParameters( cFp192v1, cFp192v1.decodePoint( Hex.decode("03188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012")), - new BigInteger("ffffffffffffffffffffffff99def836146bc9b1b4d22831", 16), - BigInteger.valueOf(1), + n, h, Hex.decode("3045AE6FC8422f64ED579528D38120EAE12196D5")); } }; 
@@ -38,17 +41,20 @@ public class X962NamedCurves { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("fffffffffffffffffffffffe5fb1a724dc80418648d8dd31", 16); + BigInteger h = BigInteger.valueOf(1); + ECCurve cFp192v2 = new ECCurve.Fp( new BigInteger("6277101735386680763835789423207666416083908700390324961279"), new BigInteger("fffffffffffffffffffffffffffffffefffffffffffffffc", 16), - new BigInteger("cc22d6dfb95c6b25e49c0d6364a4e5980c393aa21668d953", 16)); + new BigInteger("cc22d6dfb95c6b25e49c0d6364a4e5980c393aa21668d953", 16), + n, h); return new X9ECParameters( cFp192v2, cFp192v2.decodePoint( Hex.decode("03eea2bae7e1497842f2de7769cfe9c989c072ad696f48034a")), - new BigInteger("fffffffffffffffffffffffe5fb1a724dc80418648d8dd31", 16), - BigInteger.valueOf(1), + n, h, Hex.decode("31a92ee2029fd10d901b113e990710f0d21ac6b6")); } }; @@ -57,17 +63,20 @@ public class X962NamedCurves { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("ffffffffffffffffffffffff7a62d031c83f4294f640ec13", 16); + BigInteger h = BigInteger.valueOf(1); + ECCurve cFp192v3 = new ECCurve.Fp( new BigInteger("6277101735386680763835789423207666416083908700390324961279"), new BigInteger("fffffffffffffffffffffffffffffffefffffffffffffffc", 16), - new BigInteger("22123dc2395a05caa7423daeccc94760a7d462256bd56916", 16)); + new BigInteger("22123dc2395a05caa7423daeccc94760a7d462256bd56916", 16), + n, h); return new X9ECParameters( cFp192v3, cFp192v3.decodePoint( Hex.decode("027d29778100c65a1da1783716588dce2b8b4aee8e228f1896")), - new BigInteger("ffffffffffffffffffffffff7a62d031c83f4294f640ec13", 16), - BigInteger.valueOf(1), + n, h, Hex.decode("c469684435deb378c4b65ca9591e2a5763059a2e")); } }; 
@@ -76,17 +85,20 @@ public class X962NamedCurves { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("7fffffffffffffffffffffff7fffff9e5e9a9f5d9071fbd1522688909d0b", 16); + BigInteger h = BigInteger.valueOf(1); + ECCurve cFp239v1 = new ECCurve.Fp( new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), - new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); + new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16), + n, h); return new X9ECParameters( cFp239v1, cFp239v1.decodePoint( Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), - new BigInteger("7fffffffffffffffffffffff7fffff9e5e9a9f5d9071fbd1522688909d0b", 16), - BigInteger.valueOf(1), + n, h, Hex.decode("e43bb460f0b80cc0c0b075798e948060f8321b7d")); } }; @@ -95,17 +107,20 @@ public class X962NamedCurves { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("7fffffffffffffffffffffff800000cfa7e8594377d414c03821bc582063", 16); + BigInteger h = BigInteger.valueOf(1); + ECCurve cFp239v2 = new ECCurve.Fp( new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), - new BigInteger("617fab6832576cbbfed50d99f0249c3fee58b94ba0038c7ae84c8c832f2c", 16)); + new BigInteger("617fab6832576cbbfed50d99f0249c3fee58b94ba0038c7ae84c8c832f2c", 16), + n, h); return new X9ECParameters( cFp239v2, cFp239v2.decodePoint( Hex.decode("0238af09d98727705120c921bb5e9e26296a3cdcf2f35757a0eafd87b830e7")), - new BigInteger("7fffffffffffffffffffffff800000cfa7e8594377d414c03821bc582063", 16), - BigInteger.valueOf(1), + n, h, Hex.decode("e8b4011604095303ca3b8099982be09fcb9ae616")); } }; 
@@ -114,17 +129,20 @@ public class X962NamedCurves { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("7fffffffffffffffffffffff7fffff975deb41b3a6057c3c432146526551", 16); + BigInteger h = BigInteger.valueOf(1); + ECCurve cFp239v3 = new ECCurve.Fp( new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), - new BigInteger("255705fa2a306654b1f4cb03d6a750a30c250102d4988717d9ba15ab6d3e", 16)); + new BigInteger("255705fa2a306654b1f4cb03d6a750a30c250102d4988717d9ba15ab6d3e", 16), + n, h); return new X9ECParameters( cFp239v3, cFp239v3.decodePoint( Hex.decode("036768ae8e18bb92cfcf005c949aa2c6d94853d0e660bbf854b1c9505fe95a")), - new BigInteger("7fffffffffffffffffffffff7fffff975deb41b3a6057c3c432146526551", 16), - BigInteger.valueOf(1), + n, h, Hex.decode("7d7374168ffe3471b60a857686a19475d3bfa2ff")); } }; @@ -133,17 +151,20 @@ public class X962NamedCurves { protected X9ECParameters createParameters() { + BigInteger n = new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16); + BigInteger h = BigInteger.valueOf(1); + ECCurve cFp256v1 = new ECCurve.Fp( new BigInteger("115792089210356248762697446949407573530086143415290314195533631308867097853951"), new BigInteger("ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", 16), - new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16)); + new BigInteger("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", 16), + n, h); return new X9ECParameters( cFp256v1, cFp256v1.decodePoint( Hex.decode("036b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296")), - new BigInteger("ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", 16), - BigInteger.valueOf(1), + n, h, Hex.decode("c49d360886e704936a6678e1139d26b7819f7e90")); } }; 
diff --git a/src/org/bouncycastle/math/ec/ECCurve.java b/src/org/bouncycastle/math/ec/ECCurve.java index 4442413..74b71a3 100644 --- a/src/org/bouncycastle/math/ec/ECCurve.java +++ b/src/org/bouncycastle/math/ec/ECCurve.java @@ -125,6 +125,16 @@ public abstract class ECCurve BigInteger q; ECPoint.Fp infinity; + /** + * The order of the base point of the curve. + */ + private BigInteger n; // can't be final - JDK 1.1 + + /** + * The cofactor of the curve. + */ + private BigInteger h; // can't be final - JDK 1.1 + public Fp(BigInteger q, BigInteger a, BigInteger b) { this.q = q; @@ -133,6 +143,17 @@ public abstract class ECCurve this.infinity = new ECPoint.Fp(this, null, null); } + public Fp(BigInteger q, BigInteger a, BigInteger b, BigInteger n, BigInteger h) + { + this.q = q; + this.a = fromBigInteger(a); + this.b = fromBigInteger(b); + this.infinity = new ECPoint.Fp(this, null, null); + + this.n = n; + this.h = h; + } + public BigInteger getQ() { return q; @@ -208,6 +229,16 @@ public abstract class ECCurve { return a.hashCode() ^ b.hashCode() ^ q.hashCode(); } + + public BigInteger getN() + { + return n; + } + + public BigInteger getH() + { + return h; + } } /** debian/patches/CVE-2015-7940-1.patch0000644000000000000000000004250713320113334013400 0ustar From 5cb2f0578e6ec8f0d67e59d05d8c4704d8e05f83 Mon Sep 17 00:00:00 2001 
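Review bot: The original three-argument `Fp` constructor in the second hunk is kept unchanged, so any curve built through it has `n` and `h` left null, and `ECPoint.isValid()` from CVE-2015-7940-1.patch skips its small-subgroup check whenever `getH()` returns null — existing callers get weaker validation with no signal. Chaining the old constructor to the new one, `this(q, a, b, null, null);`, removes the duplicated field setup, and the javadoc on `h` should say `* Null when the curve was built without a cofactor; point validation then omits the subgroup check.`. The accessors in the third hunk are added to `Fp` only, while `isValid()` calls `getH()` on the abstract `ECCurve` type; unless the base class declares them in a hunk outside this view, `F2m` needs matching accessors for that code to compile, and F2m curves would still report no cofactor.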
From: Peter Dettman Date: Tue, 22 Jul 2014 19:23:34 +0700 Subject: [PATCH] Add automatic EC point validation for decoded points and for multiplier outputs. Origin: upstream, https://github.com/bcgit/bc-java/commit/5cb2f05 Bug-Debian: https://bugs.debian.org/802671 Backporting notes of Raphaël Hertzog: * core/src/main/java/org/bouncycastle/ in current git was src/org/bouncycastle/ in 1.44 (Markus Koschany): * DSTU4145PointEncoder.java does exist in 1.49. Applied the changes. * AbstractECMultiplier.java does not exist in 1.49 but changes to AbstractECMultiplier.java mean that we must run ECAlgorithms.validatePoint() on any result of the multiply() function of any object implementing ECMultiplier. Done on: - FpNafMultiplier.java - ReferenceMultiplier.java - WNafMultiplier.java - WTauNafMultiplier.java * …/math/ec/custom/* were not present in 1.44. Dropped the corresponding changes. * Remaining changes have been manually backported: - ECPointTest.java: done - ReferenceMultiplier.java: done, added validatePoint() call on result - ECAlgorithms.java: done - ECPoint.java: done - Fp does not yet support getCompressionYTilde(), dropped from AbstractFp - F2m does not yet support checkCurveEquation() - dropped constructors accepting 4 params (with "zs") as ECPoint() does not support it, and dropped all code path that made use of this.zs since it's not available, basically everything related to non-affine coordinate system - ECCurve.java: (Markus Koschany): - Hunk 1: validatePoint() partly backported as there is one createPoint() call to replace. 
- Hunk 2: no importPoint() (and no createPoint() usage found) - Hunk 3: useless (no-op change) - Hunk 4: useless (no-op change) - Hunk 5: validation on generated point at end of function - Hunk 6: done - Hunk 7: done (auto-applied) - Hunk 8/9: ECCurve is abstract and has no constructor, don't call parent constructors in Fp constructors (which happens in code from hunk 7 adding AbstractFp) - Hunk 10: ECCurve.Fp does not have decompressPoint() in 1.44, so the whole AbstractFp class was in fact useless, drop it and make Fp extends ECCurve again. End of hunk not applied, the AbstractF2m class is not needed as its sole purpose is to factorize a call to buildField() that version 1.44 does not have. - Hunk 11/12/13: Not applied as we don't introduce AbstractF2m. - Hunk 14: yp is already initialized as null in 1.44. - Hunk 15: decompressPoint() is really implemented differently... and even has different parameters. Just add the final check for yp==null and don't change the logic in the function. - --- .../bouncycastle/asn1/ua/DSTU4145PointEncoder.java | 18 ++-- src/org/bouncycastle/math/ec/ECAlgorithms.java | 47 ++++++++++- src/org/bouncycastle/math/ec/ECCurve.java | 22 ++++- src/org/bouncycastle/math/ec/ECPoint.java | 97 ++++++++++++++++++---- src/org/bouncycastle/math/ec/FpNafMultiplier.java | 2 +- .../bouncycastle/math/ec/ReferenceMultiplier.java | 21 +---- src/org/bouncycastle/math/ec/WNafMultiplier.java | 2 +- .../bouncycastle/math/ec/WTauNafMultiplier.java | 2 +- .../org/bouncycastle/math/ec/test/ECPointTest.java | 31 +------ 9 files changed, 165 insertions(+), 77 deletions(-) diff --git a/src/org/bouncycastle/asn1/ua/DSTU4145PointEncoder.java b/src/org/bouncycastle/asn1/ua/DSTU4145PointEncoder.java index 0227d2a..103ed23 100644 --- a/src/org/bouncycastle/asn1/ua/DSTU4145PointEncoder.java +++ b/src/org/bouncycastle/asn1/ua/DSTU4145PointEncoder.java 
@@ -145,15 +145,19 @@ public abstract class DSTU4145PointEncoder ECFieldElement beta = xp.add(curve.getA()).add( curve.getB().multiply(xp.square().invert())); ECFieldElement z = solveQuadradicEquation(beta); - if (z == null) + if (z != null) { - throw new RuntimeException("Invalid point compression"); + if (!trace(z).equals(k)) + { + z = z.add(curve.fromBigInteger(ECConstants.ONE)); + } + yp = xp.multiply(z); } - if (!trace(z).equals(k)) - { - z = z.add(curve.fromBigInteger(ECConstants.ONE)); - } - yp = xp.multiply(z); + } + + if (yp == null) + { + throw new IllegalArgumentException("Invalid point compression"); } return new ECPoint.F2m(curve, xp, yp); diff --git a/src/org/bouncycastle/math/ec/ECAlgorithms.java b/src/org/bouncycastle/math/ec/ECAlgorithms.java index 78a7a8f..00cc2b5 100644 --- a/src/org/bouncycastle/math/ec/ECAlgorithms.java +++ b/src/org/bouncycastle/math/ec/ECAlgorithms.java @@ -23,7 +23,7 @@ public class ECAlgorithms } } - return implShamirsTrick(P, a, Q, b); + return ECAlgorithms.validatePoint(implShamirsTrick(P, a, Q, b)); } /* @@ -53,7 +53,7 @@ public class ECAlgorithms throw new IllegalArgumentException("P and Q must be on same curve"); } - return implShamirsTrick(P, k, Q, l); + return ECAlgorithms.validatePoint(implShamirsTrick(P, k, Q, l)); } private static ECPoint implShamirsTrick(ECPoint P, BigInteger k, 
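Review bot: The last line of the hunk still returns `new ECPoint.F2m(curve, xp, yp)` unvalidated, so the only check this hunk adds to the DSTU compressed-point decoder is `yp == null`; the uncompressed path in ECCurve.decodePoint (same patch) goes through `validatePoint()`, but nothing here runs `isValid()`, where the cofactor test lives. A `yp` solved from the curve equation is on the curve by construction but not necessarily in the prime-order subgroup, so `return ECAlgorithms.validatePoint(new ECPoint.F2m(curve, xp, yp));` would put the two decoders on the same footing. The enclosing method starts above the hunk, and the branch that handles `xp == 0` (the `xp.square().invert()` call implies one exists) is not visible, so that path needs the same treatment. Replacing RuntimeException with IllegalArgumentException is a good change; callers can now tell bad input from an internal fault.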
@@ -89,4 +89,47 @@ public class ECAlgorithms return R; } + + /** + * Simple shift-and-add multiplication. Serves as reference implementation + * to verify (possibly faster) implementations, and for very small scalars. + * + * @param p + * The point to multiply. + * @param k + * The multiplier. + * @return The result of the point multiplication kP. + */ + public static ECPoint referenceMultiply(ECPoint p, BigInteger k) + { + BigInteger x = k.abs(); + ECPoint q = p.getCurve().getInfinity(); + int t = x.bitLength(); + if (t > 0) + { + if (x.testBit(0)) + { + q = p; + } + for (int i = 1; i < t; i++) + { + p = p.twice(); + if (x.testBit(i)) + { + q = q.add(p); + } + } + } + return k.signum() < 0 ? q.negate() : q; + } + + public static ECPoint validatePoint(ECPoint p) + { + if (!p.isValid()) + { + throw new IllegalArgumentException("Invalid point"); + } + + return p; + } } diff --git a/src/org/bouncycastle/math/ec/ECCurve.java b/src/org/bouncycastle/math/ec/ECCurve.java index 58281af..016642e 100644 --- a/src/org/bouncycastle/math/ec/ECCurve.java +++ b/src/org/bouncycastle/math/ec/ECCurve.java @@ -30,6 +30,16 @@ public abstract class ECCurve protected abstract ECPoint decompressPoint(int yTilde, BigInteger X1); + public ECPoint validatePoint(BigInteger x, BigInteger y, boolean withCompression) + { + ECPoint p = createPoint(x, y, withCompression); + if (!p.isValid()) + { + throw new IllegalArgumentException("Invalid point coordinates"); + } + return p; + } + /** * Decode a point on this curve from its ASN.1 encoding. The different * encodings are taken account of, including point compression for 
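Review bot: `validatePoint(ECPoint p)` at the end of the hunk calls `p.isValid()` without a null check, so a null result surfaces as a NullPointerException instead of the IllegalArgumentException the helper exists to raise; `if (p == null || !p.isValid())` keeps a single failure mode. `referenceMultiply` is a double-and-add whose branch sequence follows the bits of `k`; it is now public and is used by `isValid()` with the public cofactor, which is fine, but its javadoc should state the limit, e.g. `* Not constant-time: for small public scalars (the cofactor) and tests only; never for private scalars.`. Since every ECMultiplier in this patch now ends in `validatePoint`, each scalar multiplication also pays an `h·R` reference multiply plus the curve-equation check — negligible for h = 1, but worth a note for curves with a larger cofactor.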
@@ -79,13 +89,18 @@ public abstract class ECCurve BigInteger X1 = fromArray(encoded, 1, expectedLength); BigInteger Y1 = fromArray(encoded, 1 + expectedLength, expectedLength); - p = createPoint(X1, Y1, false); + p = validatePoint(X1, Y1, false); break; } default: throw new IllegalArgumentException("Invalid point encoding 0x" + Integer.toString(encoded[0], 16)); } + if (encoded[0] != 0x00 && p.isInfinity()) + { + throw new IllegalArgumentException("Invalid infinity encoding"); + } + return p; } @@ -504,6 +519,11 @@ public abstract class ECCurve yp = xp.multiply(z); } + if (yp == null) + { + throw new IllegalArgumentException("Invalid point compression"); + } + return new ECPoint.F2m(this, xp, yp, true); } diff --git a/src/org/bouncycastle/math/ec/ECPoint.java b/src/org/bouncycastle/math/ec/ECPoint.java index cbc5aaf..0c8c1cc 100644 --- a/src/org/bouncycastle/math/ec/ECPoint.java +++ b/src/org/bouncycastle/math/ec/ECPoint.java @@ -27,7 +27,9 @@ public abstract class ECPoint this.x = x; this.y = y; } - + + protected abstract boolean satisfiesCurveEquation(); + public ECCurve getCurve() { return curve; @@ -53,6 +55,33 @@ public abstract class ECPoint return withCompression; } + public boolean isValid() + { + if (isInfinity()) + { + return true; + } + + // TODO Sanity-check the field elements + + ECCurve curve = getCurve(); + if (curve != null) + { + if (!satisfiesCurveEquation()) + { + return false; + } + + BigInteger h = curve.getH(); + if (h != null && ECAlgorithms.referenceMultiply(this, h).isInfinity()) + { + return false; + } + } + + return true; + } + public boolean equals( Object other) { 
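Review bot: `isValid()` returns true when `getCurve()` is null and skips the subgroup test when `curve.getH()` is null, so a curve built without a cofactor (the three-argument `ECCurve.Fp` constructor, and F2m curves as far as this patch set shows) only gets the curve-equation check — a silent downgrade that deserves a comment on the `h != null` line: `// h == null: curve carries no cofactor, so the small-subgroup check cannot run`. The `// TODO Sanity-check the field elements` left in place is the other gap: nothing here confirms x and y are reduced into the field, which matters if ECFieldElement accepts out-of-range values (not visible in this view). In ECCurve.decodePoint the new `validatePoint(X1, Y1, false)` covers only the 0x04 branch; the compressed 0x02/0x03 branch lies above the hunk, so unless it validates as well, compressed encodings bypass the cofactor check. The added `encoded[0] != 0x00 && p.isInfinity()` guard is right: only the 0x00 tag may denote the point at infinity.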
@@ -157,10 +186,38 @@ public abstract class ECPoint return this.multiplier.multiply(this, k, preCompInfo); } + public static abstract class AbstractFp extends ECPoint + { + protected AbstractFp(ECCurve curve, ECFieldElement x, ECFieldElement y) + { + super(curve, x, y); + } + + protected boolean satisfiesCurveEquation() + { + ECFieldElement X = this.x, Y = this.y, A = curve.getA(), B = curve.getB(); + ECFieldElement lhs = Y.square(); + + ECFieldElement rhs = X.square().add(A).multiply(X).add(B); + return lhs.equals(rhs); + } + + public ECPoint subtract(ECPoint b) + { + if (b.isInfinity()) + { + return this; + } + + // Add -b + return add(b.negate()); + } + } + /** * Elliptic curve points over Fp */ - public static class Fp extends ECPoint + public static class Fp extends AbstractFp { /** @@ -176,7 +233,7 @@ public abstract class ECPoint } /** - * Create a point that encodes with or without point compresion. + * Create a point that encodes with or without point compression. * * @param curve the curve to use * @param x affine x co-ordinate @@ -302,18 +359,6 @@ public abstract class ECPoint return new ECPoint.Fp(curve, x3, y3, this.withCompression); } - // D.3.2 pg 102 (see Note:) - public ECPoint subtract(ECPoint b) - { - if (b.isInfinity()) - { - return this; - } - - // Add -b - return add(b.negate()); - } - public ECPoint negate() { return new ECPoint.Fp(curve, this.x, this.y.negate(), this.withCompression); 
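Review bot: `satisfiesCurveEquation()` in the new `AbstractFp` dereferences `this.x` and `this.y` with no infinity guard; `isValid()` tests `isInfinity()` first, but the method is `protected` and any other caller on the point at infinity gets a NullPointerException, so the precondition should be stated: `// Precondition: not the point at infinity (x, y non-null); isValid() checks that first.`. The right-hand side is built as `(x^2 + a) * x + b`, which equals `x^3 + a*x + b`; a one-line comment saying so saves the next reader a derivation. Moving `subtract` from `Fp` up to `AbstractFp` is a pure relocation, and the javadoc typo fix is fine.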
@@ -331,10 +376,30 @@ public abstract class ECPoint } } + public static abstract class AbstractF2m extends ECPoint + { + protected AbstractF2m(ECCurve curve, ECFieldElement x, ECFieldElement y) + { + super(curve, x, y); + } + + protected boolean satisfiesCurveEquation() + { + ECCurve curve = getCurve(); + ECFieldElement X = this.x, A = curve.getA(), B = curve.getB(); + + ECFieldElement Y = this.y; + ECFieldElement lhs = Y.add(X).multiply(Y); + + ECFieldElement rhs = X.add(A).multiply(X.square()).add(B); + return lhs.equals(rhs); + } + } + /** * Elliptic curve points over F2m */ - public static class F2m extends ECPoint + public static class F2m extends AbstractF2m { /** * @param curve base curve diff --git a/src/org/bouncycastle/math/ec/FpNafMultiplier.java b/src/org/bouncycastle/math/ec/FpNafMultiplier.java index 35e601d..a882f34 100644 --- a/src/org/bouncycastle/math/ec/FpNafMultiplier.java +++ b/src/org/bouncycastle/math/ec/FpNafMultiplier.java @@ -34,6 +34,6 @@ class FpNafMultiplier implements ECMultiplier } } - return R; + return ECAlgorithms.validatePoint(R); } } diff --git a/src/org/bouncycastle/math/ec/ReferenceMultiplier.java b/src/org/bouncycastle/math/ec/ReferenceMultiplier.java index c1dd548..38879d7 100644 --- a/src/org/bouncycastle/math/ec/ReferenceMultiplier.java +++ b/src/org/bouncycastle/math/ec/ReferenceMultiplier.java 
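Review bot: `AbstractF2m.satisfiesCurveEquation()` compares `(y + x) * y` with `(x + a) * x^2 + b`, i.e. `y^2 + x*y == x^3 + a*x^2 + b`, the binary-field Weierstrass form, but nothing says so; add `// y^2 + x*y == x^3 + a*x^2 + b (binary-field Weierstrass form)` above `lhs`. It reads the curve through `getCurve()` while `AbstractFp` uses the `curve` field directly; either is fine, but the two siblings should match. Like its Fp counterpart it assumes a finite point, so the same precondition note belongs here.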
@@ -4,27 +4,8 @@ import java.math.BigInteger; class ReferenceMultiplier implements ECMultiplier { - /** - * Simple shift-and-add multiplication. Serves as reference implementation - * to verify (possibly faster) implementations in - * {@link org.bouncycastle.math.ec.ECPoint ECPoint}. - * - * @param p The point to multiply. - * @param k The factor by which to multiply. - * @return The result of the point multiplication k * p. - */ public ECPoint multiply(ECPoint p, BigInteger k, PreCompInfo preCompInfo) { - ECPoint q = p.getCurve().getInfinity(); - int t = k.bitLength(); - for (int i = 0; i < t; i++) - { - if (k.testBit(i)) - { - q = q.add(p); - } - p = p.twice(); - } - return q; + return ECAlgorithms.validatePoint(ECAlgorithms.referenceMultiply(p, k)); } } diff --git a/src/org/bouncycastle/math/ec/WNafMultiplier.java b/src/org/bouncycastle/math/ec/WNafMultiplier.java index 10c8ed2..c182fee 100644 --- a/src/org/bouncycastle/math/ec/WNafMultiplier.java +++ b/src/org/bouncycastle/math/ec/WNafMultiplier.java @@ -234,7 +234,7 @@ class WNafMultiplier implements ECMultiplier wnafPreCompInfo.setPreComp(preComp); wnafPreCompInfo.setTwiceP(twiceP); p.setPreCompInfo(wnafPreCompInfo); - return q; + return ECAlgorithms.validatePoint(q); } } diff --git a/src/org/bouncycastle/math/ec/WTauNafMultiplier.java b/src/org/bouncycastle/math/ec/WTauNafMultiplier.java index 2353979..d1578e7 100644 --- a/src/org/bouncycastle/math/ec/WTauNafMultiplier.java +++ b/src/org/bouncycastle/math/ec/WTauNafMultiplier.java @@ -34,7 +34,7 @@ class WTauNafMultiplier implements ECMultiplier ZTauElement rho = Tnaf.partModReduction(k, m, a, s, mu, (byte)10); - return multiplyWTnaf(p, rho, preCompInfo, a, mu); + return ECAlgorithms.validatePoint(multiplyWTnaf(p, rho, preCompInfo, a, mu)); } /** diff --git a/test/src/org/bouncycastle/math/ec/test/ECPointTest.java b/test/src/org/bouncycastle/math/ec/test/ECPointTest.java index e488c63..7eb1460 100644 
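Review bot: `ReferenceMultiplier.multiply` now delegates to `ECAlgorithms.referenceMultiply`, which takes `k.abs()` and negates the result for negative `k`; the loop it replaces walked `k.testBit(i)` directly, so negative scalars change meaning (two's-complement bits before, |k|·P negated now). That is the better behaviour, but it is a functional change beyond "add validation" and the patch header should mention it. In `WNafMultiplier` the `validatePoint(q)` call comes after `p.setPreCompInfo(wnafPreCompInfo)`, so when `q` fails validation the precomputation derived from the bad input point stays cached on `p`; validating before caching, or clearing it on failure, avoids reusing it. The `WTauNafMultiplier` hunk is the same wrap, with the body of `multiplyWTnaf` outside this view.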
--- a/test/src/org/bouncycastle/math/ec/test/ECPointTest.java +++ b/test/src/org/bouncycastle/math/ec/test/ECPointTest.java @@ -13,6 +13,7 @@ import org.bouncycastle.asn1.x9.X9ECParameters; import org.bouncycastle.math.ec.ECCurve; import org.bouncycastle.math.ec.ECFieldElement; import org.bouncycastle.math.ec.ECPoint; +import org.bouncycastle.math.ec.ECAlgorithms; /** * Test class for {@link org.bouncycastle.math.ec.ECPoint ECPoint}. All @@ -263,32 +264,6 @@ public class ECPointTest extends TestCase } /** - * Simple shift-and-add multiplication. Serves as reference implementation - * to verify (possibly faster) implementations in - * {@link org.bouncycastle.math.ec.ECPoint ECPoint}. - * - * @param p - * The point to multiply. - * @param k - * The multiplier. - * @return The result of the point multiplication kP. - */ - private ECPoint multiply(ECPoint p, BigInteger k) - { - ECPoint q = p.getCurve().getInfinity(); - int t = k.bitLength(); - for (int i = 0; i < t; i++) - { - if (k.testBit(i)) - { - q = q.add(p); - } - p = p.twice(); - } - return q; - } - - /** * Checks, if the point multiplication algorithm of the given point yields * the same result as point multiplication done by the reference * implementation given in multiply(). This method chooses a @@ -303,7 +278,7 @@ public class ECPointTest extends TestCase private void implTestMultiply(ECPoint p, int numBits) { BigInteger k = new BigInteger(numBits, secRand); - ECPoint ref = multiply(p, k); + ECPoint ref = org.bouncycastle.math.ec.ECAlgorithms.referenceMultiply(p, k); ECPoint q = p.multiply(k); assertEquals("ECPoint.multiply is incorrect", ref, q); } 
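Review bot: The added `import org.bouncycastle.math.ec.ECAlgorithms;` in the first hunk is unused, because both call sites below refer to `org.bouncycastle.math.ec.ECAlgorithms.referenceMultiply(p, k)` by fully qualified name; either drop the import or shorten the calls to `ECAlgorithms.referenceMultiply(p, k)`. Removing the test-local `multiply()` in favour of the library routine is reasonable, but the test now checks `ECPoint.multiply` against code shipped in the same library rather than an independent oracle, so a shared bug in point addition would pass both sides.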
@@ -327,7 +302,7 @@ public class ECPointTest extends TestCase do { - ECPoint ref = multiply(p, k); + ECPoint ref = org.bouncycastle.math.ec.ECAlgorithms.referenceMultiply(p, k); ECPoint q = p.multiply(k); assertEquals("ECPoint.multiply is incorrect", ref, q); k = k.add(BigInteger.ONE); debian/patches/series0000644000000000000000000000042513321131441012024 0ustar 01_build.patch 02_index.patch CVE-2015-7940-1.patch CVE-2015-7940-2.patch CVE-2015-7940-3.patch CVE-2015-6644.patch CVE-2016-1000338.patch CVE-2016-1000341.patch CVE-2016-1000343.patch CVE-2016-1000346.patch CVE-2016-1000339.patch CVE-2016-1000345.patch CVE-2016-1000342.patch debian/patches/CVE-2015-6644.patch0000644000000000000000000000426313320113334013237 0ustar From: Markus Koschany Date: Sun, 9 Apr 2017 16:05:34 +0200 Subject: CVE-2015-6644 Reviewed-by: Peter Dettman Bug-Upstream: https://github.com/bcgit/bc-java/issues/177 --- .../bouncycastle/crypto/modes/GCMBlockCipher.java | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/src/org/bouncycastle/crypto/modes/GCMBlockCipher.java b/src/org/bouncycastle/crypto/modes/GCMBlockCipher.java index 9e617ec..9a0ef6b 100644 --- a/src/org/bouncycastle/crypto/modes/GCMBlockCipher.java +++ b/src/org/bouncycastle/crypto/modes/GCMBlockCipher.java @@ -41,6 +41,7 @@ public class GCMBlockCipher private byte[] macBlock; private byte[] S, S_at, S_atPre; private byte[] counter; + private int blocksRemaining; private int bufOff; private long totalLength; private byte[] atBlock; @@ -168,6 +169,7 @@ public class GCMBlockCipher this.atLength = 0; this.atLengthPre = 0; this.counter = Arrays.clone(J0); + this.blocksRemaining = -2; this.bufOff = 0; this.totalLength = 0; @@ -428,6 +430,7 @@ public class GCMBlockCipher atLength = 0; atLengthPre = 0; counter = Arrays.clone(J0); + blocksRemaining = -2; bufOff = 0; totalLength = 0; 
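Review bot: `blocksRemaining = -2` in the `init` hunk and again in the second hunk (apparently the reset path) is a sentinel that only makes sense together with the `blocksRemaining == 0` test in `getNextCounterBlock()`: the int is decremented once per block and relies on wrap-around, so it reaches zero after 2^32 − 2 blocks, which matches the 2^39 − 256 bit plaintext bound of SP 800-38D and is the point where the 32-bit counter word would cycle back onto J0 and reuse keystream. None of that is written down; the field declaration deserves `// -2 wraps to 0 after 2^32 - 2 decrements (GCM limit: 2^39 - 256 bits); 0 means the counter would repeat`. Resetting it wherever `counter` is restored from J0 is correct, and both sites in this patch do so.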
@@ -494,16 +497,17 @@ public class GCMBlockCipher private byte[] getNextCounterBlock() { - for (int i = 15; i >= 12; --i) + if (blocksRemaining == 0) { - byte b = (byte)((counter[i] + 1) & 0xff); - counter[i] = b; - - if (b != 0) - { - break; - } + throw new IllegalStateException("Attempt to process too many blocks"); } + blocksRemaining--; + + int c = 1; + c += counter[15] & 0xFF; counter[15] = (byte)c; c >>>= 8; + c += counter[14] & 0xFF; counter[14] = (byte)c; c >>>= 8; + c += counter[13] & 0xFF; counter[13] = (byte)c; c >>>= 8; + c += counter[12] & 0xFF; counter[12] = (byte)c; byte[] tmp = new byte[BLOCK_SIZE]; // TODO Sure would be nice if ciphers could operate on int[] debian/patches/01_build.patch0000644000000000000000000000225212171004571013234 0ustar Description: Pass unicode flag to javac targets for proper compilation Author: Brian Thomason --- a/bc-build.xml +++ b/bc-build.xml @@ -101,6 +101,7 @@ + @@ -131,6 +132,7 @@ srcdir="${artifacts.dir}/@{target}/src" destdir="${build.dir}/@{target}/classes" debug="${release.debug}"> + @@ -242,6 +244,7 @@ srcdir="${lcrypto.target.src.dir}" destdir="${lcrypto.target.classes.dir}" debug="${release.debug}"> + debian/patches/CVE-2016-1000341.patch0000644000000000000000000000357713320113334013454 0ustar From: Markus Koschany Date: Fri, 8 Jun 2018 20:53:29 +0200 Subject: CVE-2016-1000341 Origin: https://github.com/bcgit/bc-java/commit/acaac81f96fec91ab45bd0412beaf9c3acd8defa --- src/org/bouncycastle/crypto/signers/DSASigner.java | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/org/bouncycastle/crypto/signers/DSASigner.java b/src/org/bouncycastle/crypto/signers/DSASigner.java index a96cef0..cfe5aa6 100644 --- a/src/org/bouncycastle/crypto/signers/DSASigner.java +++ b/src/org/bouncycastle/crypto/signers/DSASigner.java 
@@ -58,6 +58,7 @@ public class DSASigner byte[] message) { DSAParameters params = key.getParameters(); + BigInteger q = params.getQ(); BigInteger m = calculateE(params.getQ(), message); BigInteger k; int qBitLength = params.getQ().bitLength(); @@ -68,7 +69,8 @@ public class DSASigner } while (k.compareTo(params.getQ()) >= 0); - BigInteger r = params.getG().modPow(k, params.getP()).mod(params.getQ()); + // the randomizer is to conceal timing information related to k and x. + BigInteger r = params.getG().modPow(k.add(getRandomizer(q, random)), params.getP()).mod(q); k = k.modInverse(params.getQ()).multiply( m.add(((DSAPrivateKeyParameters)key).getX().multiply(r))); @@ -135,4 +137,13 @@ public class DSASigner return new BigInteger(1, trunc); } } + + private BigInteger getRandomizer(BigInteger q, SecureRandom provided) + { + // Calculate a random multiple of q to add to k. Note that g^q = 1 (mod p), so adding multiple of q to k does not change r. + int randomBits = 7; + + return new BigInteger(randomBits, provided != null ? provided : new SecureRandom()).add(BigInteger.valueOf(128)).multiply(q); + } + } debian/patches/CVE-2016-1000338.patch0000644000000000000000000002263413320113334013455 0ustar From: Markus Koschany Date: Thu, 7 Jun 2018 15:06:06 +0200 Subject: CVE-2016-1000338 Origin: https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f --- .../jcajce/provider/asymmetric/dsa/DSASigner.java | 5 + src/org/bouncycastle/util/test/SimpleTest.java | 22 ++++- .../bouncycastle/jce/provider/test/DSATest.java | 110 ++++++++++++++++++++- 3 files changed, 135 insertions(+), 2 deletions(-) diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java index ef12b4f..ea46467 100644 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java +++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java 
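Review bot: The blinding in the second hunk covers only the `modPow`; the very next line, `k = k.modInverse(params.getQ()).multiply(...)`, still runs the JDK's `BigInteger.modInverse` on the raw nonce, and that routine is not constant-time, so k-dependent timing remains in the inversion even though the exponentiation is now masked. A comment there should record the residual, e.g. `// NOTE: modInverse() is the JDK implementation and is not constant-time; only the modPow above is blinded.`, and if a constant-time inverse can be backported it belongs on that line. The new local `q` from the first hunk is used only in the blinded `modPow` while `params.getQ()` is still called four more times in the same method; using `q` throughout would make the hunk read as one change. `getRandomizer` adds `(128 + r7)·q` with `r7 < 128`, so the exponent is padded to roughly 8 bits above q, consistent with its comment that g^q ≡ 1 (mod p).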
@@ -205,6 +205,11 @@ public class DSASigner throws IOException { ASN1Sequence s = (ASN1Sequence)ASN1Primitive.fromByteArray(encoding); + if (s.size() != 2) + { + throw new IOException("malformed signature"); + } + return new BigInteger[]{ ((ASN1Integer)s.getObjectAt(0)).getValue(), ((ASN1Integer)s.getObjectAt(1)).getValue() diff --git a/src/org/bouncycastle/util/test/SimpleTest.java b/src/org/bouncycastle/util/test/SimpleTest.java index ef8ee61..d44b7a7 100644 --- a/src/org/bouncycastle/util/test/SimpleTest.java +++ b/src/org/bouncycastle/util/test/SimpleTest.java @@ -34,7 +34,27 @@ public abstract class SimpleTest { throw new TestFailedException(SimpleTestResult.failed(this, message, expected, found)); } - + + protected void isTrue( + boolean value) + { + if (!value) + { + throw new TestFailedException(SimpleTestResult.failed(this, "no message")); + } + } + + protected void isTrue( + String message, + boolean value) + { + if (!value) + { + throw new TestFailedException(SimpleTestResult.failed(this, message)); + } + } + + protected boolean areEqual( byte[] a, byte[] b) diff --git a/test/src/org/bouncycastle/jce/provider/test/DSATest.java b/test/src/org/bouncycastle/jce/provider/test/DSATest.java index e047899..4d30f1c 100644 --- a/test/src/org/bouncycastle/jce/provider/test/DSATest.java +++ b/test/src/org/bouncycastle/jce/provider/test/DSATest.java @@ -21,6 +21,8 @@ import java.security.SignatureException; import java.security.interfaces.DSAPrivateKey; import java.security.interfaces.DSAPublicKey; import java.security.spec.DSAParameterSpec; +import java.security.spec.DSAPrivateKeySpec; +import java.security.spec.DSAPublicKeySpec; import java.security.spec.PKCS8EncodedKeySpec; import java.security.spec.X509EncodedKeySpec; 
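Review bot: The size check rejects sequences with extra elements, but it does not establish that `encoding` was minimal DER: non-minimal length octets, padded INTEGER contents and trailing bytes after the SEQUENCE — the shapes exercised by the MODIFIED_SIGNATURES vectors in DSATest — are only rejected if `ASN1Primitive.fromByteArray` and `ASN1Integer` do so, which this hunk cannot show. A check that does not depend on parser strictness is to re-encode the decoded pair and compare it with the input, `if (!Arrays.areEqual(encoding, derEncode(r, s))) throw new IOException("malformed signature");`, assuming the class has its usual `derEncode(r, s)` counterpart (not visible here). derDecode's signature and the rest of the class are outside the hunk.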
@@ -44,6 +46,7 @@ import org.bouncycastle.jce.spec.ECPublicKeySpec; import org.bouncycastle.math.ec.ECCurve; import org.bouncycastle.util.Arrays; import org.bouncycastle.util.BigIntegers; +import org.bouncycastle.util.Strings; import org.bouncycastle.util.encoders.Hex; import org.bouncycastle.util.test.FixedSecureRandom; import org.bouncycastle.util.test.SimpleTest; 
@@ -55,7 +58,111 @@ public class DSATest byte[] k2 = Hex.decode("345e8d05c075c3a508df729a1685690e68fcfb8c8117847e89063bca1f85d968fd281540b6e13bd1af989a1fbf17e06462bf511f9d0b140fb48ac1b1baa5bded"); SecureRandom random = new FixedSecureRandom(new byte[][] { k1, k2 }); - + + // DSA modified signatures, courtesy of the Google security team + static final DSAPrivateKeySpec PRIVATE_KEY = new DSAPrivateKeySpec( + // x + new BigInteger( + "15382583218386677486843706921635237927801862255437148328980464126979"), + // p + new BigInteger( + "181118486631420055711787706248812146965913392568235070235446058914" + + "1170708161715231951918020125044061516370042605439640379530343556" + + "4101919053459832890139496933938670005799610981765220283775567361" + + "4836626483403394052203488713085936276470766894079318754834062443" + + "1033792580942743268186462355159813630244169054658542719322425431" + + "4088256212718983105131138772434658820375111735710449331518776858" + + "7867938758654181244292694091187568128410190746310049564097068770" + + "8161261634790060655580211122402292101772553741704724263582994973" + + "9109274666495826205002104010355456981211025738812433088757102520" + + "562459649777989718122219159982614304359"), + // q + new BigInteger( + "19689526866605154788513693571065914024068069442724893395618704484701"), + // g + new BigInteger( + "2859278237642201956931085611015389087970918161297522023542900348" + + "0877180630984239764282523693409675060100542360520959501692726128" + + "3149190229583566074777557293475747419473934711587072321756053067" + + "2532404847508798651915566434553729839971841903983916294692452760" + + "2490198571084091890169933809199002313226100830607842692992570749" + + "0504363602970812128803790973955960534785317485341020833424202774" + + "0275688698461842637641566056165699733710043802697192696426360843" + + "1736206792141319514001488556117408586108219135730880594044593648" + + "9237302749293603778933701187571075920849848690861126195402696457" + + 
"4111219599568903257472567764789616958430")); + + static final DSAPublicKeySpec PUBLIC_KEY = new DSAPublicKeySpec( + new BigInteger( + "3846308446317351758462473207111709291533523711306097971550086650" + + "2577333637930103311673872185522385807498738696446063139653693222" + + "3528823234976869516765207838304932337200968476150071617737755913" + + "3181601169463467065599372409821150709457431511200322947508290005" + + "1780020974429072640276810306302799924668893998032630777409440831" + + "4314588994475223696460940116068336991199969153649625334724122468" + + "7497038281983541563359385775312520539189474547346202842754393945" + + "8755803223951078082197762886933401284142487322057236814878262166" + + "5072306622943221607031324846468109901964841479558565694763440972" + + "5447389416166053148132419345627682740529"), + PRIVATE_KEY.getP(), + PRIVATE_KEY.getQ(), + PRIVATE_KEY.getG()); + + // The following test vectors check for signature malleability and bugs. That means the test + // vectors are derived from a valid signature by modifying the ASN encoding. A correct + // implementation of DSA should only accept correct DER encoding and properly handle the others. + // Allowing alternative BER encodings is in many cases benign. 
An example where this kind of + // signature malleability was a problem: https://en.bitcoin.it/wiki/Transaction_Malleability + static final String[] MODIFIED_SIGNATURES = { + "303e02811c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9e" + + "f41dd424a4e1c8f16967cf3365813fe8786236", + "303f0282001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f" + + "9ef41dd424a4e1c8f16967cf3365813fe8786236", + "303e021d001e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9e" + + "f41dd424a4e1c8f16967cf3365813fe8786236", + "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd02811d00ade65988d237d30f9e" + + "f41dd424a4e1c8f16967cf3365813fe8786236", + "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd0282001d00ade65988d237d30f" + + "9ef41dd424a4e1c8f16967cf3365813fe8786236", + "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021e0000ade65988d237d30f9e" + + "f41dd424a4e1c8f16967cf3365813fe8786236", + "30813d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9e" + + "f41dd424a4e1c8f16967cf3365813fe8786236", + "3082003d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f" + + "9ef41dd424a4e1c8f16967cf3365813fe8786236", + "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9ef4" + + "1dd424a4e1c8f16967cf3365813fe87862360000", + "3040021c57b10411b54ab248af03d8f2456676ebc6d3db5f1081492ac87e9ca8021d00942b117051d7d9d107fc42cac9c5a36a1fd7f0f8916ccca86cec4ed3040100" + }; + + private void testModified() + throws Exception + { + KeyFactory kFact = KeyFactory.getInstance("DSA", "BC"); + PublicKey pubKey = kFact.generatePublic(PUBLIC_KEY); + Signature sig = Signature.getInstance("DSA", "BC"); + + for (int i = 0; i != MODIFIED_SIGNATURES.length; i++) + { + sig.initVerify(pubKey); + + sig.update(Strings.toByteArray("Hello")); + + boolean failed; + + try + { + failed = 
!sig.verify(Hex.decode(MODIFIED_SIGNATURES[i])); + } + catch (SignatureException e) + { + failed = true; + } + + isTrue("sig verified when shouldn't", failed); + } + } + private void testCompat() throws Exception { @@ -959,6 +1066,7 @@ public class DSATest testGeneration(); testParameters(); testDSA2Parameters(); + testModified(); } protected BigInteger[] derDecode( debian/patches/CVE-2016-1000343.patch0000644000000000000000000001466413320113334013455 0ustar From: Markus Koschany Date: Sun, 10 Jun 2018 18:36:31 +0200 Subject: CVE-2016-1000343 Origin: https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389 --- .../asymmetric/dsa/KeyPairGeneratorSpi.java | 70 +++++++++++++++++++++- src/org/bouncycastle/util/Properties.java | 36 +++++++++++ 2 files changed, 103 insertions(+), 3 deletions(-) create mode 100644 src/org/bouncycastle/util/Properties.java diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/KeyPairGeneratorSpi.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/KeyPairGeneratorSpi.java index c6ddf9b..86e084e 100644 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/KeyPairGeneratorSpi.java +++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/KeyPairGeneratorSpi.java 
@@ -6,18 +6,26 @@ import java.security.KeyPair; import java.security.SecureRandom; import java.security.spec.AlgorithmParameterSpec; import java.security.spec.DSAParameterSpec; +import java.util.Hashtable; import org.bouncycastle.crypto.AsymmetricCipherKeyPair; +import org.bouncycastle.crypto.digests.SHA256Digest; import org.bouncycastle.crypto.generators.DSAKeyPairGenerator; import org.bouncycastle.crypto.generators.DSAParametersGenerator; import org.bouncycastle.crypto.params.DSAKeyGenerationParameters; +import org.bouncycastle.crypto.params.DSAParameterGenerationParameters; import org.bouncycastle.crypto.params.DSAParameters; import org.bouncycastle.crypto.params.DSAPrivateKeyParameters; import org.bouncycastle.crypto.params.DSAPublicKeyParameters; +import org.bouncycastle.util.Integers; +import org.bouncycastle.util.Properties; public class KeyPairGeneratorSpi extends java.security.KeyPairGenerator { + private static Hashtable params = new Hashtable(); + private static Object lock = new Object(); + DSAKeyGenerationParameters param; DSAKeyPairGenerator engine = new DSAKeyPairGenerator(); int strength = 1024; @@ -41,6 +49,7 @@ public class KeyPairGeneratorSpi this.strength = strength; this.random = random; + this.initialised = false; } public void initialize( 
@@ -64,10 +73,65 @@ public class KeyPairGeneratorSpi { if (!initialised) { - DSAParametersGenerator pGen = new DSAParametersGenerator(); + Integer paramStrength = Integers.valueOf(strength); + + if (params.containsKey(paramStrength)) + { + param = (DSAKeyGenerationParameters)params.get(paramStrength); + } + else + { + synchronized (lock) + { + // we do the check again in case we were blocked by a generator for + // our key size. + if (params.containsKey(paramStrength)) + { + param = (DSAKeyGenerationParameters)params.get(paramStrength); + } + else + { + DSAParametersGenerator pGen; + DSAParameterGenerationParameters dsaParams; + + // Typical combination of keysize and size of q. + // keysize = 1024, q's size = 160 + // keysize = 2048, q's size = 224 + // keysize = 2048, q's size = 256 + // keysize = 3072, q's size = 256 + // For simplicity if keysize is greater than 1024 then we choose q's size to be 256. + // For legacy keysize that is less than 1024-bit, we just use the 186-2 style parameters + if (strength == 1024) + { + pGen = new DSAParametersGenerator(); + if (Properties.isOverrideSet("org.bouncycastle.dsa.FIPS186-2for1024bits")) + { + pGen.init(strength, certainty, random); + } + else + { + dsaParams = new DSAParameterGenerationParameters(1024, 160, certainty, random); + pGen.init(dsaParams); + } + } + else if (strength > 1024) + { + dsaParams = new DSAParameterGenerationParameters(strength, 256, certainty, random); + pGen = new DSAParametersGenerator(new SHA256Digest()); + pGen.init(dsaParams); + } + else + { + pGen = new DSAParametersGenerator(); + pGen.init(strength, certainty, random); + } + param = new DSAKeyGenerationParameters(random, pGen.generateParameters()); + + params.put(paramStrength, param); + } + } + } - pGen.init(strength, certainty, random); - param = new DSAKeyGenerationParameters(random, pGen.generateParameters()); engine.init(param); initialised = true; } 
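Review bot: The cached `DSAKeyGenerationParameters` object carries the `SecureRandom` of whichever caller generated the parameters first, and both `param = (DSAKeyGenerationParameters)params.get(paramStrength)` branches pass that object straight to `engine.init(param)`, so a later instance initialised with its own `random` will draw its private key from the first caller's generator. Rebuild the object around the cached domain parameters instead, in both places: `param = new DSAKeyGenerationParameters(random, ((DSAKeyGenerationParameters)params.get(paramStrength)).getParameters());`. The cache is keyed by strength only, so `certainty` and the FIPS186-2 override property do not affect a hit; a comment at the `params` declaration should say so. Whether `random` can still be null at this point depends on code outside the hunk.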
diff --git a/src/org/bouncycastle/util/Properties.java b/src/org/bouncycastle/util/Properties.java new file mode 100644 index 0000000..96cef35 --- /dev/null +++ b/src/org/bouncycastle/util/Properties.java @@ -0,0 +1,36 @@ +package org.bouncycastle.util; + +import java.security.AccessControlException; +import java.security.AccessController; +import java.security.PrivilegedAction; + +/** + * Utility method for accessing system properties. + */ +public class Properties +{ + public static boolean isOverrideSet(final String propertyName) + { + try + { + return "true".equals(AccessController.doPrivileged(new PrivilegedAction() + { + // JDK 1.4 compatibility + public Object run() + { + String value = System.getProperty(propertyName); + if (value == null) + { + return null; + } + + return Strings.toLowerCase(value); + } + })); + } + catch (AccessControlException e) + { + return false; + } + } +} debian/patches/CVE-2015-7940-2.patch0000644000000000000000000000572013320113334013375 0ustar From e25e94a046a6934819133886439984e2fecb2b04 Mon Sep 17 00:00:00 2001 
From: Peter Dettman Date: Fri, 25 Jul 2014 14:46:07 +0700 Subject: [PATCH] Add cofactor validation after point decompression Origin: upstream, https://github.com/bcgit/bc-java/commit/e25e94a Bug-Debian: https://bugs.debian.org/802671 Backporting notes of Raphaël Hertzog: * ECCurve.java: - Hunk 1: decompressPoint() does not exist on ECCurve.Fp, dropped. - Hunk 2: drop variable rename, keep only final p.satisfiesCofactor() check Replaced getCofactor() with getH() since the former does not exist yet. But getH() was only available on F2m, added a default implementation returning null to ECCurve (this is what happens with newer versions when you create an Fp curve without specifying the cofactor). * ECPoint.java: done, noted that satisfiesCofactor() adds a supplementary check compared to version 1.44 (h.equals(ECConstants.ONE)) --- src/org/bouncycastle/math/ec/ECCurve.java | 14 +++++++++++++- src/org/bouncycastle/math/ec/ECPoint.java | 9 +++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/src/org/bouncycastle/math/ec/ECCurve.java b/src/org/bouncycastle/math/ec/ECCurve.java index 016642e..4442413 100644 --- a/src/org/bouncycastle/math/ec/ECCurve.java +++ b/src/org/bouncycastle/math/ec/ECCurve.java @@ -111,6 +111,12 @@ public abstract class ECCurve return new BigInteger(1, mag); } + public BigInteger getH() + { + // ECCurve without cofactor by default, overriden by subclasses + return null; + } + /** * Elliptic curve over Fp */ @@ -524,7 +530,13 @@ public abstract class ECCurve throw new IllegalArgumentException("Invalid point compression"); } - return new ECPoint.F2m(this, xp, yp, true); + ECPoint p = new ECPoint.F2m(this, xp, yp); + if (!p.satisfiesCofactor()) + { + throw new IllegalArgumentException("Invalid point"); + } + + return p; } /** diff --git a/src/org/bouncycastle/math/ec/ECPoint.java b/src/org/bouncycastle/math/ec/ECPoint.java index 0c8c1cc..4dfa690 100644 --- a/src/org/bouncycastle/math/ec/ECPoint.java 
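Review bot: The F2m decompressPoint hunk replaces `new ECPoint.F2m(this, xp, yp, true)` with `new ECPoint.F2m(this, xp, yp)`, dropping the fourth argument; if that argument is the withCompression flag, a decompressed point now forgets it was received compressed, which may change what getEncoded() emits — this looks incidental to the cofactor check and should be confirmed or restored. The base-class `getH()` returning null means a curve without a recorded cofactor silently skips the subgroup check in `satisfiesCofactor()`; the backport notes say this mirrors newer upstream, but the comment should state the consequence, e.g. `// null means no cofactor is known; satisfiesCofactor() then performs no subgroup check`. Only the F2m path gets validation here, so per the backport notes Fp callers rely on the separate isValid() check.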
+++ b/src/org/bouncycastle/math/ec/ECPoint.java @@ -28,6 +28,12 @@ public abstract class ECPoint this.y = y; } + protected boolean satisfiesCofactor() + { + BigInteger h = curve.getH(); + return h == null || h.equals(ECConstants.ONE) || !ECAlgorithms.referenceMultiply(this, h).isInfinity(); + } + protected abstract boolean satisfiesCurveEquation(); public ECCurve getCurve() @@ -72,8 +78,7 @@ public abstract class ECPoint return false; } - BigInteger h = curve.getH(); - if (h != null && ECAlgorithms.referenceMultiply(this, h).isInfinity()) + if (!satisfiesCofactor()) { return false; } debian/patches/CVE-2016-1000339.patch0000644000000000000000000005623313320113334013460 0ustar From: Markus Koschany Date: Mon, 18 Jun 2018 23:21:30 +0200 Subject: CVE-2016-1000339 Origin: https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b Origin: https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0 --- src/org/bouncycastle/asn1/x9/DomainParameters.java | 223 +++++++++++++++++++++ src/org/bouncycastle/asn1/x9/ValidationParams.java | 102 ++++++++++ src/org/bouncycastle/crypto/engines/AESEngine.java | 28 ++- .../bouncycastle/crypto/engines/AESFastEngine.java | 6 +- .../provider/asymmetric/dh/BCDHPublicKey.java | 32 ++- .../provider/asymmetric/dh/KeyFactorySpi.java | 9 +- .../jcajce/provider/asymmetric/util/DHUtil.java | 5 + .../jcajce/provider/symmetric/AES.java | 18 +- 8 files changed, 400 insertions(+), 23 deletions(-) create mode 100644 src/org/bouncycastle/asn1/x9/DomainParameters.java create mode 100644 src/org/bouncycastle/asn1/x9/ValidationParams.java diff --git a/src/org/bouncycastle/asn1/x9/DomainParameters.java b/src/org/bouncycastle/asn1/x9/DomainParameters.java new file mode 100644 index 0000000..0555190 --- /dev/null +++ b/src/org/bouncycastle/asn1/x9/DomainParameters.java 
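Review bot: `satisfiesCofactor()` returns true whenever `curve.getH()` is null, so the name promises more than it checks on curves without a cofactor; a javadoc line should say so, e.g. `Returns true if no cofactor is known for the curve, if h == 1, or if h*P is not the point at infinity.` The `h.equals(ECConstants.ONE)` short-circuit changes behaviour for the point at infinity compared with the removed `if (h != null && ...)` form (for h = 1 the old code returned false on infinity, the new helper returns true), which is harmless only if isValid() has already rejected infinity earlier in its body, which is outside the hunk — worth confirming and noting in the comment.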
@@ -0,0 +1,223 @@ +package org.bouncycastle.asn1.x9; + +import java.math.BigInteger; +import java.util.Enumeration; + +import org.bouncycastle.asn1.ASN1Encodable; +import org.bouncycastle.asn1.ASN1EncodableVector; +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.ASN1Object; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.ASN1TaggedObject; +import org.bouncycastle.asn1.DERSequence; + +/** + * X9.44 Diffie-Hellman domain parameters. + *
+ *    DomainParameters ::= SEQUENCE {
+ *       p                INTEGER,           -- odd prime, p=jq +1
+ *       g                INTEGER,           -- generator, g
+ *       q                INTEGER,           -- factor of p-1
+ *       j                INTEGER OPTIONAL,  -- subgroup factor, j >= 2
+ *       validationParams  ValidationParams OPTIONAL
+ *    }
+ * 
+ */ +public class DomainParameters + extends ASN1Object +{ + private final ASN1Integer p, g, q, j; + private final ValidationParams validationParams; + + /** + * Return a DomainParameters object from the passed in tagged object. + * + * @param obj a tagged object. + * @param explicit true if the contents of the object is explictly tagged, false otherwise. + * @return a DomainParameters + */ + public static DomainParameters getInstance(ASN1TaggedObject obj, boolean explicit) + { + return getInstance(ASN1Sequence.getInstance(obj, explicit)); + } + + /** + * Return a DomainParameters object from the passed in object. + * + * @param obj an object for conversion or a byte[]. + * @return a DomainParameters + */ + public static DomainParameters getInstance(Object obj) + { + if (obj instanceof DomainParameters) + { + return (DomainParameters)obj; + } + else if (obj != null) + { + return new DomainParameters(ASN1Sequence.getInstance(obj)); + } + + return null; + } + + /** + * Base constructor - the full domain parameter set. + * + * @param p the prime p defining the Galois field. + * @param g the generator of the multiplicative subgroup of order g. + * @param q specifies the prime factor of p - 1 + * @param j optionally specifies the value that satisfies the equation p = jq+1 + * @param validationParams parameters for validating these domain parameters. 
+ */ + public DomainParameters(BigInteger p, BigInteger g, BigInteger q, BigInteger j, + ValidationParams validationParams) + { + if (p == null) + { + throw new IllegalArgumentException("'p' cannot be null"); + } + if (g == null) + { + throw new IllegalArgumentException("'g' cannot be null"); + } + if (q == null) + { + throw new IllegalArgumentException("'q' cannot be null"); + } + + this.p = new ASN1Integer(p); + this.g = new ASN1Integer(g); + this.q = new ASN1Integer(q); + + if (j != null) + { + this.j = new ASN1Integer(j); + } + else + { + this.j = null; + } + this.validationParams = validationParams; + } + + private DomainParameters(ASN1Sequence seq) + { + if (seq.size() < 3 || seq.size() > 5) + { + throw new IllegalArgumentException("Bad sequence size: " + seq.size()); + } + + Enumeration e = seq.getObjects(); + this.p = ASN1Integer.getInstance(e.nextElement()); + this.g = ASN1Integer.getInstance(e.nextElement()); + this.q = ASN1Integer.getInstance(e.nextElement()); + + ASN1Encodable next = getNext(e); + + if (next != null && next instanceof ASN1Integer) + { + this.j = ASN1Integer.getInstance(next); + next = getNext(e); + } + else + { + this.j = null; + } + + if (next != null) + { + this.validationParams = ValidationParams.getInstance(next.toASN1Primitive()); + } + else + { + this.validationParams = null; + } + } + + private static ASN1Encodable getNext(Enumeration e) + { + return e.hasMoreElements() ? (ASN1Encodable)e.nextElement() : null; + } + + /** + * Return the prime p defining the Galois field. + * + * @return the prime p. + */ + public BigInteger getP() + { + return this.p.getPositiveValue(); + } + + /** + * Return the generator of the multiplicative subgroup of order g. + * + * @return the generator g. 
+ */ + public BigInteger getG() + { + return this.g.getPositiveValue(); + } + + /** + * Return q, the prime factor of p - 1 + * + * @return q value + */ + public BigInteger getQ() + { + return this.q.getPositiveValue(); + } + + /** + * Return the value that satisfies the equation p = jq+1 (if present). + * + * @return j value or null. + */ + public BigInteger getJ() + { + if (this.j == null) + { + return null; + } + + return this.j.getPositiveValue(); + } + + /** + * Return the validation parameters for this set (if present). + * + * @return validation parameters, or null if absent. + */ + public ValidationParams getValidationParams() + { + return this.validationParams; + } + + /** + * Return an ASN.1 primitive representation of this object. + * + * @return a DERSequence containing the parameter values. + */ + public ASN1Primitive toASN1Primitive() + { + ASN1EncodableVector v = new ASN1EncodableVector(); + v.add(this.p); + v.add(this.g); + v.add(this.q); + + if (this.j != null) + { + v.add(this.j); + } + + if (this.validationParams != null) + { + v.add(this.validationParams); + } + + return new DERSequence(v); + } +} \ No newline at end of file diff --git a/src/org/bouncycastle/asn1/x9/ValidationParams.java b/src/org/bouncycastle/asn1/x9/ValidationParams.java new file mode 100644 index 0000000..855974d --- /dev/null +++ b/src/org/bouncycastle/asn1/x9/ValidationParams.java @@ -0,0 +1,102 @@ +package org.bouncycastle.asn1.x9; + +import java.math.BigInteger; + +import org.bouncycastle.asn1.ASN1EncodableVector; +import org.bouncycastle.asn1.ASN1Integer; +import org.bouncycastle.asn1.ASN1Object; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.ASN1Sequence; +import org.bouncycastle.asn1.ASN1TaggedObject; +import org.bouncycastle.asn1.DERBitString; +import org.bouncycastle.asn1.DERSequence; + +/** + * Diffie-Hellman domain validation parameters. + *
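Review bot: The javadoc on the constructor's `g` parameter and on `getG()` describes g as "the generator of the multiplicative subgroup of order g"; the order of that subgroup is q, as the ASN.1 comment `q INTEGER, -- factor of p-1` says, so both should read `order q`. In the sequence constructor `next != null && next instanceof ASN1Integer` can be just `next instanceof ASN1Integer`, since instanceof is false for null. The getters use `getPositiveValue()`, which reinterprets a negatively-encoded value as unsigned rather than rejecting it; a comment on `getP()` saying the decoder does not validate p, g or q and that consumers must do so would save the next reader from assuming otherwise.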
+ * ValidationParams ::= SEQUENCE {
+ *    seed         BIT STRING,
+ *    pgenCounter  INTEGER
+ * }
+ * 
+ */ +public class ValidationParams + extends ASN1Object +{ + private DERBitString seed; + private ASN1Integer pgenCounter; + + public static ValidationParams getInstance(ASN1TaggedObject obj, boolean explicit) + { + return getInstance(ASN1Sequence.getInstance(obj, explicit)); + } + + public static ValidationParams getInstance(Object obj) + { + if (obj instanceof ValidationParams) + { + return (ValidationParams)obj; + } + else if (obj != null) + { + return new ValidationParams(ASN1Sequence.getInstance(obj)); + } + + return null; + } + + public ValidationParams(byte[] seed, int pgenCounter) + { + if (seed == null) + { + throw new IllegalArgumentException("'seed' cannot be null"); + } + + this.seed = new DERBitString(seed); + this.pgenCounter = new ASN1Integer(pgenCounter); + } + + public ValidationParams(DERBitString seed, ASN1Integer pgenCounter) + { + if (seed == null) + { + throw new IllegalArgumentException("'seed' cannot be null"); + } + if (pgenCounter == null) + { + throw new IllegalArgumentException("'pgenCounter' cannot be null"); + } + + this.seed = seed; + this.pgenCounter = pgenCounter; + } + + private ValidationParams(ASN1Sequence seq) + { + if (seq.size() != 2) + { + throw new IllegalArgumentException("Bad sequence size: " + seq.size()); + } + + this.seed = DERBitString.getInstance(seq.getObjectAt(0)); + this.pgenCounter = ASN1Integer.getInstance(seq.getObjectAt(1)); + } + + public byte[] getSeed() + { + return this.seed.getBytes(); + } + + public BigInteger getPgenCounter() + { + return this.pgenCounter.getPositiveValue(); + } + + public ASN1Primitive toASN1Primitive() + { + ASN1EncodableVector v = new ASN1EncodableVector(); + v.add(this.seed); + v.add(this.pgenCounter); + return new DERSequence(v); + } +} diff --git a/src/org/bouncycastle/crypto/engines/AESEngine.java b/src/org/bouncycastle/crypto/engines/AESEngine.java index 756197c..4166ae0 100644 --- a/src/org/bouncycastle/crypto/engines/AESEngine.java 
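Review bot: `seed` and `pgenCounter` are non-final here while the sibling DomainParameters in the same patch declares its fields `private final`; every constructor assigns both exactly once, so `private final DERBitString seed;` and `private final ASN1Integer pgenCounter;` would make the immutability explicit and consistent. The class also lacks the per-method javadoc that DomainParameters carries; a one-line description on getInstance, getSeed and getPgenCounter (noting that the counter is read with `getPositiveValue()`) would bring it to the same standard.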
+++ b/src/org/bouncycastle/crypto/engines/AESEngine.java @@ -5,6 +5,7 @@ import org.bouncycastle.crypto.CipherParameters; import org.bouncycastle.crypto.DataLengthException; import org.bouncycastle.crypto.OutputLengthException; import org.bouncycastle.crypto.params.KeyParameter; +import org.bouncycastle.util.Arrays; /** * an implementation of the AES (Rijndael), from FIPS-197. @@ -334,6 +335,8 @@ private static final int[] Tinv0 = private int C0, C1, C2, C3; private boolean forEncryption; + private byte[] s; + private static final int BLOCK_SIZE = 16; /** @@ -359,6 +362,14 @@ private static final int[] Tinv0 = { WorkingKey = generateWorkingKey(((KeyParameter)params).getKey(), forEncryption); this.forEncryption = forEncryption; + if (forEncryption) + { + s = Arrays.clone(S); + } + else + { + s = Arrays.clone(Si); + } return; } @@ -501,10 +512,10 @@ private static final int[] Tinv0 = // the final round's table is a simple function of S so we don't use a whole other four tables for it - C0 = (S[r0&255]&255) ^ ((S[(r1>>8)&255]&255)<<8) ^ ((S[(r2>>16)&255]&255)<<16) ^ (S[(r3>>24)&255]<<24) ^ KW[r][0]; - C1 = (S[r1&255]&255) ^ ((S[(r2>>8)&255]&255)<<8) ^ ((S[(r3>>16)&255]&255)<<16) ^ (S[(r0>>24)&255]<<24) ^ KW[r][1]; - C2 = (S[r2&255]&255) ^ ((S[(r3>>8)&255]&255)<<8) ^ ((S[(r0>>16)&255]&255)<<16) ^ (S[(r1>>24)&255]<<24) ^ KW[r][2]; - C3 = (S[r3&255]&255) ^ ((S[(r0>>8)&255]&255)<<8) ^ ((S[(r1>>16)&255]&255)<<16) ^ (S[(r2>>24)&255]<<24) ^ KW[r][3]; + C0 = (S[r0&255]&255) ^ ((S[(r1>>8)&255]&255)<<8) ^ ((s[(r2>>16)&255]&255)<<16) ^ (s[(r3>>24)&255]<<24) ^ KW[r][0]; + C1 = (s[r1&255]&255) ^ ((S[(r2>>8)&255]&255)<<8) ^ ((S[(r3>>16)&255]&255)<<16) ^ (s[(r0>>24)&255]<<24) ^ KW[r][1]; + C2 = (s[r2&255]&255) ^ ((S[(r3>>8)&255]&255)<<8) ^ ((S[(r0>>16)&255]&255)<<16) ^ (S[(r1>>24)&255]<<24) ^ KW[r][2]; + C3 = (s[r3&255]&255) ^ ((s[(r0>>8)&255]&255)<<8) ^ ((s[(r1>>16)&255]&255)<<16) ^ (S[(r2>>24)&255]<<24) ^ KW[r][3]; } 
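Review bot: The final-round lines now index a mix of the static table `S` and the per-instance clone `s` with no comment explaining the choice, and a reader will assume a typo and "fix" it back to `S`. Add at the `private byte[] s;` declaration something like `// per-instance copy of S/Si used for some of the final-round lookups (see CVE-2016-1000339); presumably intended to vary which cache lines the last round touches — confirm against the upstream commit`, and a short `// mixes S and the instance copy s on purpose` above the four assignments. `s` is assigned only in init() for a KeyParameter, so a processBlock() before init() would dereference null at these lines unless an earlier WorkingKey check, outside the hunk, already throws. The same applies to the decrypt hunk that follows.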
@@ -538,9 +549,10 @@ private static final int[] Tinv0 = // the final round's table is a simple function of Si so we don't use a whole other four tables for it - C0 = (Si[r0&255]&255) ^ ((Si[(r3>>8)&255]&255)<<8) ^ ((Si[(r2>>16)&255]&255)<<16) ^ (Si[(r1>>24)&255]<<24) ^ KW[0][0]; - C1 = (Si[r1&255]&255) ^ ((Si[(r0>>8)&255]&255)<<8) ^ ((Si[(r3>>16)&255]&255)<<16) ^ (Si[(r2>>24)&255]<<24) ^ KW[0][1]; - C2 = (Si[r2&255]&255) ^ ((Si[(r1>>8)&255]&255)<<8) ^ ((Si[(r0>>16)&255]&255)<<16) ^ (Si[(r3>>24)&255]<<24) ^ KW[0][2]; - C3 = (Si[r3&255]&255) ^ ((Si[(r2>>8)&255]&255)<<8) ^ ((Si[(r1>>16)&255]&255)<<16) ^ (Si[(r0>>24)&255]<<24) ^ KW[0][3]; + C0 = (Si[r0&255]&255) ^ ((s[(r3>>8)&255]&255)<<8) ^ ((s[(r2>>16)&255]&255)<<16) ^ (Si[(r1>>24)&255]<<24) ^ KW[0][0]; + C1 = (s[r1&255]&255) ^ ((s[(r0>>8)&255]&255)<<8) ^ ((Si[(r3>>16)&255]&255)<<16) ^ (s[(r2>>24)&255]<<24) ^ KW[0][1]; + C2 = (s[r2&255]&255) ^ ((Si[(r1>>8)&255]&255)<<8) ^ ((Si[(r0>>16)&255]&255)<<16) ^ (s[(r3>>24)&255]<<24) ^ KW[0][2]; + C3 = (Si[r3&255]&255) ^ ((s[(r2>>8)&255]&255)<<8) ^ ((s[(r1>>16)&255]&255)<<16) ^ (s[(r0>>24)&255]<<24) ^ KW[0][3]; + } } diff --git a/src/org/bouncycastle/crypto/engines/AESFastEngine.java b/src/org/bouncycastle/crypto/engines/AESFastEngine.java index ff4b2f8..b17c87b 100644 --- a/src/org/bouncycastle/crypto/engines/AESFastEngine.java +++ b/src/org/bouncycastle/crypto/engines/AESFastEngine.java @@ -25,9 +25,11 @@ import org.bouncycastle.crypto.params.KeyParameter; * the contents of the first * * The slowest version uses no static tables at all and computes the values in each round + *

*

- * This file contains the fast version with 8Kbytes of static tables for round precomputation - * + * This file contains the fast version with 8Kbytes of static tables for round precomputation. + *

+ * @deprecated unfortunately this class is has a few side channel issues. In an environment where encryption/decryption may be closely observed it should not be used. */ public class AESFastEngine implements BlockCipher diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/BCDHPublicKey.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/BCDHPublicKey.java index 0697f75..ae92980 100644 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/BCDHPublicKey.java +++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/BCDHPublicKey.java @@ -16,10 +16,14 @@ import org.bouncycastle.asn1.pkcs.DHParameter; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; import org.bouncycastle.asn1.x509.AlgorithmIdentifier; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; -import org.bouncycastle.asn1.x9.DHDomainParameters; import org.bouncycastle.asn1.x9.X9ObjectIdentifiers; +import org.bouncycastle.asn1.x9.DHDomainParameters; +import org.bouncycastle.asn1.x9.DomainParameters; +import org.bouncycastle.asn1.x9.ValidationParams; import org.bouncycastle.crypto.params.DHPublicKeyParameters; import org.bouncycastle.jcajce.provider.asymmetric.util.KeyUtil; +import org.bouncycastle.crypto.params.DHParameters; +import org.bouncycastle.crypto.params.DHValidationParameters; public class BCDHPublicKey implements DHPublicKey @@ -28,6 +32,7 @@ public class BCDHPublicKey private BigInteger y; + private transient DHPublicKeyParameters dhPublicKey; private transient DHParameterSpec dhSpec; private transient SubjectPublicKeyInfo info; @@ -36,6 +41,7 @@ public class BCDHPublicKey { this.y = spec.getY(); this.dhSpec = new DHParameterSpec(spec.getP(), spec.getG()); + this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(spec.getP(), spec.getG())); } BCDHPublicKey( 
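Review bot: The new @deprecated text reads "this class is has a few side channel issues"; drop the stray `is`. It would also help callers to name the replacement, e.g. `@deprecated this class has known cache-timing side channel issues; where encryption or decryption may be closely observed use AESEngine instead` — assuming AESEngine is the intended substitute, which the cut-off AES.java section at the end of this patch presumably decides.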
@@ -43,6 +49,7 @@ public class BCDHPublicKey { this.y = key.getY(); this.dhSpec = key.getParams(); + this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(dhSpec.getP(), dhSpec.getG())); } BCDHPublicKey( @@ -50,6 +57,7 @@ public class BCDHPublicKey { this.y = params.getY(); this.dhSpec = new DHParameterSpec(params.getParameters().getP(), params.getParameters().getG(), params.getParameters().getL()); + this.dhPublicKey = params; } BCDHPublicKey( @@ -58,6 +66,7 @@ public class BCDHPublicKey { this.y = y; this.dhSpec = dhSpec; + this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(dhSpec.getP(), dhSpec.getG())); } public BCDHPublicKey( @@ -93,12 +102,24 @@ public class BCDHPublicKey { this.dhSpec = new DHParameterSpec(params.getP(), params.getG()); } + this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(dhSpec.getP(), dhSpec.getG())); } else if (id.equals(X9ObjectIdentifiers.dhpublicnumber)) { - DHDomainParameters params = DHDomainParameters.getInstance(seq); + DomainParameters params = DomainParameters.getInstance(seq); + + this.dhSpec = new DHParameterSpec(params.getP(), params.getG()); + ValidationParams validationParams = params.getValidationParams(); + if (validationParams != null) + { + this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(params.getP(), params.getG(), params.getQ(), params.getJ(), + new DHValidationParameters(validationParams.getSeed(), validationParams.getPgenCounter().intValue()))); + } + else + { + this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(params.getP(), params.getG(), params.getQ(), params.getJ(), null)); + } - this.dhSpec = new DHParameterSpec(params.getP().getValue(), params.getG().getValue()); } else { @@ -136,6 +157,11 @@ public class BCDHPublicKey return y; } + public DHPublicKeyParameters engineGetKeyParameters() + { + return dhPublicKey; + } + private boolean isPKCSParam(ASN1Sequence seq) { if (seq.size() == 2) 
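Review bot: The new `dhPublicKey` field is declared `transient` (first hunk of this file), but none of the hunks here touch readObject, so a BCDHPublicKey that goes through Java serialization comes back with `dhPublicKey == null` while `engineGetKeyParameters()` in the last hunk returns it unconditionally, and the validation performed in the constructors is skipped for such a key. If readObject rebuilds `dhSpec` from the stored p/g (it is likewise transient, so presumably it does), rebuild the parameters there too: `this.dhPublicKey = new DHPublicKeyParameters(y, new DHParameters(dhSpec.getP(), dhSpec.getG()));`. Note also that the DHPublicKey and DHParameterSpec constructor paths drop `dhSpec.getL()` and supply no q, so the subgroup check can at most be a range check for those keys. readObject and the rest of the class lie outside these hunks.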
diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyFactorySpi.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyFactorySpi.java index 9565bd2..e422b65 100644 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyFactorySpi.java +++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyFactorySpi.java @@ -82,7 +82,14 @@ public class KeyFactorySpi { if (keySpec instanceof DHPublicKeySpec) { - return new BCDHPublicKey((DHPublicKeySpec)keySpec); + try + { + return new BCDHPublicKey((DHPublicKeySpec)keySpec); + } + catch (IllegalArgumentException e) + { + throw new InvalidKeySpecException(e.getMessage(), e); + } } return super.engineGeneratePublic(keySpec); diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/util/DHUtil.java b/src/org/bouncycastle/jcajce/provider/asymmetric/util/DHUtil.java index 52c84ec..07f8cfd 100644 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/util/DHUtil.java +++ b/src/org/bouncycastle/jcajce/provider/asymmetric/util/DHUtil.java @@ -11,6 +11,7 @@ import org.bouncycastle.crypto.params.AsymmetricKeyParameter; import org.bouncycastle.crypto.params.DHParameters; import org.bouncycastle.crypto.params.DHPrivateKeyParameters; import org.bouncycastle.crypto.params.DHPublicKeyParameters; +import org.bouncycastle.jcajce.provider.asymmetric.dh.BCDHPublicKey; /** * utility class for converting jce/jca DH objects @@ -22,6 +23,10 @@ public class DHUtil PublicKey key) throws InvalidKeyException { + if (key instanceof BCDHPublicKey) + { + return ((BCDHPublicKey)key).engineGetKeyParameters(); + } if (key instanceof DHPublicKey) { DHPublicKey k = (DHPublicKey)key; diff --git a/src/org/bouncycastle/jcajce/provider/symmetric/AES.java b/src/org/bouncycastle/jcajce/provider/symmetric/AES.java index 7a6f7b0..3bd5eff 100644 --- a/src/org/bouncycastle/jcajce/provider/symmetric/AES.java +++ b/src/org/bouncycastle/jcajce/provider/symmetric/AES.java 
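Review bot: The new `instanceof BCDHPublicKey` branch in DHUtil.generatePublicKeyParameter returns `engineGetKeyParameters()` without a null check, and that accessor is backed by a `transient` field (see the BCDHPublicKey hunks earlier on this page), so a deserialized BCDHPublicKey makes this method return null instead of falling through to the generic DHPublicKey path that follows. Guard the fast path: `DHPublicKeyParameters params = ((BCDHPublicKey)key).engineGetKeyParameters(); if (params != null) { return params; }` and let the existing `instanceof DHPublicKey` branch handle the rest. The KeyFactorySpi hunk's translation of IllegalArgumentException into InvalidKeySpecException is the right contract for engineGeneratePublic. The remainder of both methods lies outside the hunks.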
@@ -12,7 +12,7 @@ import org.bouncycastle.asn1.nist.NISTObjectIdentifiers; import org.bouncycastle.crypto.BlockCipher; import org.bouncycastle.crypto.BufferedBlockCipher; import org.bouncycastle.crypto.CipherKeyGenerator; -import org.bouncycastle.crypto.engines.AESFastEngine; +import org.bouncycastle.crypto.engines.AESEngine; import org.bouncycastle.crypto.engines.AESWrapEngine; import org.bouncycastle.crypto.engines.RFC3211WrapEngine; import org.bouncycastle.crypto.macs.CMac; @@ -47,7 +47,7 @@ public final class AES { public BlockCipher get() { - return new AESFastEngine(); + return new AESEngine(); } }); } @@ -58,7 +58,7 @@ public final class AES { public CBC() { - super(new CBCBlockCipher(new AESFastEngine()), 128); + super(new CBCBlockCipher(new AESEngine()), 128); } } @@ -67,7 +67,7 @@ public final class AES { public CFB() { - super(new BufferedBlockCipher(new CFBBlockCipher(new AESFastEngine(), 128)), 128); + super(new BufferedBlockCipher(new CFBBlockCipher(new AESEngine(), 128)), 128); } } @@ -76,7 +76,7 @@ public final class AES { public OFB() { - super(new BufferedBlockCipher(new OFBBlockCipher(new AESFastEngine(), 128)), 128); + super(new BufferedBlockCipher(new OFBBlockCipher(new AESEngine(), 128)), 128); } } @@ -85,7 +85,7 @@ public final class AES { public AESCMAC() { - super(new CMac(new AESFastEngine())); + super(new CMac(new AESEngine())); } } @@ -94,7 +94,7 @@ public final class AES { public AESGMAC() { - super(new GMac(new GCMBlockCipher(new AESFastEngine()))); + super(new GMac(new GCMBlockCipher(new AESEngine()))); } } @@ -112,7 +112,7 @@ public final class AES { public RFC3211Wrap() { - super(new RFC3211WrapEngine(new AESFastEngine()), 16); + super(new RFC3211WrapEngine(new AESEngine()), 16); } } 
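Review bot: Swapping AESFastEngine for AESEngine in every cipher, MAC and wrap constructor of this file narrows the cache-timing surface but, as far as I can tell, AESEngine in this version is still a table-driven implementation, so the provider's AES is not constant-time after this change; the deprecation note on AESFastEngine shown earlier on this page ("should not be used" where operations may be closely observed) arguably still applies in weaker form. It would help maintainers to record that at the point of choice, e.g. above `get()` in the ECB provider: `// AESEngine rather than AESFastEngine: smaller tables, less cache-timing leakage; still not constant-time (TODO confirm against the engine in this tree).` The enclosing classes continue outside these hunks.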
@@ -125,7 +125,7 @@ public final class AES { public PBEWithAESCBC() { - super(new CBCBlockCipher(new AESFastEngine())); + super(new CBCBlockCipher(new AESEngine())); } } debian/patches/CVE-2016-1000346.patch0000644000000000000000000001327513320113334013455 0ustar From: Markus Koschany Date: Mon, 11 Jun 2018 13:15:18 +0200 Subject: CVE-2016-1000346 Origin: https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495 --- .../bouncycastle/crypto/agreement/DHAgreement.java | 14 +++++++++++--- .../crypto/agreement/DHBasicAgreement.java | 10 +++++++++- src/org/bouncycastle/crypto/engines/IESEngine.java | 4 ++++ .../provider/asymmetric/dh/KeyAgreementSpi.java | 21 ++++++++++++++++----- 4 files changed, 40 insertions(+), 9 deletions(-) diff --git a/src/org/bouncycastle/crypto/agreement/DHAgreement.java b/src/org/bouncycastle/crypto/agreement/DHAgreement.java index 021a715..84c5839 100644 --- a/src/org/bouncycastle/crypto/agreement/DHAgreement.java +++ b/src/org/bouncycastle/crypto/agreement/DHAgreement.java @@ -6,11 +6,11 @@ import java.security.SecureRandom; import org.bouncycastle.crypto.AsymmetricCipherKeyPair; import org.bouncycastle.crypto.CipherParameters; import org.bouncycastle.crypto.generators.DHKeyPairGenerator; +import org.bouncycastle.crypto.params.AsymmetricKeyParameter; import org.bouncycastle.crypto.params.DHKeyGenerationParameters; import org.bouncycastle.crypto.params.DHParameters; -import org.bouncycastle.crypto.params.DHPublicKeyParameters; import org.bouncycastle.crypto.params.DHPrivateKeyParameters; -import org.bouncycastle.crypto.params.AsymmetricKeyParameter; +import org.bouncycastle.crypto.params.DHPublicKeyParameters; import org.bouncycastle.crypto.params.ParametersWithRandom; /** 
@@ -26,6 +26,8 @@ import org.bouncycastle.crypto.params.ParametersWithRandom; */ public class DHAgreement { + private static final BigInteger ONE = BigInteger.valueOf(1); + private DHPrivateKeyParameters key; private DHParameters dhParams; private BigInteger privateValue; @@ -89,6 +91,12 @@ public class DHAgreement BigInteger p = dhParams.getP(); - return message.modPow(key.getX(), p).multiply(pub.getY().modPow(privateValue, p)).mod(p); + BigInteger result = pub.getY().modPow(privateValue, p); + if (result.compareTo(ONE) == 0) + { + throw new IllegalStateException("Shared key can't be 1"); + } + + return message.modPow(key.getX(), p).multiply(result).mod(p); } } diff --git a/src/org/bouncycastle/crypto/agreement/DHBasicAgreement.java b/src/org/bouncycastle/crypto/agreement/DHBasicAgreement.java index d2e2a09..4dd80d0 100644 --- a/src/org/bouncycastle/crypto/agreement/DHBasicAgreement.java +++ b/src/org/bouncycastle/crypto/agreement/DHBasicAgreement.java @@ -20,6 +20,8 @@ import org.bouncycastle.crypto.params.ParametersWithRandom; public class DHBasicAgreement implements BasicAgreement { + private static final BigInteger ONE = BigInteger.valueOf(1); + private DHPrivateKeyParameters key; private DHParameters dhParams; @@ -66,6 +68,12 @@ public class DHBasicAgreement throw new IllegalArgumentException("Diffie-Hellman public key has wrong parameters."); } - return pub.getY().modPow(key.getX(), dhParams.getP()); + BigInteger result = pub.getY().modPow(key.getX(), dhParams.getP()); + if (result.compareTo(ONE) == 0) + { + throw new IllegalStateException("Shared key can't be 1"); + } + + return result; } } diff --git a/src/org/bouncycastle/crypto/engines/IESEngine.java b/src/org/bouncycastle/crypto/engines/IESEngine.java index ea8556d..5a9976c 100755 --- a/src/org/bouncycastle/crypto/engines/IESEngine.java +++ b/src/org/bouncycastle/crypto/engines/IESEngine.java 
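Review bot: The new check in DHBasicAgreement.calculateAgreement (and the matching one in DHAgreement) rejects only a shared secret equal to 1; unlike the KeyAgreementSpi hunk later in this patch, the peer value `pub.getY()` is never range-checked, so y = 0, 1 or p−1 is still accepted and, for y = p−1, the secret is 1 or p−1 depending on the parity of the private exponent, only the former being caught. Mirror the JCE path before the modPow: `BigInteger peerY = pub.getY(); if (peerY == null || peerY.compareTo(ONE) <= 0 || peerY.compareTo(p.subtract(ONE)) >= 0) { throw new IllegalArgumentException("Diffie-Hellman public key is weak"); }` with `p` taken from `dhParams.getP()`, and consider rejecting `result.equals(p.subtract(ONE))` alongside the equals-one test. Even with the range check, a group whose p is not a safe prime remains exposed to small-subgroup confinement unless q is known and `peerY.modPow(q, p)` is verified to be 1. Both calculateAgreement methods start outside their hunks.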
@@ -363,6 +363,10 @@ public class IESEngine { throw new InvalidCipherTextException("unable to recover ephemeral public key: " + e.getMessage(), e); } + catch (IllegalArgumentException e) + { + throw new InvalidCipherTextException("unable to recover ephemeral public key: " + e.getMessage(), e); + } int encLength = (inLen - bIn.available()); this.V = Arrays.copyOfRange(in, inOff, inOff + encLength); diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyAgreementSpi.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyAgreementSpi.java index c9462a6..62a8d68 100644 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyAgreementSpi.java +++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/KeyAgreementSpi.java @@ -27,6 +27,9 @@ import org.bouncycastle.util.Strings; public class KeyAgreementSpi extends javax.crypto.KeyAgreementSpi { + private static final BigInteger ONE = BigInteger.valueOf(1); + private static final BigInteger TWO = BigInteger.valueOf(2); + private BigInteger x; private BigInteger p; private BigInteger g; @@ -84,14 +87,22 @@ public class KeyAgreementSpi throw new InvalidKeyException("DHPublicKey not for this KeyAgreement!"); } - if (lastPhase) + BigInteger peerY = ((DHPublicKey)key).getY(); + if (peerY == null || peerY.compareTo(TWO) < 0 + || peerY.compareTo(p.subtract(ONE)) >= 0) { - result = ((DHPublicKey)key).getY().modPow(x, p); - return null; + throw new InvalidKeyException("Invalid DH PublicKey"); } - else + + result = peerY.modPow(x, p); + if (result.compareTo(ONE) == 0) { - result = ((DHPublicKey)key).getY().modPow(x, p); + throw new InvalidKeyException("Shared key can't be 1"); + } + + if (lastPhase) + { + return null; } return new BCDHPublicKey(result, pubKey.getParams()); debian/patches/CVE-2016-1000342.patch0000644000000000000000000001163013320113334013442 0ustar 
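Review bot: In KeyAgreementSpi.engineDoPhase the new range check on `peerY` together with `result.compareTo(ONE) == 0` stops the trivial subgroup, but `result` is not compared against `p.subtract(ONE)`, and when p is not a safe prime a peer value of small order r > 2 passes both checks and confines `result` to r possibilities. Where the peer key carries q (the BCDHPublicKey changes shown earlier on this page store it in DHParameters when the X9.42 encoding supplies one; a plain DHParameterSpec does not expose it), add `if (q != null && !peerY.modPow(q, p).equals(ONE)) throw new InvalidKeyException("Invalid DH PublicKey");` beside the range check, and reject `result.equals(p.subtract(ONE))` next to the existing test. A one-line comment on the range check, `// y must lie in [2, p-2]: 0, 1 and p-1 generate trivial subgroups`, would make its purpose explicit. engineDoPhase starts outside the hunk.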
From: Markus Koschany Date: Fri, 6 Jul 2018 07:34:24 +0200 Subject: CVE-2016-1000342 Origin: https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647 --- src/org/bouncycastle/asn1/ASN1Enumerated.java | 13 +++++++++++++ src/org/bouncycastle/asn1/ASN1Integer.java | 13 +++++++++++++ .../jcajce/provider/asymmetric/dsa/DSASigner.java | 6 ++++++ .../jcajce/provider/asymmetric/ec/SignatureSpi.java | 12 +++++++++++- 4 files changed, 43 insertions(+), 1 deletion(-) diff --git a/src/org/bouncycastle/asn1/ASN1Enumerated.java b/src/org/bouncycastle/asn1/ASN1Enumerated.java index d93fd91..9151540 100644 --- a/src/org/bouncycastle/asn1/ASN1Enumerated.java +++ b/src/org/bouncycastle/asn1/ASN1Enumerated.java @@ -1,6 +1,8 @@ package org.bouncycastle.asn1; +import java.io.IOException; import java.math.BigInteger; +import org.bouncycastle.util.Arrays; public class ASN1Enumerated extends DEREnumerated @@ -8,6 +10,17 @@ public class ASN1Enumerated ASN1Enumerated(byte[] bytes) { super(bytes); + if (bytes.length > 1) + { + if (bytes[0] == 0 && (bytes[1] & 0x80) == 0) + { + throw new IllegalArgumentException("malformed enumerated"); + } + if (bytes[0] == (byte)0xff && (bytes[1] & 0x80) != 0) + { + throw new IllegalArgumentException("malformed enumerated"); + } + } } public ASN1Enumerated(BigInteger value) diff --git a/src/org/bouncycastle/asn1/ASN1Integer.java b/src/org/bouncycastle/asn1/ASN1Integer.java index d60c6a8..c0c1bda 100644 --- a/src/org/bouncycastle/asn1/ASN1Integer.java +++ b/src/org/bouncycastle/asn1/ASN1Integer.java @@ -1,6 +1,8 @@ package org.bouncycastle.asn1; +import java.io.IOException; import java.math.BigInteger; +import org.bouncycastle.util.Arrays; public class ASN1Integer extends DERInteger 
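Review bot: The two imports added at the top of ASN1Enumerated (`java.io.IOException`, `org.bouncycastle.util.Arrays`) are not used by anything this hunk adds, and the same unused pair is added to ASN1Integer in the next file; they should be dropped rather than left as a trace of a larger upstream change that was not backported. The minimal-encoding check is right for `bytes.length > 1`, but an empty content octet string still gets through and, assuming the superclass materialises the value lazily via `new BigInteger(bytes)`, would surface later as a NumberFormatException rather than the IllegalArgumentException this check standardises on; `if (bytes.length == 0) { throw new IllegalArgumentException("malformed enumerated"); }` closes that gap. A short comment would help future readers: `// DER requires the minimal encoding: a leading 0x00 or 0xFF not needed for the sign is a non-canonical (BER) form and is rejected`. The class continues outside the hunk.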
@@ -8,6 +10,17 @@ public class ASN1Integer ASN1Integer(byte[] bytes) { super(bytes); + if (bytes.length > 1) + { + if (bytes[0] == 0 && (bytes[1] & 0x80) == 0) + { + throw new IllegalArgumentException("malformed integer"); + } + if (bytes[0] == (byte)0xff && (bytes[1] & 0x80) != 0) + { + throw new IllegalArgumentException("malformed integer"); + } + } } public ASN1Integer(BigInteger value) diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java index ea46467..b985a8b 100644 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java +++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java @@ -29,6 +29,7 @@ import org.bouncycastle.crypto.digests.SHA256Digest; import org.bouncycastle.crypto.digests.SHA384Digest; import org.bouncycastle.crypto.digests.SHA512Digest; import org.bouncycastle.crypto.params.ParametersWithRandom; +import org.bouncycastle.util.Arrays; public class DSASigner extends SignatureSpi @@ -210,6 +211,11 @@ public class DSASigner throw new IOException("malformed signature"); } + if (!Arrays.areEqual(encoding, s.getEncoded(ASN1Encoding.DER))) + { + throw new IOException("malformed signature"); + } + return new BigInteger[]{ ((ASN1Integer)s.getObjectAt(0)).getValue(), ((ASN1Integer)s.getObjectAt(1)).getValue() diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/ec/SignatureSpi.java b/src/org/bouncycastle/jcajce/provider/asymmetric/ec/SignatureSpi.java index 29c50f4..480f3fa 100644 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/ec/SignatureSpi.java +++ b/src/org/bouncycastle/jcajce/provider/asymmetric/ec/SignatureSpi.java 
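Review bot: The re-encoding comparison added to DSASigner.decode deserves a comment explaining what it defends against, because on its own `Arrays.areEqual(encoding, s.getEncoded(ASN1Encoding.DER))` looks redundant with the parse that precedes it: `// Reject any input that does not round-trip as DER (BER lengths, non-minimal INTEGERs, trailing bytes): a given (r, s) must have exactly one accepted byte form, otherwise signatures are malleable.` The check is placed after the existing size test and before the values are extracted, which is the right order. decode's signature and the surrounding method are outside the hunk.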
@@ -28,6 +28,7 @@ import org.bouncycastle.crypto.signers.ECNRSigner; import org.bouncycastle.jcajce.provider.asymmetric.util.DSABase; import org.bouncycastle.jcajce.provider.asymmetric.util.DSAEncoder; import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil; +import org.bouncycastle.util.Arrays; public class SignatureSpi extends DSABase @@ -238,6 +239,15 @@ public class SignatureSpi throws IOException { ASN1Sequence s = (ASN1Sequence)ASN1Primitive.fromByteArray(encoding); + if (s.size() != 2) + { + throw new IOException("malformed signature"); + } + if (!Arrays.areEqual(encoding, s.getEncoded(ASN1Encoding.DER))) + { + throw new IOException("malformed signature"); + } + BigInteger[] sig = new BigInteger[2]; sig[0] = ASN1Integer.getInstance(s.getObjectAt(0)).getValue(); @@ -309,4 +319,4 @@ public class SignatureSpi return sig; } } -} \ No newline at end of file +} debian/patches/02_index.patch0000644000000000000000000000065312170774454013265 0ustar Description: Refer to documentation contained in doc package --- bouncycastle-1.46+dfsg.orig/index.html +++ bouncycastle-1.46+dfsg/index.html @@ -36,7 +36,7 @@ The current specifications for this pack here.
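Review bot: The new `s.size() != 2` test in SignatureSpi.decode comes after the pre-existing unchecked `(ASN1Sequence)` cast on the line above it, so a signature whose outer object is not a SEQUENCE still fails with a ClassCastException rather than the `IOException("malformed signature")` this hunk standardises on; whether that RuntimeException is mapped to a SignatureException depends on DSABase, which is outside this view. `ASN1Sequence s = ASN1Sequence.getInstance(ASN1Primitive.fromByteArray(encoding));` would at least turn it into an IllegalArgumentException from the ASN.1 layer, or the cast could be wrapped in the same IOException. The trailing newline fix at end of file is cosmetic. decode's signature line is outside the hunk.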

The current api documentation for this package is -here. +in the corresponding libbc*-java-doc Debian package.

Examples and Tests

debian/patches/CVE-2016-1000345.patch0000644000000000000000000001755613320113334013462 0ustar From: Markus Koschany Date: Sun, 10 Jun 2018 20:39:14 +0200 Subject: CVE-2016-1000345 Origin: https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35 --- src/org/bouncycastle/crypto/engines/IESEngine.java | 25 ++++++++++++++-------- .../jcajce/provider/asymmetric/dh/IESCipher.java | 7 +++--- .../jcajce/provider/asymmetric/ec/IESCipher.java | 11 +++++----- .../jcajce/provider/asymmetric/rsa/CipherSpi.java | 1 + .../jcajce/provider/util/BadBlockException.java | 21 ++++++++++++++++++ 5 files changed, 48 insertions(+), 17 deletions(-) create mode 100644 src/org/bouncycastle/jcajce/provider/util/BadBlockException.java diff --git a/src/org/bouncycastle/crypto/engines/IESEngine.java b/src/org/bouncycastle/crypto/engines/IESEngine.java index 5a9976c..323e605 100755 --- a/src/org/bouncycastle/crypto/engines/IESEngine.java +++ b/src/org/bouncycastle/crypto/engines/IESEngine.java @@ -66,8 +66,8 @@ public class IESEngine /** - * set up for use in conjunction with a block cipher to handle the - * message. + * Set up for use in conjunction with a block cipher to handle the + * message.It is strongly recommended that the cipher is not in ECB mode. * * @param agree the key agreement used as the basis for the encryption * @param kdf the key derivation function used for byte generation @@ -244,8 +244,8 @@ public class IESEngine int inLen) throws InvalidCipherTextException { - byte[] M = null, K = null, K1 = null, K2 = null; - int len; + byte[] M, K, K1, K2; + int len = 0; if (cipher == null) { @@ -267,14 +267,13 @@ public class IESEngine System.arraycopy(K, K1.length, K2, 0, K2.length); } + // process the message M = new byte[K1.length]; for (int i = 0; i != K1.length; i++) { M[i] = (byte)(in_enc[inOff + V.length + i] ^ K1[i]); } - - len = K1.length; } else { 
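Review bot: The sentence added to the init javadoc in IESEngine runs two sentences together (`message.It is strongly recommended`) and gives no reason for the recommendation; suggest `message. It is strongly recommended that the cipher is not in ECB mode, as ECB reveals repeated plaintext blocks.` In the decryptBlock hunk the `len` initialisation to 0 is now load-bearing because the `cipher == null` branch no longer assigns it; a one-line comment there, `// len is only meaningful for the block-cipher branch; the stream branch returns M whole`, would stop a future reader "fixing" it back. decryptBlock continues into the next hunk and its start is outside this one.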
@@ -291,7 +290,6 @@ public class IESEngine M = new byte[cipher.getOutputSize(inLen - V.length - mac.getMacSize())]; len = cipher.processBytes(in_enc, inOff + V.length, inLen - V.length - mac.getMacSize(), M, 0); - len += cipher.doFinal(M, len); } @@ -328,8 +326,17 @@ public class IESEngine } - // Output the message. - return Arrays.copyOfRange(M, 0, len); + if (cipher == null) + { + return M; + } + else + { + len += cipher.doFinal(M, len); + + return Arrays.copyOfRange(M, 0, len); + } + } diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/IESCipher.java b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/IESCipher.java index c29ff2d..3809aa6 100644 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/dh/IESCipher.java +++ b/src/org/bouncycastle/jcajce/provider/asymmetric/dh/IESCipher.java @@ -43,6 +43,7 @@ import org.bouncycastle.crypto.params.IESWithCipherParameters; import org.bouncycastle.crypto.parsers.DHIESPublicKeyParser; import org.bouncycastle.jcajce.provider.asymmetric.util.DHUtil; import org.bouncycastle.jcajce.provider.asymmetric.util.IESUtil; +import org.bouncycastle.jcajce.provider.util.BadBlockException; import org.bouncycastle.jce.interfaces.IESKey; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.jce.spec.IESParameterSpec; @@ -386,7 +387,7 @@ public class IESCipher } catch (Exception e) { - throw new BadPaddingException(e.getMessage()); + throw new BadBlockException("unable to process block", e); } } @@ -425,7 +426,7 @@ public class IESCipher } catch (Exception e) { - throw new BadPaddingException(e.getMessage()); + throw new BadBlockException("unable to process block", e); } } else if (state == Cipher.DECRYPT_MODE || state == Cipher.UNWRAP_MODE) @@ -439,7 +440,7 @@ public class IESCipher } catch (InvalidCipherTextException e) { - throw new BadPaddingException(e.getMessage()); + throw new BadBlockException("unable to process block", e); } } else 
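Review bot: Deferring `cipher.doFinal` until after the MAC check in IESEngine.decryptBlock is the substance of this fix, but the benefit holds only if the MAC comparison that sits between the two hunks (outside this view) is constant-time; if it is a plain `Arrays.areEqual` or an early-exit loop, the padding oracle becomes a timing oracle on the tag, so confirm it uses `Arrays.constantTimeAreEqual` and record the invariant next to the moved call: `// MAC verified above; only now touch the padding so a bad tag and a bad pad are indistinguishable to the caller`. In dh/IESCipher the three catch sites now throw the uniform BadBlockException, which is correct, but the wrapped cause still carries the original message, so callers must not surface `getCause()` to the peer. decryptBlock begins in the preceding hunk and the dh/IESCipher methods start outside theirs.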
diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/ec/IESCipher.java b/src/org/bouncycastle/jcajce/provider/asymmetric/ec/IESCipher.java index 4ad0512..18017c9 100644 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/ec/IESCipher.java +++ b/src/org/bouncycastle/jcajce/provider/asymmetric/ec/IESCipher.java @@ -40,6 +40,7 @@ import org.bouncycastle.crypto.params.IESWithCipherParameters; import org.bouncycastle.crypto.parsers.ECIESPublicKeyParser; import org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil; import org.bouncycastle.jcajce.provider.asymmetric.util.IESUtil; +import org.bouncycastle.jcajce.provider.util.BadBlockException; import org.bouncycastle.jce.interfaces.ECKey; import org.bouncycastle.jce.interfaces.ECPrivateKey; import org.bouncycastle.jce.interfaces.ECPublicKey; @@ -49,6 +50,7 @@ import org.bouncycastle.jce.spec.IESParameterSpec; import org.bouncycastle.util.Strings; + public class IESCipher extends CipherSpi { @@ -393,7 +395,7 @@ public class IESCipher } catch (Exception e) { - throw new BadPaddingException(e.getMessage()); + throw new BadBlockException("unable to process block", e); } } @@ -418,11 +420,10 @@ public class IESCipher return engine.processBlock(in, 0, in.length); } - catch (Exception e) + catch (final Exception e) { - throw new BadPaddingException(e.getMessage()); + throw new BadBlockException("unable to process block", e); } - } else if (state == Cipher.DECRYPT_MODE || state == Cipher.UNWRAP_MODE) { @@ -435,7 +436,7 @@ public class IESCipher } catch (InvalidCipherTextException e) { - throw new BadPaddingException(e.getMessage()); + throw new BadBlockException("unable to process block", e); } } else diff --git a/src/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java b/src/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java index dc8dcb2..57be4f4 100644 --- a/src/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java 
+++ b/src/org/bouncycastle/jcajce/provider/asymmetric/rsa/CipherSpi.java @@ -32,6 +32,7 @@ import org.bouncycastle.crypto.encodings.PKCS1Encoding; import org.bouncycastle.crypto.engines.RSABlindedEngine; import org.bouncycastle.crypto.params.ParametersWithRandom; import org.bouncycastle.jcajce.provider.asymmetric.util.BaseCipherSpi; +import org.bouncycastle.jcajce.provider.util.BadBlockException; import org.bouncycastle.jcajce.provider.util.DigestFactory; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.util.Strings; diff --git a/src/org/bouncycastle/jcajce/provider/util/BadBlockException.java b/src/org/bouncycastle/jcajce/provider/util/BadBlockException.java new file mode 100644 index 0000000..e2a8d63 --- /dev/null +++ b/src/org/bouncycastle/jcajce/provider/util/BadBlockException.java 
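Review bot: The only change to rsa/CipherSpi in this patch is the `BadBlockException` import (the diffstat shows `1 +`), which nothing in the visible hunk uses, so either the import should be dropped or the RSA part of the upstream fix, wrapping PKCS#1/OAEP decoding failures in the same uniform exception, was not carried over. If the latter, the RSA decryption path presumably still throws BadPaddingException with the engine's own message, which is the distinguishable-failure condition this CVE fix removes for IES; verify against the upstream commit named in the patch header and either backport that hunk or remove the import. The class body lies outside this hunk.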
@@ -0,0 +1,21 @@ +package org.bouncycastle.jcajce.provider.util; + +import javax.crypto.BadPaddingException; + +public class BadBlockException + extends BadPaddingException +{ + private final Throwable cause; + + public BadBlockException(String msg, Throwable cause) + { + super(msg); + + this.cause = cause; + } + + public Throwable getCause() + { + return cause; + } +} debian/libbcprov-java.postinst0000644000000000000000000000023212170774454013704 0ustar #! /bin/sh set -e case "$1" in configure) if which rebuild-security-providers >/dev/null; then rebuild-security-providers fi esac #DEBHELPER# debian/maven.rules0000644000000000000000000000046712170774454011372 0ustar # Strip out -jdk15on as Ubuntu/Debian does not build multiple versions org.bouncycastle s/bcmail-jdk15on/bcmail/ * s/.*/debian/ * * org.bouncycastle s/bcprov-jdk15on/bcprov/ * s/.*/debian/ * * org.bouncycastle s/bcpkix-jdk15on/bcpkix/ * s/.*/debian/ * * org.bouncycastle s/bcpg-jdk15on/bcpg/ * s/.*/debian/ * * debian/libbcpg-java.poms0000644000000000000000000000002512170774454012417 0ustar debian/poms/bcpg.pom debian/orig-tar.sh0000755000000000000000000000076012170774454011267 0ustar #!/bin/sh -e # called by uscan with '--upstream-version' DEBIAN_VERSION=$(echo $2 | sed -e 's/^\(.\)/\1./') DIR=bouncycastle-$DEBIAN_VERSION.orig TAR=../bouncycastle_$DEBIAN_VERSION+dfsg.orig.tar.gz # clean up the upstream tarball tar zxf $3 rm -f $3 mv crypto-$2 $DIR GZIP=--best tar czf $TAR -X debian/orig-tar.exclude $DIR rm -rf $DIR # move to directory 'tarballs' if [ -r .svn/deb-layout ]; then . .svn/deb-layout mv $3 $origDir echo "moved $3 to $origDir" fi exit 0 debian/libbcpg-java.README.Debian0000644000000000000000000000047612170774454013571 0ustar libbcpg-java for Debian ========================= In order to use this library, add the following to your classpath: /usr/share/java/bcpg.jar Alternatively, the jar can be installed as an optional package by linking it from $JAVA_HOME/lib/ext. 
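Review bot: BadBlockException declares its own `private final Throwable cause` and overrides `getCause()`, which shadows the cause slot Throwable already provides and makes `printStackTrace`/`getCause` behave differently from every other chained exception; use the standard mechanism instead, `super(msg); initCause(cause);`, and delete the field and the override. Separately, because the cause retains the original failure message (for instance a pad-versus-MAC distinction), callers that log or return `getCause().getMessage()` to a remote party reintroduce the oracle this patch closes; a class comment is warranted: `// Uniform failure for all decryption errors; do not expose getCause() to untrusted parties, it still distinguishes the underlying error.` The new file is complete within the hunk.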
-- Charles Fry , Tue May 2 10:29:10 2006 debian/libbcpkix-java.classpath0000644000000000000000000000004512170775341013766 0ustar usr/share/java/bcpkix.jar bcprov.jar debian/libbcpkix-java-doc.doc-base0000644000000000000000000000054212170777330014226 0ustar Document: libbcpkix-java Title: Javadoc for the Bouncy Castle PKIX/CMS/EAC/PKCS/OCSP/TSP/OPENSSL API Author: The Legion Of The Bouncy Castle Abstract: This is the API Javadoc provided for the libbcpkix-java library. Section: Programming Format: HTML Index: /usr/share/doc/libbcpkix-java-doc/api/index.html Files: /usr/share/doc/libbcpkix-java-doc/api/* debian/compat0000644000000000000000000000000212170774454010377 0ustar 7 debian/libbcprov-java-doc.doc-base0000644000000000000000000000054312170777330014242 0ustar Document: libbcprov-java Title: Javadoc for the Bouncy Castle JCE provider and lightweight crypto API Author: The Legion Of The Bouncy Castle Abstract: This is the API Javadoc provided for the libbcprov-java library. Section: Programming Format: HTML Index: /usr/share/doc/libbcprov-java-doc/api/index.html Files: /usr/share/doc/libbcprov-java-doc/api/* debian/copyright0000644000000000000000000000371012170775117011132 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: Bouncy Castle Java cryptography APIs Source: http://www.bouncycastle.org Files: * Copyright: 2000-2013, The Legion Of The Bouncy Castle License: Expat Files: bzip2/* Copyright: 2009-2010, The Apache Software Foundation License: Apache-2.0 On Debian systems the full text of the Apache License can be found in `/usr/share/common-licenses/Apache-2.0'. 
Files: debian/* Copyright: 2005-2006, Charles Fry 2006-2007, Matthias Klose 2007-2009, Michael Koch 2010, Thierry Carrez 2011, James Page 2011-2012, Brian Thomason 2012, Damien Raude-Morvan 2013, Emmanuel Bourg License: Expat License: Expat Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: . The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. . THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. debian/source/0000755000000000000000000000000012170774454010501 5ustar debian/source/format0000644000000000000000000000001412170774454011707 0ustar 3.0 (quilt) debian/libbcprov-java.postrm0000644000000000000000000000023512170774454013350 0ustar #! /bin/sh set -e case "$1" in remove|purge) if which rebuild-security-providers >/dev/null; then rebuild-security-providers fi esac #DEBHELPER# debian/libbcpg-java-doc.doc-base0000644000000000000000000000047712170777330013670 0ustar Document: libbcpg-java Title: Javadoc for the Bouncy Castle OpenPGP API Author: The Legion Of The Bouncy Castle Abstract: This is the API Javadoc provided for the libbcpg-java library. 
Section: Programming Format: HTML Index: /usr/share/doc/libbcpg-java-doc/api/index.html Files: /usr/share/doc/libbcpg-java-doc/api/* debian/libbcprov-java.poms0000644000000000000000000000002712170774454013001 0ustar debian/poms/bcprov.pom debian/libbcprov-java.README.Debian0000644000000000000000000000272512170774454014150 0ustar libbcprov-java for Debian ========================= In order to use this library, add the following to your classpath: /usr/share/java/bcprov.jar Alternatively, the jar can be installed as an optional package by linking it from $JAVA_HOME/lib/ext. Installing Bouncy Castle as a Security Provider ----------------------------------------------- From the BouncyCastleProvider javadocs: To add the provider at runtime use: import java.security.Security; import org.bouncycastle.jce.provider.BouncyCastleProvider; Security.addProvider(new BouncyCastleProvider()); The provider can also be configured as part of your environment via static registration by adding an entry to the java.security properties file (found in $JAVA_HOME/jre/lib/security/java.security, where $JAVA_HOME is the location of your JDK/JRE distribution). You'll find detailed instructions in the file but basically it comes down to adding a line: security.provider.N=org.bouncycastle.jce.provider.BouncyCastleProvider Where N is the preference position you want the provider at (1 being the most preferred). Bouncy Castle as a Trusted Security Provider -------------------------------------------- The Debian release of Bouncy Castle can not currently be used as a trusted security provider, as the jar has not been signed by a trusted CA. This is a non-issue for free JVMs, as they don't currently have a notion of trusted CAs. 
-- Charles Fry , Tue Apr 25 19:07:32 2006 debian/libbcmail-java.classpath0000644000000000000000000000007412170775341013737 0ustar usr/share/java/bcmail.jar bcprov.jar bcpkix.jar gnumail.jar debian/changelog0000644000000000000000000002535013321131673011045 0ustar bouncycastle (1.49+dfsg-2ubuntu0.1) trusty-security; urgency=medium * SECURITY UPDATE: Multiple security issues - debian/patches/CVE-*.patch: sync patches with Debian's 1.49+dfsg-3+deb8u3 package. Thanks to Markus Koschany for the work this update is based on! - CVE-2015-7940 - CVE-2015-6644 - CVE-2016-1000338 - CVE-2016-1000341 - CVE-2016-1000343 - CVE-2016-1000346 - CVE-2016-1000339 - CVE-2016-1000345 - CVE-2016-1000342 -- Marc Deslauriers Tue, 10 Jul 2018 09:23:01 -0400 bouncycastle (1.49+dfsg-2) unstable; urgency=low * Upload to unstable * debian/control: Specified the packages broken by this version. This completes the transition to Bouncy Castle >= 1.47 (Closes: #687694) -- Emmanuel Bourg Mon, 09 Sep 2013 10:41:55 +0200 bouncycastle (1.49+dfsg-1) experimental; urgency=low * New upstream release * Updated the Maven poms * Use canonical URLs in the Vcs-* fields * Added the missing dependencies between the packages: - libbcpkix-java depends on libbcprov-java - libbcpg-java depends on libbcprov-java - libbcmail-java depends on libbcprov-java and libbcpkix-java * Added the Classpath attribute in the manifests * Added the upstream changelog * Removed the -gcj packages * debian/orig-tar.sh: Exclude Eclipse project file * debian/orig-tar.sh: Exclude the prebuilt CLDC classes * debian/rules: - Use the CDBS Ant class - Updated the download URL for the poms - Use uppercase names for the constants - Removed the duplicate constants * debian/copyright: Updated to follow the Copyright Format 1.0 * The documentation is now registered with doc-base * Moved the documentation in the libbcprov-java-doc package * Improved the description of the documentation packages * Removed the debian/*.dirs files -- Emmanuel Bourg 
Mon, 15 Jul 2013 19:26:52 +0200 bouncycastle (1.48+dfsg-2) unstable; urgency=low * Removed the dependency on the Activation Framework (libgnujaf-java) * Enabled the hardening for the -gcj packages * Upload to unstable -- Emmanuel Bourg Fri, 17 May 2013 00:10:32 +0200 bouncycastle (1.48+dfsg-1) experimental; urgency=low * Team upload. * New upstream release (Closes: #701698) - Fixes the Lucky 13 attack on CBC-mode encryption in TLS CVE-2013-0169, CVE-2013-1624 (Closes: #699885) * Added the bcpkix packages (Closes: #675819) * Removed the bctsp packages (the TSP API is now included in bcpkix) * Updated Standards-Version to 3.9.4: no changes needed. * Removed the DMUA flag * Refreshed the patches * Removed "Suggests: java-virtual-machine" on the libbcpg-java-gcj package -- Emmanuel Bourg Fri, 29 Mar 2013 12:52:23 +0100 bouncycastle (1.46+dfsg-7) unstable; urgency=low * Team upload. * Updated Standards-Version to 3.9.3: no changes needed. * As per Java Policy, remove "Depends: default-jre | java2-runtime" and "Suggests: java-virtual-machine" from library packages: only programs need explicit depends on runtime. * Force a Build-Depends on default-jdk (>= 1:1.6) to indicate that this package needs some classes (like java.security.spec.ECFieldF2m) which are not available in GCJ classpath (Closes: #678904). * Remove Build-Depends on quilt and debian/README.source file since we already use quilt (3.0) source format. 
-- Damien Raude-Morvan Sat, 18 Aug 2012 12:04:18 +0200 bouncycastle (1.46+dfsg-6) unstable; urgency=low * Now building for Java 1.5 rather than 1.6 (Closes: #678904) -- Brian Thomason Wed, 01 Aug 2012 16:32:19 +0000 bouncycastle (1.46+dfsg-5) unstable; urgency=low * Compile using jdk16.xml rather than jdk14.xml as the latter exludes classes * Pass unicode flag to javac targets as comments in the files prevent them from being compiled as ASCII -- Brian Thomason Tue, 22 May 2012 15:23:21 +0000 bouncycastle (1.46+dfsg-4) unstable; urgency=low * Disabled optimizations on sparc (Closes: #652117) -- Brian Thomason Tue, 03 Apr 2012 22:00:48 +0000 bouncycastle (1.46+dfsg-3) unstable; urgency=low * Disabled tests as they will fail as a known issue of the security certs having expired. Upstream has been informed and should fix for the next upstream release. This should fix the building of bouncycastle on certain platforms that were previously failing. -- Brian Thomason Mon, 12 Mar 2012 16:14:47 -0400 bouncycastle (1.46+dfsg-2) unstable; urgency=low [ by sponsor Steffen Moeller ] * Transition from experimental to unstable. * Removal of Michael from uploaders (Closes: #653997). 
* Added DMUA for Brian -- Brian Thomason Sat, 04 Feb 2012 19:19:27 +0100 bouncycastle (1.46+dfsg-1) experimental; urgency=low [ by sponsor Steffen Moeller ] * Merging Ubuntu changes with what is in pkg-java * Removing Michael Koch from uploaders, adding Brian -- Brian Thomason Tue, 10 Jan 2012 13:15:54 +0100 bouncycastle (1.46+dfsg-0ubuntu1) precise; urgency=low * New upstream release * Updated Standards-Version to 3.9.2 * Changed source format to 3.0 (quilt) * Changed Section to Java -- Brian Thomason Tue, 06 Dec 2011 20:53:23 +0000 bouncycastle (1.44+dfsg-2ubuntu2) oneiric; urgency=low * Deployment of Maven artifacts: - debian/rules: retrieve source POM's and install - debian/control: Build-depend on maven-repo-helper - debian/poms/*: versioned POM's from repo1.maven.org - debian/lib[bcprov|bcmail|bcpg|bctsp].poms; POM lists for deployment to maven-repo - debian/maven.rules: Transform rules for POM deployment -- James Page Wed, 29 Jun 2011 16:36:43 +0100 bouncycastle (1.44+dfsg-3) unstable; urgency=low * Team upload. [Niels Thykier] * Changed the section of the gcj packages to java. * Replaced B-D on default-jdk-builddep with gcj-native-helper and default-jdk. [tony mancill] * Apply patch to deploy maven artifacts. (Closes: #632183) Thanks to James Page. * All Recommends on *-gcj packages downgraded to Suggests. (Closes: #585062) * Bumped Standards-Versions 3.9.2 - no changes required. -- tony mancill Sun, 10 Jul 2011 16:27:31 -0700 bouncycastle (1.44+dfsg-2ubuntu1) maverick; urgency=low * Merge from debian. 
Remaining changes: - debian/rules: Enable test suite - debian/control: Build-depend on ant-optional (needed for test suite) - debian/control: Only suggest libbcprov-java-gcj on selected architectures, build libbcprov-java architecture "any" to have it work -- Thierry Carrez Thu, 03 Jun 2010 15:51:05 +0200 bouncycastle (1.44+dfsg-2) unstable; urgency=low [ Thierry Carrez ] * debian/control: depend on java2-runtime-headless instead of java2-runtime [ Torsten Werner ] * Remove Charles from Uploaders list. (Closes: #569476) -- Torsten Werner Thu, 11 Feb 2010 22:13:38 +0100 bouncycastle (1.44+dfsg-1) unstable; urgency=low * Upload as new upstream release. * Add debian/orig-tar.sh script and use it in watch file. This now removes the RFCs comming with the upstream tarball. (Closes: #554456) -- Michael Koch Thu, 05 Nov 2009 08:16:03 +0100 bouncycastle (1.44-1) unstable; urgency=low * New upstream release. -- Michael Koch Sun, 25 Oct 2009 21:04:40 +0100 bouncycastle (1.43-1) unstable; urgency=low [ Dominik Smatana ] * Fixed broken debian/watch [ Michael Koch ] * New upstream version. * Build-Depends on debhelper >= 7. * Let all packages Depends on ${misc:Depends}. * Move all -java packages to section 'java'. * Replaces java-gcj-compat with default-jre-headless. * Added debian/README.source. * Updated Standards-Version to 3.8.3. -- Michael Koch Tue, 22 Sep 2009 08:23:30 +0200 bouncycastle (1.39-2) unstable; urgency=low * Build-Depends on default-jdk-builddep. Closes: #477847 -- Michael Koch Wed, 30 Apr 2008 04:35:02 -0100 bouncycastle (1.39-1) unstable; urgency=low * New upstream release. * Fixed watch file to match upstream version correctly. * Removed '-1' part in Build-Depends. -- Michael Koch Sat, 12 Apr 2008 13:49:12 +0200 bouncycastle (1.38-1) unstable; urgency=low * New upstream release. * Updated Standards-Version to 3.7.3. * Added Homepage, Vcs-Svn and Vcs-Browser fields. 
-- Michael Koch Sat, 29 Dec 2007 17:03:04 +0100 bouncycastle (1.37-2) unstable; urgency=low * Fix dependency of targets to make it possible to build arch:dep packages only. Closes: #440669. -- Michael Koch Mon, 15 Oct 2007 20:26:02 +0200 bouncycastle (1.37-1) unstable; urgency=low * New upstream release. Closes: #430560, #430562. * Replaced ${Source-Version} bei ${source:Version} * Added myself to Uploaders. -- Michael Koch Sun, 15 Jul 2007 19:22:07 +0200 bouncycastle (1.33-4) unstable; urgency=low * Rebuild the database of security providers in the postrm, not in the prerm. -- Matthias Klose Sat, 10 Feb 2007 12:02:19 +0100 bouncycastle (1.33-3) unstable; urgency=low * Merge from Ubuntu: - Build -gcj packages. - Install the docs in an api subdir (not apidoc). -- Matthias Klose Wed, 3 Jan 2007 14:29:42 +0100 bouncycastle (1.33-2.1) unstable; urgency=medium * NMU * Register org.bouncycastle.jce.provider.BouncyCastleProvider as security provider for classpath based runtimes. * Install bcprov.jar in /usr/share/java/gcj-endorsed as well. * Closes: #394680. -- Matthias Klose Sun, 22 Oct 2006 14:57:44 +0000 bouncycastle (1.33-2) unstable; urgency=low * Move clean target dependencies to Build-Depends * Make pkg-java-maintainers the primary maintainer * Update to standards version 3.7.2 -- Charles Fry Wed, 5 Jul 2006 12:32:16 -0400 bouncycastle (1.33-1) unstable; urgency=low * New upstream release * Generate bcmail, bctsp, and bcpg in addition to bcprov -- Charles Fry Mon, 8 May 2006 11:46:32 -0400 bouncycastle (1.32-1) unstable; urgency=low * New upstream release * Add build dependencies on ant, use java-gcj-compat-dev (thanks to Matthias Klose ) -- Charles Fry Thu, 20 Apr 2006 22:15:18 -0400 bouncycastle (1.30-1) unstable; urgency=low * Initial release (Closes: #234048) -- Charles Fry Mon, 19 Sep 2005 08:02:36 -0400