<html>
<head>
<title>Bouncy Castle Crypto Package - Release Notes</title>
</head>
<body bgcolor="#ffffff" text="#000000">
<center>
<h1>Bouncy Castle Crypto Package - Release Notes</h1>
</center>
<h2>1.0 Introduction</h2>
<p>
The Bouncy Castle Crypto package is a Java implementation of
cryptographic algorithms. The package is organised so that it
contains a light-weight API suitable for use in any environment
(including the J2ME) with the additional infrastructure
to conform the algorithms to the JCE framework.
</p>
<h2>2.0 Release History</h2>
<a id="r1rv73"><h3>2.1.1 Version</h3></a>
Release: 1.73<br/>
Date: TBD
<h3>2.1.2 Defects Fixed</h3>
<ul>
<li>BCJSSE: Instantiating a JSSE provider in some contexts could cause an AccessControl exception. This has been fixed.</li>
<li>The EC key pair generator could generate out-of-range private keys when used with SM2. A specific SM2KeyPairGenerator has been added to the low-level API and is used by KeyPairGenerator.getInstance("SM2", "BC"). The SM2 signer has been updated to check for out-of-range keys as well.</li>
</ul>
<h3>2.1.3 Additional Features and Functionality</h3>
<ul>
<li>The Rainbow NIST Post Quantum Round-3 Candidate has been added to the low-level API and the BCPQC provider (level 3 and level 5 parameter sets only).</li>
<li>The GeMSS NIST Post Quantum Round-3 Candidate has been added to the low-level API.</li>
</ul>
<a id="r1rv72.1"><h3>2.2.1 Version</h3></a>
Release: 1.72.1<br/>
Date: 2022, October 25th
<h3>2.2.2 Defects Fixed</h3>
<ul>
<li>PGP patch release - fix for regression in OpenPGP PGPEncryptedData.java which could result in checksum failures on correct files.</li>
</ul>
<a id="r1rv72"><h3>2.3.1 Version</h3></a>
Release: 1.72<br/>
Date: 2022, September 25th
<h3>2.3.2 Defects Fixed</h3>
<ul>
<li>There were parameter errors in XMSS^MT OIDs for XMSSMT_SHA2_40/4_256 and XMSSMT_SHA2_60/3_256. These have been fixed.</li>
<li>There was an error in Merkle tree construction for the Evidence Records (ERS) implementation which could result in invalid roots being timestamped. ERS now produces an ArchiveTimeStamp for each data object/group with an associated reduced hash tree. The reduced hash tree is now calculated as a simple path to the root of the tree for each record.</li>
<li>OpenPGP will now ignore signatures marked as non-exportable on encoding.</li>
<li>A tagging calculation error in GCMSIV which could result in incorrect tags has been fixed.</li>
<li>Issues around Java 17 which could result in failing tests have been addressed.</li>
</ul>
<h3>2.3.3 Additional Features and Functionality</h3>
<ul>
<li>BCJSSE: TLS 1.3 is now enabled by default where no explicit protocols are supplied (e.g. "TLS" or "Default" SSLContext algorithms, or SSLContext.getDefault() method).</li>
<li>BCJSSE: Rewrite SSLEngine implementation to improve compatibility with SunJSSE.</li>
<li>BCJSSE: Support export of keying material via extension API.</li>
<li>(D)TLS: Add support for 'tls-exporter' channel binding per RFC 9266.</li>
<li>(D)TLS (low-level API): By default, only (D)TLS 1.2 and TLS 1.3 are offered now. Earlier versions are still supported if explicitly enabled. Users may need to check they are offering suitable cipher suites for TLS 1.3.</li>
<li>(D)TLS (low-level API): Add support for raw public keys per RFC 7250.</li>
<li>CryptoServicesRegistrar now has a setServicesConstraints() method on it which can be used to selectively turn off algorithms.</li>
<li>The NIST PQC Alternate Candidate, Picnic, has been added to the low level API and the BCPQC provider.</li>
<li>SPHINCS+ has been upgraded to the latest submission, SPHINCS+ 3.1 and support for Haraka has been added.</li>
<li>Evidence records now support timestamp renewal and hash renewal.</li>
<li>The SIKE Alternative Candidate NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider.</li>
<li>The NTRU Round 3 Finalist Candidate NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider.</li>
<li>The Falcon Finalist NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider.</li>
<li>The CRYSTALS-Kyber Finalist NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider.</li>
<li>Argon2 Support has been added to the OpenPGP API.</li>
<li>XDH IES has now been added to the BC provider.</li>
<li>The OpenPGP API now supports AEAD encryption and decryption.</li>
<li>The NTRU Prime Alternative Candidate NIST Post Quantum Algorithms have been added to the low-level API and the BCPQC provider.</li>
<li>The CRYSTALS-Dilithium Finalist NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider.</li>
<li>The BIKE NIST Post Quantum Alternative/Round-4 Candidate has been added to the low-level API and the BCPQC provider.</li>
<li>The HQC NIST Post Quantum Alternative/Round-4 Candidate has been added to the low-level API and the BCPQC provider.</li>
<li>Grain128AEAD has been added to the lightweight API.</li>
<li>A fast version of CRC24 has been added for use with the PGP API.</li>
<li>Some additional methods and fields have been exposed in the PGPOnePassSignature class to (hopefully) make it easier to deal with nested signatures.</li>
<li>CMP support classes have been updated to reflect the latest edition of the draft RFC "Lightweight Certificate Management Protocol (CMP) Profile".</li>
<li>Support has been added to the PKCS#12 implementation for the Oracle trusted certificate attribute.</li>
<li>Performance of our BZIP2 classes has been improved.</li>
</ul>
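The TLS 1.3 default and the cipher-suite caveat above are worth verifying after an upgrade rather than assuming. The following is an added example, not code from the Bouncy Castle project: it registers the BC and BCJSSE providers, reports which protocols a BCJSSE context enables by default, warns when TLSv1.3 is enabled without a TLS 1.3 cipher suite, and shows an engine with the protocol set pinned explicitly. It assumes bcprov and bctls 1.72 or later are on the classpath; the allowed-protocol policy is a constructed example value.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/**
 * Added example (not part of bc-java): inspects the protocols and cipher suites a
 * BCJSSE SSLContext enables by default, and pins the protocol set explicitly so the
 * deployment does not depend on whatever the library defaults happen to be.
 */
public final class BcjsseProtocolCheck {

    /** Protocols this deployment is willing to negotiate (constructed policy value). */
    static final Set<String> ALLOWED = new LinkedHashSet<>(Arrays.asList("TLSv1.3", "TLSv1.2"));

    static void registerProviders() {
        // BCJSSE relies on a JCA provider for the underlying cryptography, so BC goes first.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        if (Security.getProvider(BouncyCastleJsseProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleJsseProvider());
        }
    }

    /** Builds an initialised BCJSSE context for the given SSLContext algorithm name. */
    static SSLContext bcjsseContext(String algorithm) throws Exception {
        SSLContext ctx = SSLContext.getInstance(algorithm, BouncyCastleJsseProvider.PROVIDER_NAME);
        ctx.init(null, null, null); // default key and trust managers suffice for an inspection
        return ctx;
    }

    /** Enabled protocols that fall outside the allowed policy set. */
    static Set<String> disallowedProtocols(String[] enabled) {
        Set<String> bad = new LinkedHashSet<>();
        for (String p : enabled) {
            if (!ALLOWED.contains(p)) {
                bad.add(p);
            }
        }
        return bad;
    }

    /**
     * TLS 1.3 suites use the TLS_AES_* / TLS_CHACHA20_* naming. If TLSv1.3 is enabled but
     * none of these suites is, TLSv1.3 is offered without any suite that can complete it.
     */
    static boolean offersTls13WithoutTls13Suite(String[] protocols, String[] suites) {
        boolean tls13 = Arrays.asList(protocols).contains("TLSv1.3");
        boolean hasSuite = false;
        for (String s : suites) {
            if (s.startsWith("TLS_AES_") || s.startsWith("TLS_CHACHA20_")) {
                hasSuite = true;
                break;
            }
        }
        return tls13 && !hasSuite;
    }

    /** Client engine with the protocol set pinned, independent of library defaults. */
    static SSLEngine pinnedClientEngine(String host, int port) throws Exception {
        SSLEngine engine = bcjsseContext("TLS").createSSLEngine(host, port);
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(ALLOWED.toArray(new String[0]));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        registerProviders();
        // "TLS" picks up the new default (TLS 1.3 included); "TLSv1.2" is shown for contrast.
        for (String alg : new String[] {"TLS", "TLSv1.2"}) {
            SSLEngine engine = bcjsseContext(alg).createSSLEngine();
            String[] protocols = engine.getEnabledProtocols();
            String[] suites = engine.getEnabledCipherSuites();
            System.out.println(alg + " -> enabled protocols " + Arrays.toString(protocols));
            Set<String> bad = disallowedProtocols(protocols);
            if (!bad.isEmpty()) {
                System.out.println("  outside policy: " + bad);
            }
            if (offersTls13WithoutTls13Suite(protocols, suites)) {
                System.out.println("  TLSv1.3 enabled but no TLS 1.3 cipher suite is enabled");
            }
        }
        // "example.invalid" is a placeholder host name; no connection is opened here.
        SSLEngine pinned = pinnedClientEngine("example.invalid", 443);
        System.out.println("pinned -> " + Arrays.toString(pinned.getEnabledProtocols()));
    }
}
```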
<h3>2.3.4 Notes</h3>
<p>
Keep in mind the PQC algorithms are still under development and we are still at least a year and a half away from published standards. This means the algorithms may still change, so by all means experiment, but do not use the PQC algorithms for anything long term.
</p>
<p>
The legacy "Rainbow" and "McEliece" implementations have been removed from the BCPQC provider. The underlying classes are still present if required. Other legacy algorithm implementations can be found under the org.bouncycastle.pqc.legacy package.
</p>
<h3>2.3.5 Security Notes</h3>
<p>
The PQC SIKE algorithm is provided for research purposes only. It should now be regarded as broken. The SIKE implementation will be withdrawn in BC 1.73.
</p>
<a id="r1rv71"><h3>2.4.1 Version</h3></a>
Release: 1.71<br/>
Date: 2022, March 31st.
<h3>2.4.2 Defects Fixed</h3>
<ul>
<li>In line with GPG, the PGP API now attempts to preserve comments containing non-ASCII UTF-8 characters.</li>
<li>An accidental partial dependency on Java 1.7 has been removed from the TLS API.</li>
<li>JcaPKIXIdentityBuilder would fail to process File objects correctly. This is now fixed.</li>
<li>Some byte[] parameters to the CMP API were not being defensively cloned to prevent accidental changes. Extra defensive cloning has been added.</li>
<li>CMS primitives would sometimes convert ASN.1 definite-length encodings into indefinite-length encodings. The primitives will now try to preserve the original encoding where possible.</li>
<li>CMSSignedData.getAttributeCertificates() now properly restricts the tag values checked to just 1 (the obsolete v1 tag) and 2 (for the more current v2 certificates).</li>
<li>BCJSSE now tries to validate a custom KeyManager selection in order to catch errors around a key manager ignoring key type early.</li>
<li>Compressed streams in PGP ending with zero length partial packets could cause failure on parsing the OpenPGP API. This has been fixed.</li>
<li>The fallback mode for JceAsymmetricKeyWrapper/Unwrapper would lose track of any algorithm parameters generated in the initial attempt. The algorithm parameters are now propagated.</li>
<li>An accidental regression introduced by a fix for another issue in PKIXCertPathReviewer around use of the AuthorityKeyIdentifier extension and it failing to match a certificate uniquely when the serial number field is missing has been fixed.</li>
<li>An error was found in the creation of TLS 1.3 Export Keying Material which could cause compatibility issues. This has been fixed.</li>
</ul>
<h3>2.4.3 Additional Features and Functionality</h3>
<ul>
<li>Support has been added for OpenPGP regular expression signature packets.</li>
<li>Support has been added for OpenPGP PolicyURI signature packets.</li>
<li>A utility method has been added to PGPSecretKeyRing to allow for inserting or replacing a PGPPublicKey.</li>
<li>The NIST PQC Finalist, Classic McEliece has been added to the low level API and the BCPQC provider.</li>
<li>The NIST PQC Alternate Candidate, SPHINCS+ has been added to the BCPQC provider.</li>
<li>The NIST PQC Alternate Candidate, FrodoKEM has been added to the low level API and the BCPQC provider.</li>
<li>The NIST PQC Finalist, SABER has been added to the low level API and the BCPQC provider.</li>
<li>KMAC128 and KMAC256 have been added to the BC provider (empty customization string).</li>
<li>TupleHash128 and TupleHash256 have been added to the BC provider (empty customization string).</li>
<li>ParallelHash128 and ParallelHash256 have been added to the BC provider (empty customization string, block size 1024 bits).</li>
<li>Two new properties: "org.bouncycastle.rsa.max_size" (default 15360) and "org.bouncycastle.ec.fp_max_size" (default 1042) have been added to cap the maximum size of RSA and EC keys.</li>
<li>RSA moduli are now checked to be provably composite using the enhanced MR probable prime test.</li>
<li>Imported EC Fp basis values are now validated against the MR prime number test before use. The certainty level of the prime test can be determined by "org.bouncycastle.ec.fp_certainty" (default 100).</li>
<li>The BC entropy thread now has a specific name: "BC-ENTROPY-GATHERER".</li>
<li>Utility methods have been added for joining/merging PGP public keys and signatures.</li>
<li>Blake3-256 has been added to the BC provider.</li>
<li>DTLS: optimisation to delayed handshake hash.</li>
<li>Further additions to the ETSI 102 941 support in the ETSI/ITS package: certification request, signed message generation and verification now supported.</li>
<li>CMSSignedDataGenerator now supports the direct generation of definite-length data.</li>
<li>The NetscapeCertType class now has a hasUsages() method on it for querying usage settings on its bit string.</li>
<li>Support for additional input has been added for deterministic (EC)DSA.</li>
<li>The OpenPGP API provides better support for subkey generation.</li>
<li>BCJSSE: Added boolean system properties "org.bouncycastle.jsse.client.dh.disableDefaultSuites" and "org.bouncycastle.jsse.server.dh.disableDefaultSuites".
Default "false". Set to "true" to disable inclusion of DH cipher suites in the default cipher suites for client/server respectively.</li>
<li>ASN.1 object support has been added for the Lightweight Certificate Management Protocol (CMP), currently in draft.</li>
<li>A HybridValueParameterSpec class has been added for use with KeyAgreement to support SP 800-56C hybrid (i.e. classical/post-quantum) key agreement.</li>
</ul>
<h3>2.4.4 Notes</h3>
<ul>
<li>The deprecated QTESLA implementation has been removed from the BCPQC provider.</li>
<li>The <a href="https://groups.google.com/u/1/a/list.nist.gov/g/pqc-forum/c/F9ZUtWCij54">submission update to SPHINCS+</a> has been added. This changes the generation of signatures - particularly deterministic ones.</li>
</ul>
<a id="r1rv70"><h3>2.5.1 Version</h3></a>
Release: 1.70<br/>
Date: 2021, November 29th.
<h3>2.5.2 Defects Fixed</h3>
<ul>
<li>The Blake3 output limit is now enforced.</li>
<li>The PKCS12 KeyStore was relying on default precedence for its key Cipher implementation so was sometimes failing if used from the keytool. The KeyStore class now makes sure it uses the correct Cipher implementation.</li>
<li>Fixed bzip2 compression for empty contents (GH #993).</li>
<li>ASN.1: More robust handling of high tag numbers and definite-length forms.</li>
<li>BCJSSE: Fix a concurrent modification issue in session contexts (GH#968).</li>
<li>BCJSSE: Don't log sensitive system property values (GH#976).</li>
<li>BCJSSE: Fixed a priority issue amongst imperfect-match credentials in KeyManager classes.</li>
<li>The IES AlgorithmParameters object has been re-written to properly support all the variations of IESParameterSpec.</li>
<li>getOutputSize() for ECIES has been corrected to avoid occasional underestimates.</li>
<li>The lack of close() in the ASN.1 Dump command line utility was triggering false positives in some code analysis tools. A close() call has been added.</li>
<li>PGPPublicKey.getBitStrength() now properly recognises EdDSA keys.</li>
</ul>
<h3>2.5.3 Additional Features and Functionality</h3>
<ul>
<li>Missing PGP CRC checksums can now be optionally ignored using setDetectMissingCRC() (default false) on ArmoredInputStream.</li>
<li>PGPSecretKey.copyWithNewPassword() now has a variant which uses USAGE_SHA1 for key protection if a PGPDigestCalculator is passed in.</li>
<li>PGP ASCII armored data now skips "\t", "\v", and "\f".</li>
<li>PKCS12 files with duplicate localKeyId attributes on certificates will now have the incorrect attributes filtered out, rather than the duplicate causing an exception.</li>
<li>PGPObjectFactory will now ignore packets representing unrecognised signature versions in the input stream.</li>
<li>The X.509 extension generator will now accumulate some duplicate X.509 extensions into a single extension where it is possible to do so.</li>
<li>Removed support for maxXofLen in Kangaroo digest.</li>
<li>Ignore marker packets in PGP Public and Secret key ring collection.</li>
<li>An implementation of LEA has been added to the low-level API.</li>
<li>Access, recovery, and direct use for PGP session keys has been added to the OpenPGP API for processing encrypted data.</li>
<li>A PGPCanonicalizedDataGenerator has been added which converts input into canonicalized literal data for text and UTF-8 mode.</li>
<li>A getUserKeyingMaterial() method has been added to the KeyAgreeRecipientInformation class.</li>
<li>ASN.1: Tagged objects (and parsers) now support all tag classes. Special code for ApplicationSpecific has been deprecated and
re-implemented in terms of TaggedObject.</li>
<li>ASN.1: Improved support for nested tagging.</li>
<li>ASN.1: Added support for GraphicString, ObjectDescriptor, RelativeOID.</li>
<li>ASN.1: Added support for constructed BitString encodings, including efficient parsing for large values.</li>
<li>TLS: Added support for external PSK handshakes.</li>
<li>TLS: Check policy restrictions on key size when determining cipher suite support.</li>
<li>A performance issue in KeccakDigest due to left over debug code has been identified and dealt with.</li>
<li>BKS key stores can now be used for collecting protected keys (note: any attempt to store such a store will cause an exception).</li>
<li>A method for recovering user keying material has been added to KeyAgreeRecipientInformation.</li>
<li>Support has been added to the CMS API for SHA-3 based PLAIN-ECDSA.</li>
<li>The low level BcDefaultDigestProvider now supports the SHAKE family of algorithms and the SM3 algorithm.</li>
<li>PGPKeyRingGenerator now supports creation of key-rings with direct-key identified keys.</li>
<li>The PQC NIST candidate, signature algorithm SPHINCS+ has been added to the low-level API.</li>
<li>ArmoredInputStream now explicitly checks for a '\n' if in crLF mode.</li>
<li>Direct support for NotationDataOccurances, Exportable, Revocable, IntendedRecipientFingerPrints, and AEAD algorithm preferences has been added to PGPSignatureSubpacketVector.</li>
<li>Further support has been added for keys described using S-Expressions in GPG 2.2.X.</li>
<li>Support for OpenPGP Session Keys from the (draft) Stateless OpenPGP CLI has been added.</li>
<li>Additional checks have been added for PGP marker packets in the parsing of PGP objects.</li>
<li>A CMSSignedData.addDigestAlgorithm() has been added to allow for adding additional digest algorithm identifiers to CMS SignedData structures when required.</li>
<li>Support has been added to CMS for the LMS/HSS signature algorithm.</li>
<li>The system property "org.bouncycastle.jsse.client.assumeOriginalHostName" (default false) has been added for dealing with SNI problems related to the host name not being propagated by the JVM.</li>
<li>The JcePKCSPBEOutputEncryptorBuilder now supports SCRYPT with ciphers that do not have algorithm parameters (e.g. AESKWP).</li>
<li>Support is now added for certificates using ETSI TS 103 097, "Intelligent Transport Systems (ITS)" in the bcpkix package.</li>
</ul>
<h3>2.5.4 Notes</h3>
<ul>
<li>While this release should maintain source code compatibility, developers making use of some parts of the ASN.1 library will find that some classes need recompiling. Apologies for the inconvenience.</li>
</ul>
<a id="r1rv69"><h3>2.6.1 Version</h3></a>
Release: 1.69<br/>
Date: 2021, June 7th.
<h3>2.6.2 Defects Fixed</h3>
<ul>
<li>Lightweight and JCA conversion of Ed25519 keys in the PGP API could drop the leading byte as it was zero. This has been fixed.</li>
<li>Marker packets appearing at the start of PGP public key rings could cause parsing failure. This has been fixed.</li>
<li>ESTService could fail for some valid Content-Type headers. This has been fixed.</li>
<li>Originator key algorithm parameters were being passed as NULL in key agreement recipients. The parameters now reflect the value of the parameters in the key's SubjectPublicKeyInfo.</li>
<li>ContentType on encapsulated data was not being passed through correctly for authenticated and enveloped data. This has been fixed.</li>
<li>NTRUEncryptionParameters and NTRUEncryptionKeyGenerationParameters were not correctly cloning the contained message digest. This has been fixed.</li>
<li>CertificateFactory.generateCertificates()/generateCRLs() would throw an exception if extra data was found at the end of a PEM file even if valid objects had been found. Extra data is now ignored provided at least one object was found.</li>
<li>Internal class PKIXCRLUtil could throw a NullPointerException for CRLs with an absent nextUpdate field. This has been fixed.</li>
<li>PGP ArmoredInputStream now fails earlier on malformed headers.</li>
<li>The McElieceKobaraImaiCipher was randomly throwing a "Bad Padding: invalid ciphertext" exception while decrypting due to leading zeroes being missed during processing of the cipher text. This has been fixed.</li>
<li>Ed25519 keys being passed in via OpenSSH key spec are now validated in the KeyFactory.</li>
<li>Blowfish keys are now range checked on cipher construction.</li>
<li>In some cases PGPSecretKeyRing was failing to search its extraPubKeys list when searching for public keys.</li>
<li>The BasicConstraintsValidation class in the BC cert path validation tools has improved conformance to RFC 5280.</li>
<li>AlgorithmIdentifiers involving message digests now attempt to follow the latest conventions for the parameters field (basically DER NULL appears less).</li>
<li>Fix various conversions and interoperability for XDH and EdDSA between BC and SunEC providers.</li>
<li>TLS: Prevent attempts to use KeyUpdate mechanism in versions before TLS 1.3.</li>
</ul>
<h3>2.6.3 Additional Features and Functionality</h3>
<ul>
<li>GCM-SIV has been added to the lightweight API and the provider.</li>
<li>Blake3 has been added to the lightweight API.</li>
<li>The OpenSSL PEMParser can now be extended to add specialised parsers.</li>
<li>Base32 encoding has now been added, the default alphabet is from RFC 4648.</li>
<li>The KangarooTwelve message digest has been added to the lightweight API.</li>
<li>An implementation of the two FPE algorithms, FF1 and FF3-1 in SP 800-38G has been added to the lightweight API and the JCE provider.</li>
<li>An implementation of ParallelHash has been added to the lightweight API.</li>
<li>An implementation of TupleHash has been added to the lightweight API.</li>
<li>RSA-PSS now supports the use of SHAKE128 and SHAKE256 as the mask generation function and digest.</li>
<li>ECDSA now supports the use of SHAKE128 and SHAKE256.</li>
<li>PGPPBEEncryptedData will now reset the stream if the initial checksum fails so another password can be tried.</li>
<li>Iterators on public and secret key ring collections in PGP now reflect the original order of the public/secret key rings they contain.</li>
<li>KeyAgreeRecipientInformation now has a getOriginator() method for retrieving the underlying originator information.</li>
<li>PGPSignature now has a getDigestPrefix() method for people wanting exposure to the signature finger print details.</li>
<li>The old BKS-V1 format keystore is now disabled by default. If you need to use BKS-V1 for legacy reasons, it can be re-enabled by adding:
<pre>
org.bouncycastle.bks.enable_v1=true
</pre>
to the java.security file. We would be interested in hearing from anyone that needs to do this.</li>
<li>PLAIN-ECDSA now supports the SHA3 digests.</li>
<li>Some highlevel support for RFC 4998 ERS has been added for ArchiveTimeStamp and EvidenceRecord. The new classes are in
the org.bouncycastle.tsp.ers package.</li>
<li>ECIES now also supports SHA256, SHA384, and SHA512.</li>
<li>The digestAlgorithms field in CMS SignedData now includes counter signature digest algorithms where possible.</li>
<li>A new property "org.bouncycastle.jsse.config" has been added which can be used to configure the BCJSSE provider when it is created using the no-args constructor.</li>
<li>In line with changes in OpenSSL 1.1.0, OpenSSLPBEParametersGenerator can now be configured with a digest.</li>
<li>PGPKeyRingGenerator now includes a method for adding a subkey with a primary key binding signature.</li>
<li>Support for ASN.1 PRIVATE tags has been added.</li>
<li>Performance enhancements to Noekeon, AES, GCM, and SICBlockCipher.</li>
<li>Support for encoding/decoding McElieceCCA2 keys has been added to the PQC API.</li>
<li>BCJSSE: Added support for jdk.tls.maxCertificateChainLength system property (default is 10).</li>
<li>BCJSSE: Added support for jdk.tls.maxHandshakeMessageSize system property (default is 32768).</li>
<li>BCJSSE: Added support for jdk.tls.client.enableCAExtension (default is 'false').</li>
<li>BCJSSE: Added support for jdk.tls.client.cipherSuites system property.</li>
<li>BCJSSE: Added support for jdk.tls.server.cipherSuites system property.</li>
<li>BCJSSE: Extended ALPN support via standard JSSE API to JDK 8 versions after u251/u252.</li>
<li>BCJSSE: Key managers now support EC credentials for use with TLS 1.3 ECDSA signature schemes (including brainpool).</li>
<li>TLS: Add TLS 1.3 support for brainpool curves per RFC 8734.</li>
</ul>
<h3>2.6.4 Notes</h3>
<ul>
<li>There is a small API change in the PKIX package to the DigestAlgorithmIdentifierFinder interface as a find() method that takes an ASN1ObjectIdentifier has been added to it. For people wishing to extend their own implementations, see DefaultDigestAlgorithmIdentifierFinder for a sample implementation.</li>
<li>A version of the bcmail API supporting Jakarta Mail has now been added (see bcjmail jar).</li>
<li>Some work has been done on moving out code that does not need to be in the provider jar. This has reduced the size of the provider jar and should also make it easier for developers to patch the classes involved as they no longer need to be signed. bcpkix and bctls are both dependent on the new bcutil jar.</li>
</ul>
<a id="r1rv68"><h3>2.7.1 Version</h3></a>
Release: 1.68<br/>
Date: 2020, December 21st.
<h3>2.7.2 Defects Fixed</h3>
<ul>
<li>Some BigIntegers utility methods would fail for BigInteger.ZERO. This has been fixed.</li>
<li>PGPUtil.isKeyRing() was not detecting secret sub-keys in its input. This has been fixed.</li>
<li>The ASN.1 class, ArchiveTimeStamp was insisting on a value for the optional reducedHashTree field. This has been fixed.</li>
<li>BCJSSE: Lock against multiple writers - a possible synchronization issue has been removed.</li>
</ul>
<h3>2.7.3 Additional Features and Functionality</h3>
<ul>
<li>BCJSSE: Added support for system property com.sun.net.ssl.requireCloseNotify. Note that we are using a default value of 'true'.</li>
<li>BCJSSE: 'TLSv1.3' is now a supported protocol for both client and server. For this release it is only enabled by default for the 'TLSv1.3' SSLContext, but can be explicitly enabled using 'setEnabledProtocols' on an SSLSocket or SSLEngine, or via SSLParameters.</li>
<li>BCJSSE: Session resumption is now also supported for servers in TLS 1.2 and earlier. For this release it is disabled by default, and can be enabled by setting the boolean system property org.bouncycastle.jsse.server.enableSessionResumption to 'true'.</li>
<li>The provider now supports RSA-PSS signature names that follow the JCA naming convention.</li>
<li>FIPS mode for the BCJSSE now enforces namedCurves for any presented certificates.</li>
<li>PGPSignatureSubpacketGenerator now supports editing of a pre-existing sub-packet list.</li>
</ul>
<a id="r1rv67"><h3>2.8.1 Version</h3></a>
Release: 1.67<br/>
Date: 2020, November 1st.
<h3>2.8.2 Defects Fixed</h3>
<ul>
<li>BCJSSE: SunJSSE compatibility fix - override of getChannel() removed and 'urgent data' behaviour should now conform to what the SunJSSE expects.</li>
<li>Nested BER data could sometimes cause issues in octet strings. This has been fixed.</li>
<li>Certificates/CRLs with short signatures could cause an exception in toString() in the BC X509 Certificate implementation. This has been fixed.</li>
<li>In line with latest changes in the JVM, SignatureSpis which don't require parameters now return null on engineGetParameters().</li>
<li>The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey where it can on requests for a KeySpec based on an RSAPrivateKey.</li>
<li>CMSTypedStream$FullReaderStream now handles zero length reads correctly.</li>
<li>Unnecessary padding was added on KMAC when the key length was block aligned. This has been fixed.</li>
<li>Zero length data would cause an unexpected exception from RFC5649WrapEngine. This has been fixed.</li>
<li>OpenBSDBcrypt was failing to handle some valid prefixes. This has been fixed.</li>
</ul>
<h3>2.8.3 Additional Features and Functionality</h3>
<ul>
<li>Performance of Argon2 has been improved.</li>
<li>Performance of Noekeon has been improved.</li>
<li>A setSessionKeyObfuscation() method has been added to PublicKeyKeyEncryptionMethodGenerator to allow turning off of session key obfuscation (default is on, method primarily to get around early version GPG issues with AES-128 keys).</li>
<li>Implemented 'safegcd' constant-time modular inversion (as well as a variable-time variant). It has replaced Fermat inversion in all our EC code, and BigInteger.modInverse in several other places, particularly signers. This improves side-channel protection, and also gives a significant performance boost.</li>
<li>Performance of custom binary ECC curves and Edwards Curves has been improved.</li>
<li>BCJSSE: New boolean system property 'org.bouncycastle.jsse.keyManager.checkEKU' allows disabling ExtendedKeyUsage restrictions when selecting credentials (although the peer may still complain).</li>
<li>Initial support has been added for "Composite Keys and Signatures For Use In Internet PKI" using the test OID. Please note there will be further refinements to this as the draft is standardised.</li>
<li>The BC EdDSA signature API now supports keys implementing all methods on the EdECKey and XECKey interfaces directly.</li>
<li>Work has begun on classes to support the ETSI TS 103 097, Intelligent Transport Systems (ITS) in the bcpkix package.</li>
<li>Further optimization work has been done on GCM.</li>
<li>A NewHope based processor, similar to the one for Key Agreement has been added for trying to "quantum hard" KEM algorithms.</li>
<li>PGP clear signed signatures now support SHA-224.</li>
<li>Treating absent vs NULL as equivalent can now be configured by a system property. By default this is not enabled.</li>
<li>Mode name checks in Cipher strings should now make sure an improper mode name always results in a NoSuchAlgorithmException.</li>
<li>In line with changes in OpenSSL, the OpenSSLPBKDF now uses UTF8 encoding.</li>
</ul>
<h3>2.8.4 Security Advisory</h3>
<ul>
<li>As described in CVE-2020-28052, the OpenBSDBCrypt.checkPassword() method had a flaw in it due to a change for BC 1.65. BC 1.66 is also affected. The issue is fixed in BC 1.67. If you are using OpenBSDBCrypt.checkPassword() and you are using BC 1.65 or BC 1.66 we strongly advise moving to BC 1.67 or later.</li>
</ul>
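<p>
The following is an added example, not code from the release notes or from the Bouncy Castle code base. It shows the OpenBSDBCrypt API the advisory refers to, used the way a practitioner would want after reading it: hash with a fresh salt, verify with checkPassword(), and fail closed if the provider on the classpath is one of the affected releases (1.65 or 1.66) rather than 1.67 or later. The cost factor and the test password are assumptions made for the demonstration.
</p>

```java
import java.security.SecureRandom;
import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/**
 * Added example (not part of the Bouncy Castle release notes or code base):
 * hash and verify a password with OpenBSDBCrypt, refusing to verify on a
 * provider version affected by CVE-2020-28052.
 */
public class BcryptCheckExample {
    // Releases below this have the checkPassword() flaw described in the advisory.
    static final double MIN_SAFE_BC_VERSION = 1.67;
    // 2^12 rounds; a hypothetical choice for this demo, tune for your hardware.
    static final int COST = 12;

    /** Returns true if the BC jar on the classpath is 1.67 or later. */
    static boolean providerIsSafe() {
        // Provider.getVersion() is deprecated since Java 9 but still available;
        // BC reports its release number as a double (for example 1.67).
        return new BouncyCastleProvider().getVersion() >= MIN_SAFE_BC_VERSION;
    }

    /** Hashes a password with a fresh 128-bit salt, producing a bcrypt string. */
    static String hashPassword(char[] password, SecureRandom random) {
        byte[] salt = new byte[16]; // bcrypt requires exactly 16 salt bytes
        random.nextBytes(salt);
        return OpenBSDBCrypt.generate(password, salt, COST);
    }

    /** Verifies a candidate against a stored hash; fails closed on an unsafe provider. */
    static boolean verifyPassword(String storedHash, char[] candidate) {
        if (!providerIsSafe()) {
            throw new IllegalStateException("Bouncy Castle " + MIN_SAFE_BC_VERSION
                + " or later is required for OpenBSDBCrypt.checkPassword()");
        }
        return OpenBSDBCrypt.checkPassword(storedHash, candidate);
    }

    public static void main(String[] args) {
        SecureRandom random = new SecureRandom();
        // Constructed test inputs for the demo.
        char[] password = "correct horse battery staple".toCharArray();
        String stored = hashPassword(password, random);
        System.out.println("stored hash:               " + stored);
        System.out.println("correct password accepted: " + verifyPassword(stored, password));
        System.out.println("wrong password accepted:   "
            + verifyPassword(stored, "Tr0ub4dor&3".toCharArray()));
    }
}
```

<p>
The version guard is deliberately crude: it checks the jar the class loader actually resolves, which is what matters when several Bouncy Castle versions end up on a classpath through transitive dependencies.
</p>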
<a id="r1rv66"><h3>2.9.1 Version</h3></a>
Release: 1.66<br/>
Date: 2020, July 4th.
<h3>2.9.2 Defects Fixed</h3>
<ul>
<li>EdDSA verifiers now reset correctly after rejecting overly long signatures.</li>
<li>BCJSSE: SSLSession.getPeerCertificateChain could throw NullPointerException. This has been fixed.</li>
<li>qTESLA-I verifier would reject some valid signatures. This has been fixed.</li>
<li>qTESLA verifiers now reject overly long signatures.</li>
<li>PGP regression caused failure to preserve existing version header when headers were reset. This has now been fixed.</li>
<li>PKIXNameConstraintValidator had a bad cast preventing use of multiple OtherName constraints. This has been fixed.</li>
<li>Serialisation of the non-CRT RSA Private Key could cause a NullPointerException. This has been fixed.</li>
<li>An extra 4 bytes were included at the start of HSS public key encodings. This has been fixed.</li>
<li>CMS with Ed448 using a direct signature was using id-shake256-len rather than id-shake256. This has been fixed.</li>
<li>Use of GCMParameterSpec could cause an AccessControlException under some circumstances. This has been fixed.</li>
<li>DTLS: Fixed high-latency HelloVerifyRequest handshakes.</li>
<li>An encoding bug for rightEncoded() in KMAC has been fixed.</li>
<li>For a few values the cSHAKE implementation would add unnecessary pad bytes where the N and S strings produced encoded data that was block aligned. This has been fixed.</li>
<li>There were a few circumstances where Argon2BytesGenerator might hit an unexpected null. These have been removed.</li>
</ul>
<h3>2.9.3 Additional Features and Functionality</h3>
<ul>
<li>The qTESLA signature algorithm has been updated to v2.8 (20191108).</li>
<li>BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension.</li>
<li>Support has been added for PKIXRevocationChecker for users of Java 8 and later.</li>
<li>Support has been added for "ocsp.enable", "ocsp.responderURL" for users of Java 8 and later.</li>
<li>Support has been added for "org.bouncycastle.x509.enableCRLDP" to the PKIX validator.</li>
<li>BCJSSE: Now supports system property 'jsse.enableFFDHE'</li>
<li>BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes' and 'jdk.tls.server.SignatureSchemes'.</li>
<li>Multi-release support has been added for Java 11 XECKeys.</li>
<li>Multi-release support has been added for Java 15 EdECKeys.</li>
<li>The MiscPEMGenerator will now output general PrivateKeyInfo structures.</li>
<li>A new property "org.bouncycastle.pkcs8.v1_info_only" has been added to make the provider only produce version 1 PKCS8 PrivateKeyInfo structures.</li>
<li>The PKIX CertPathBuilder will now take the target certificate from the target constraints if a specific certificate is given to the selector.</li>
<li>BCJSSE: A range of ARIA and CAMELLIA cipher suites added to supported list.</li>
<li>BCJSSE: Now supports the PSS signature schemes from RFC 8446 (TLS 1.2 onwards).</li>
<li>Performance of the Base64 encoder has been improved.</li>
<li>The PGPPublicKey class will now include direct key signatures when checking for key expiry times.</li>
</ul>
<h3>2.9.4 Notes</h3>
<p>
The qTESLA update breaks compatibility with previous versions. Private keys now include a hash of the public key at the end, and signatures are no longer interoperable with previous versions.
</p>
<a id="r1rv65"><h3>2.10.1 Version</h3></a>
Release: 1.65<br/>
Date: 2020, March 31st.
<h3>2.10.2 Defects Fixed</h3>
<ul>
<li>DLExternal would encode using DER encoding for tagged SETs. This has been fixed.</li>
<li>ChaCha20Poly1305 could fail for large (>~2GB) files. This has been fixed.</li>
<li>ChaCha20Poly1305 could fail for small updates when used via the provider. This has been fixed.</li>
<li>Properties.getPropertyValue could ignore the system property when other local overrides were set. This has been fixed.</li>
<li>The entropy gathering thread was not running in daemon mode, meaning there could be a delay in an application shutting down due to it. This has been fixed.</li>
<li>A recent change in Java 11 could cause an exception with the BC Provider's implementation of PSS. This has been fixed.</li>
<li>BCJSSE: TrustManager now tolerates having no trusted certificates.</li>
<li>BCJSSE: Choice of credentials and signing algorithm now respect the peer's signature_algorithms extension properly.</li>
<li>BCJSSE: KeyManager for KeyStoreBuilderParameters no longer leaks memory.</li>
</ul>
<h3>2.10.3 Additional Features and Functionality</h3>
<ul>
<li>LMS and HSS (RFC 8554) support has been added to the low level library and the PQC provider.</li>
<li>SipHash128 support has been added to the low level library and the JCE provider.</li>
<li>BCJSSE: BC API now supports explicitly specifying the session to resume.</li>
<li>BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode).</li>
<li>BCJSSE: Added support for extended_master_secret system properties: jdk.tls.allowLegacyMasterSecret, jdk.tls.allowLegacyResumption, jdk.tls.useExtendedMasterSecret .</li>
<li>BCJSSE: KeyManager and TrustManager now check algorithm constraints for keys and certificate chains.</li>
<li>BCJSSE: KeyManager selection of server credentials now prefers matching SNI hostname (if any).</li>
<li>BCJSSE: KeyManager may now fallback to imperfect credentials (expired, SNI mismatch).</li>
<li>BCJSSE: Client-side OCSP stapling support (beta version: via status_request extension only, provides jdk.tls.client.enableStatusRequestExtension, and requires CertPathBuilder support).</li>
<li>TLS: DSA in JcaTlsCrypto now falls back to stream signing to work around NoneWithDSA limitations in default provider.</li>
</ul>
<a id="r1rv64"><h3>2.11.1 Version</h3></a>
Release: 1.64<br/>
Date: 2019, October 7th.
<h3>2.11.2 Defects Fixed</h3>
<ul>
<li>OpenSSH: Fixed padding in generated Ed25519 private keys.</li>
<li>Validation of headers in PemReader now looks for tailing dashes in header.</li>
<li>PKIXNameConstraintValidator was throwing a NullPointerException on OtherName. This has been fixed.</li>
<li>Some compatibility issues around the signature encryption algorithm field in CMS SignedData and the GOST algorithms have been addressed.</li>
<li>GOST3410-2012-512 now uses the GOST3411-2012-256 as its KDF digest.</li>
</ul>
<h3>2.11.3 Additional Features and Functionality</h3>
<ul>
<li>PKCS12: key stores containing only certificates can now be created without the need to provide passwords.</li>
<li>BCJSSE: Initial support for AlgorithmConstraints; protocol versions and cipher suites.</li>
<li>BCJSSE: Initial support for 'jdk.tls.disabledAlgorithms'; protocol versions and cipher suites.</li>
<li>BCJSSE: Add SecurityManager check to access session context.</li>
<li>BCJSSE: Improved SunJSSE compatibility of the NULL_SESSION.</li>
<li>BCJSSE: SSLContext algorithms updated for SunJSSE compatibility (default enabled protocols).</li>
<li>The digest functions Haraka-256 and Haraka-512 have been added to the provider and the light-weight API</li>
<li>XMSS/XMSS^MT key management now allows for allocating subsets of the private key space using the extraKeyShard() method. Use of StateAwareSignature is now deprecated.</li>
<li>Support for Java 11's NamedParameterSpec class has been added (using reflection) to the EC and EdEC KeyPairGenerator implementations.</li>
</ul>
<h3>2.11.4 Removed Features and Functionality</h3>
<ul>
<li>Deprecated ECPoint 'withCompression' tracking has been removed.</li>
</ul>
<h3>2.11.5 Security Advisory</h3>
<ul>
<li>A change to the ASN.1 parser in 1.63 introduced a regression that can cause an OutOfMemoryError to occur on parsing ASN.1 data. We recommend upgrading to 1.64, particularly where an application might be parsing untrusted ASN.1 data from third parties.</li>
</ul>
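<p>
The following is an added example, not code from the release notes or from the Bouncy Castle code base. Beyond upgrading, the practitioner's caveat for the advisory above is to never hand an unbounded stream of third-party ASN.1 to the parser. ASN1InputStream has a constructor that takes an explicit size limit; any declared length at or above that limit is rejected while reading the header, before any allocation based on it. The limit value and the two sample encodings are constructed for the demonstration.
</p>

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.util.encoders.Hex;

/**
 * Added example (not part of the release notes or the BC code base): parse
 * untrusted DER with an explicit size limit so an attacker-controlled length
 * field is rejected up front instead of driving allocation.
 */
public class BoundedAsn1Parse {
    // Hypothetical cap on the largest top-level object this application accepts.
    static final int MAX_OBJECT_BYTES = 64 * 1024;

    /** Parses exactly one DER object from untrusted bytes, bounded by MAX_OBJECT_BYTES. */
    static ASN1Primitive parseUntrusted(byte[] data) throws IOException {
        if (data.length > MAX_OBJECT_BYTES) {
            throw new IOException("input exceeds " + MAX_OBJECT_BYTES + " bytes");
        }
        // The limit constructor makes the parser reject any declared length >= limit.
        try (ASN1InputStream in =
                 new ASN1InputStream(new ByteArrayInputStream(data), MAX_OBJECT_BYTES)) {
            ASN1Primitive obj = in.readObject();
            if (obj == null) {
                throw new IOException("empty input");
            }
            if (in.readObject() != null) {
                throw new IOException("trailing data after first object");
            }
            return obj;
        }
    }

    public static void main(String[] args) {
        // Constructed input: a well-formed SEQUENCE { INTEGER 1, OCTET STRING ff }.
        byte[] benign = Hex.decode("30060201010401ff");
        // Constructed input: a SEQUENCE header claiming a 2 GiB body that is not there.
        byte[] hostile = Hex.decode("30847fffffff020101");
        for (byte[] input : new byte[][] { benign, hostile }) {
            try {
                System.out.println("parsed:   " + parseUntrusted(input));
            } catch (IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

<p>
The explicit limit matters most when the source is a socket or other InputStream whose total length is not known up front; for a byte array the parser can derive a bound from the array length, but stating the application's own ceiling keeps the behaviour the same whichever source the bytes came from.
</p>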
<a id="r1rv63"><h3>2.12.1 Version</h3></a>
Release: 1.63<br/>
Date: 2019, September 10th.
<h3>2.12.2 Defects Fixed</h3>
<ul>
<li>The ASN.1 parser would throw a large object exception for some objects which could be safely parsed. This has been fixed.</li>
<li>GOST3412-2015 CTR mode was unusable at the JCE level. This has been fixed.</li>
<li>The DSTU MACs were failing to reset fully on doFinal(). This has been fixed.</li>
<li>The DSTU MACs would throw an exception if the key length was a multiple of the MAC's underlying buffer size. This has been fixed.</li>
<li>EdEC and QTESLA were not previously usable with the post Java 9 module structure. This is now fixed.</li>
<li>ECNR was not correctly bounds checking the input and could produce invalid signatures. This is now fixed.</li>
<li>ASN.1: Enforce no leading zeroes in OID branches (longer than 1 character).</li>
<li>TLS: Fix X448 support in JcaTlsCrypto.</li>
<li>Fixed field reduction for secp128r1 custom curve.</li>
<li>Fixed unsigned multiplications in X448 field squaring.</li>
<li>Some issues over subset Name Constraint validation in the CertPath analyser have now been fixed.</li>
<li>TimeStampResponse.getEncoded() could throw an exception if the TimeStampToken was null. This has been fixed.</li>
<li>Unnecessary memory usage in the ARGON2 implementation has been removed.</li>
<li>Param-Z in the GOST-28147 algorithm was not resolving correctly. This has been fixed.</li>
<li>It is now possible to specify different S-Box parameters for the GOST 28147-89 MAC.</li>
</ul>
<h3>2.12.3 Additional Features and Functionality</h3>
<ul>
<li>QTESLA is now updated with the round 2 changes. Note: the security categories, and in some cases key generation and signatures, have changed. For people interested in comparison, the round 1 version is now moved to org.bouncycastle.pqc.crypto.qteslarnd1 - this package will be deleted in 1.64. Please keep in mind that QTESLA may continue to evolve.</li>
<li>Support has been added for generating Ed25519/Ed448 signed certificates.</li>
<li>A method for recovering the message/digest value from an ECNR signature has been added.</li>
<li>Support for the ZUC-128 and ZUC-256 ciphers and MACs has been added to the provider and the lightweight API.</li>
<li>Support has been added for ChaCha20-Poly1305 AEAD mode from RFC 7539.</li>
<li>Improved performance for multiple ECDSA verifications using same public key.</li>
<li>Support for PBKDF2withHmacSM3 has been added to the BC provider.</li>
<li>The S/MIME API has been fixed to avoid unnecessary delays due to DNS resolution of a host's name in internal MimeMessage preparation.</li>
<li>The valid path for EST services has been updated to cope with the characters used in the Aruba clearpass EST implementation.</li>
</ul>
<a id="r1rv62"><h3>2.13.1 Version</h3></a>
Release: 1.62<br/>
Date: 2019, June 3rd.
<h3>2.13.2 Defects Fixed</h3>
<ul>
<li>DTLS: Fixed infinite loop on IO exceptions.</li>
<li>DTLS: Retransmission timers now properly apply to flights monolithically.</li>
<li>BCJSSE: setEnabledCipherSuites ignores unsupported cipher suites.</li>
<li>BCJSSE: SSLSocket implementations store passed-in 'host' before connecting.</li>
<li>BCJSSE: Handle SSLEngine closure prior to handshake.</li>
<li>BCJSSE: Provider now configurable using security config under Java 11 and later.</li>
<li>EdDSA verifiers now reject overly long signatures.</li>
<li>XMSS/XMSS^MT OIDs now using the values defined in RFC 8391.</li>
<li>XMSS/XMSS^MT keys now encoded with OID at start.</li>
<li>An error causing valid paths to be rejected due to DN based name constraints has been fixed in the CertPath API.</li>
<li>Name constraint resolution now includes special handling of serial numbers.</li>
<li>Cipher implementations now handle ByteBuffer usage where the ByteBuffer has no backing array.</li>
<li>CertificateFactory now enforces presence of PEM headers when required.</li>
<li>A performance issue with RSA key pair generation that was introduced in 1.61 has been mostly eliminated.</li>
</ul>
<h3>2.13.3 Additional Features and Functionality</h3>
<ul>
<li>Builders for X509 certificates and CRLs now support replace and remove extension methods.</li>
<li>DTLS: Added server-side support for HelloVerifyRequest.</li>
<li>DTLS: Added support for an overall handshake timeout.</li>
<li>DTLS: Added support for the heartbeat extension (RFC 6520).</li>
<li>DTLS: Improve record seq. behaviour in HelloVerifyRequest scenarios.</li>
<li>TLS: BasicTlsPSKIdentity now reusable (returns cloned array from getPSK).</li>
<li>BCJSSE: Improved ALPN support, including selectors from Java 9.</li>
<li>Lightweight RSADigestSigner now supports use of NullDigest.</li>
<li>SM2Engine now supports C1C3C2 mode.</li>
<li>SHA256withSM2 now added to provider.</li>
<li>BCJSSE: Added support for ALPN selectors (including in BC extension API for earlier JDKs).</li>
<li>BCJSSE: Support 'SSL' algorithm for SSLContext (alias for 'TLS').</li>
<li>The BLAKE2xs XOF has been added to the lightweight API.</li>
<li>Utility classes added to support journaling of SecureRandom and algorithms to allow persistence and later resumption.</li>
<li>PGP SexprParser now handles some unprotected key types.</li>
<li>NONEwithRSA support added to lightweight RSADigestSigner.</li>
<li>Support for the Ethereum flavor of IES has been added to the lightweight API.</li>
</ul>
<a id="r1rv61"><h3>2.14.1 Version</h3></a>
Release: 1.61<br/>
Date: 2019, February 4th.
<h3>2.14.2 Defects Fixed</h3>
<ul>
<li>Use of EC named curves could be lost if keys were constructed via a key factory and algorithm parameters. This has been fixed.</li>
<li>RFC3211WrapEngine would not properly handle messages longer than 127 bytes. This has been fixed.</li>
<li>The JCE implementations for RFC3211 would not return null AlgorithmParameters. This has been fixed.</li>
<li>TLS: Don't check CCS status for hello_request.</li>
<li>TLS: Tolerate unrecognized hash algorithms.</li>
<li>TLS: Tolerate unrecognized SNI types.</li>
<li>An incompatibility issue in ECIES-KEM encryption in cofactor mode has been fixed.</li>
<li>An issue with XMSS/XMSSMT private key loading which could result in invalid signatures has been fixed.</li>
<li>StateAwareSignature.isSigningCapable() now returns false when the key has reached its maximum number of signatures.</li>
<li>The McEliece KeyPairGenerator was failing to initialize the underlying class if a SecureRandom was explicitly passed.</li>
<li>The McEliece cipher would sometimes report the wrong value on a call to Cipher.getOutputSize(int). This has been fixed.</li>
<li>CSHAKEDigest.leftEncode() was using the wrong endianness for multi byte values. This has been fixed.</li>
<li>Some ciphers, such as CAST6, were missing AlgorithmParameters implementations. This has been fixed.</li>
<li>An issue with the default "m" parameter for 1024 bit Diffie-Hellman keys which could result in an exception on key pair generation has been fixed.</li>
<li>The SPHINCS256 implementation is now more tolerant of parameters wrapped with a SecureRandom and will not throw an exception if it receives one.</li>
<li>A regression in PGPUtil.writeFileToLiteralData() which could cause corrupted literal data has been fixed.</li>
<li>Several parsing issues related to the processing of CMP PKIPublicationInfo have been fixed.</li>
<li>The ECGOST curves for id-tc26-gost-3410-12-256-paramSetA and id-tc26-gost-3410-12-512-paramSetC had incorrect co-factors. These have been fixed.</li>
</ul>
<h3>2.14.3 Additional Features and Functionality</h3>
<ul>
<li>The qTESLA signature algorithm has been added to PQC light-weight API and the PQC provider.</li>
<li>The password hashing function, Argon2 has been added to the lightweight API.</li>
<li>BCJSSE: Added support for endpoint ID validation (HTTPS, LDAP, LDAPS).</li>
<li>BCJSSE: Added support for 'useCipherSuitesOrder' parameter.</li>
<li>BCJSSE: Added support for ALPN.</li>
<li>BCJSSE: Various changes for improved compatibility with SunJSSE.</li>
<li>BCJSSE: Provide default extended key/trust managers.</li>
<li>TLS: Added support for TLS 1.2 features from RFC 8446.</li>
<li>TLS: Removed support for EC point compression.</li>
<li>TLS: Removed support for record compression.</li>
<li>TLS: Updated to RFC 7627 from draft-ietf-tls-session-hash-04.</li>
<li>TLS: Improved certificate sig. alg. checks.</li>
<li>TLS: Finalised support for RFC 8442 cipher suites.</li>
<li>Support has been added to the main Provider for the Ed25519 and Ed448 signature algorithms.</li>
<li>Support has been added to the main Provider for the X25519 and X448 key agreement algorithms.</li>
<li>Utility classes have been added for handling OpenSSH keys.</li>
<li>Support for processing messages built using GPG and Curve25519 has been added to the OpenPGP API.</li>
<li>The provider now recognises the standard SM3 OID.</li>
<li>A new API for directly parsing and creating S/MIME documents has been added to the PKIX API.</li>
<li>SM2 in public key cipher mode has been added to the provider API.</li>
<li>The BCFKSLoadStoreParameter has been extended to allow the use of certificates and digital signatures for verifying the integrity of BCFKS key stores.</li>
</ul>
<h3>2.14.4 Removed Features and Functionality</h3>
<ul>
<li>Deprecated methods for EC point construction independent of curves have been removed.</li>
</ul>
<a id="r1rv60"><h3>2.15.1 Version</h3></a>
Release: 1.60<br/>
Date: 2018, June 30
<h3>2.15.2 Defects Fixed</h3>
<ul>
<li>Base64/UrlBase64 would throw an exception on a zero length string. This has been fixed.</li>
<li>Base64/UrlBase64 would throw an exception if there was whitespace in the last 4 characters. This has been fixed.</li>
<li>The SM2 Signature JCE class now properly resets after Signature.sign() is called.</li>
<li>XMSS applies further validation to deserialisation of the BDS tree so that failure occurs as soon as tampering is detected (see CVE below).</li>
<li>An off by one error in the JsseDefaultHostnameAuthorizer isValidNameMatch method has been fixed.</li>
<li>BCJSSE: Return empty byte array instead of null, for the null session ID.</li>
<li>If a checksum calculator was passed to a PGPSecretKey constructor, but the encryptor was set to null, the wrong checksum would be calculated for the S2K usage. This has been fixed.</li>
<li>The CRMF EncryptedValue, when containing a private key, held an encoding of an EncryptedPrivateKeyInfo, rather than just the encrypted bytes. This has been fixed.</li>
<li>EC point precomputations could fail due to race conditions in concurrent settings. Point precomputation was reworked to fix this.</li>
<li>PGP key rings containing EdDSA signatures would cause an exception on parsing. This has been fixed.</li>
<li>BCJSSE: a mixed case error for brainpool curves in the supported groups set has been fixed.</li>
<li>getVersion() on the CRMF CertTemplate class could cause a null pointer exception if the optional version field was left out. This has been fixed.</li>
<li>Use of a short buffer with RSA via the JCE could result in an escaping ArrayIndexOutOfBoundsException. This has been fixed so that a ShortBufferException is now thrown.</li>
<li>SM2Engine.decrypt() ignored the offset parameter and assumed zero. This has been fixed.</li>
<li>A PEM encoded TRUSTED CERTIFICATE missing a trust block would result in a NullPointerException. This has been fixed.</li>
<li>If the Sun provider was removed entirely the BC SecureRandom was unable to seed and caused an InstantiationException. A back up seeding strategy has been added to prevent this.</li>
<li>In some situations the use of sm2p256v1 would result in "unknown curve name". This has been fixed.</li>
<li>CMP PollReqContent now supports multiple certificate request IDs.</li>
</ul>
<h3>2.15.3 Additional Features and Functionality</h3>
<ul>
<li>TLS: Extended CBC padding is now optional (and disabled by default).</li>
<li>TLS: Now supports channel binding 'tls-server-end-point'.</li>
<li>TLS: InterruptedIOException (e.g. socket timeout) during app-data reads no longer fails connection; handshake is optionally resumable after IIOE using 'TlsProtocol.setResumableHandshake()'.</li>
<li>TLS: Added utility methods and constants for ALPN (RFC 7301).</li>
<li>BCJSSE: Now supports system property 'jdk.tls.client.protocols'</li>
<li>BCJSSE: Now supports SSLParameters.setSNIMatchers.</li>
<li>BCJSSE: SNI can now be used in earlier JDKs via BC extensions.</li>
<li>BCJSSE: Session context now holds sessions via soft references.</li>
<li>An implementation of CryptoServicesRegistrar has been added to allow configuring of DSA/DH parameters and global setting of the SecureRandom used in the APIs.</li>
<li>Support has been added for the Unified Model of key agreement for both regular Diffie-Hellman and ECCDH.</li>
<li>Standard key-wrapping ciphers can now be used for wrapping other data where the cipher supports it.</li>
<li>BCFKS can now support the use of generalised wrapping algorithms.</li>
<li>A parser has now been added for the GNU keybox file format.</li>
<li>The GPG SExpr parser now covers a wider range of key types and validates associated checksums as well.</li>
<li>PGP EC operations now support more than just NIST curves.</li>
<li>Restrictions on the output sizes of the Blake2b/s digests in the lightweight API have been removed.</li>
<li>The Whirlpool digest OID has been added to its corresponding mappings for the JCA.</li>
<li>Support has been added for SHA-3 based signatures to the CMS API.</li>
<li>Support has been added to the CMS API for the generation of ECGOST key transport messages.</li>
<li>The ECElGamalEncryptor now supports the use of ECGOST curves.</li>
<li>The number of signature subpackets in OpenPGP signatures that are converted into explicit types automatically has been increased.</li>
<li>RFC 8032: Added low-level implementations of Ed25519 and Ed448.</li>
<li>The provider jars now include a services entry for the 2 providers they hold.</li>
<li>Support has been added for the German BSI KAEG Elliptic Curve key agreement algorithm with X9.63 as the KDF to the JCE.</li>
<li>Support has been added for the German BSI KAEG Elliptic Curve session key KDF to the lightweight API.</li>
</ul>
<h3>2.15.4 Security Related Changes and CVE's Addressed by this Release</h3>
<ul>
<li>CVE-2018-1000180: issue around primality tests for RSA key pair generation if done using only the low-level API.</li>
<li>CVE-2018-1000613: lack of class checking in deserialization of XMSS/XMSS^MT private keys with BDS state information.</li>
</ul>
<a id="r1rv59"><h3>2.16.1 Version</h3></a>
Release: 1.59 <br/>
Date: 2017, December 28
<h3>2.16.2 Defects Fixed</h3>
<ul>
<li>Issues with using PQC based keys with the provided BC KeyStores have now been fixed.</li>
<li>ECGOST-2012 public keys were being encoded with the wrong OID for the digest parameter in the algorithm parameter set. This has been fixed.</li>
<li>SM3 has now been added as an acceptable algorithm for TSP timestamps.</li>
<li>SM2 signatures were using the wrong default identity value. This has now been fixed.</li>
<li>An edge condition in Blake2b for hashes on data with a length in the range of 2**64 - 127 to 2**64 has been identified and fixed.</li>
<li>The ISO Trailer for SHA512/256 used in X9.31 and ISO9796-2 signatures was incorrect. This has been fixed.</li>
<li>The BCJSSE SSLEngine implementation now correctly wraps/unwraps application data only in whole records.</li>
<li>The curve parameters for tc26_gost_3410_12_256_paramSetA were incorrect. These have been fixed.</li>
<li>Further work has been done to try and prevent escaping exceptions on opening random files as BCFKS files or PKCS#12 files.</li>
<li>An off-by-one error for the max N check for SCRYPT has been fixed. SCRYPT should now be compliant with RFC 7914.</li>
<li>ASN1GeneralizedTime will now accept a broader range of input strings.</li>
</ul>
<h3>2.16.3 Additional Features and Functionality</h3>
<ul>
<li>GOST3410-94 private keys encoded using ASN.1 INTEGER are now accepted in private key info objects.</li>
<li>SCRYPT is now supported as a SecretKeyFactory in the provider and in the PKCS8 APIs</li>
<li>The BCJSSE provider now supports session resumption in clients.</li>
<li>The BCJSSE provider now supports Server Name Indication.</li>
<li>The BCJSSE provider now supports the jdk.tls.namedGroups system property.</li>
<li>The BCJSSE provider now supports the org.bouncycastle.jsse.ec.disableChar2 system property, which optionally disables the use of characteristic-2 elliptic curves.</li>
<li>EC key generation and signing now use cache-timing resistant table lookups.</li>
<li>Performance of the DSTU algorithms has been greatly improved.</li>
<li>Support has been added for generating certificates and signatures in the PKIX API using SHA-3 based digests.</li>
<li>Further work has been done on improving SHA-3 performance.</li>
<li>The organizationIdentifier (2.5.4.97) attribute has been added to BCStyle.</li>
<li>GOST3412-2015 has been added to the JCE provider and the lightweight API.</li>
<li>The Blake2s message digest has been added to the provider and the lightweight API.</li>
<li>Unified Cofactor Diffie-Hellman (ECCDHU) is now supported for EC in the JCE and the lightweight API.</li>
<li>A DEROtherInfo generator for key agreement using NewHope as the source of the shared private info has been added that can be used in conjunction with regular key agreement algorithms.</li>
<li>RFC 7748: Added low-level implementations of X25519 and X448.</li>
</ul>
<h3>2.16.4 Security Related Changes and CVE's Addressed by this Release</h3>
<ul>
<li>CVE-2017-13098 ("ROBOT"), a Bleichenbacher oracle in TLS when RSA key exchange is negotiated. This potentially affected BCJSSE servers and any other TLS servers configured to use JCE for the underlying crypto - note the two TLS implementations using the BC lightweight APIs are not affected by this.</li>
</ul>
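<p>
The following is an added example, not code from the release notes or from the Bouncy Castle code base. The durable fix for the advisory above is upgrading, but a server can also remove the attack surface the oracle needs: a Bleichenbacher oracle only exists where static RSA key exchange (the TLS_RSA_* suites) is negotiated, so restricting a BCJSSE server to the remaining (EC)DHE suites removes it regardless of which TLS implementation is underneath. The port, the empty context initialisation and the omitted key manager setup are assumptions for the demonstration.
</p>

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/**
 * Added example (not BC's own code): drop static-RSA key exchange suites from a
 * BCJSSE server so a Bleichenbacher-style oracle has nothing to query, leaving
 * only the (EC)DHE suites, which also provide forward secrecy.
 */
public class NoRsaKeyExchange {
    /** Removes TLS_RSA_* and SSL_RSA_* suites (static RSA key exchange) from a list. */
    static String[] withoutRsaKeyExchange(String[] suites) {
        return Arrays.stream(suites)
            .filter(s -> !s.startsWith("TLS_RSA_") && !s.startsWith("SSL_RSA_"))
            .toArray(String[]::new);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleJsseProvider());
        // Hypothetical setup: a real server initialises the context with its
        // KeyManagers; init(null, null, null) just takes the provider defaults.
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(null, null, null);
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        // Port chosen for the demo.
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(8443)) {
            SSLParameters params = server.getSSLParameters();
            params.setCipherSuites(withoutRsaKeyExchange(server.getEnabledCipherSuites()));
            server.setSSLParameters(params);
            // What remains should all be ECDHE_/DHE_ suites.
            for (String suite : server.getEnabledCipherSuites()) {
                System.out.println(suite);
            }
        }
    }
}
```

<p>
Apply the same filter to an SSLEngine or SSLSocket via its SSLParameters; the check to run afterwards is that no enabled suite name still starts with TLS_RSA_.
</p>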
<a id="r1rv58"><h3>2.17.1 Version</h3></a>
Release: 1.58 <br/>
Date: 2017, August 18
<h3>2.17.2 Defects Fixed</h3>
<ul>
<li>NewHope and SPHINCS keys are now correctly created off certificates by the BC provider.</li>
<li>Use of the seeded constructor with SecureRandom() and the BC provider in first position could cause a stack overflow error. This has been fixed.</li>
<li>The boolean flag on ECDSAPublicKey in CVCertficate was hard coded. This has been fixed.</li>
<li>An edge condition in IV processing for GOFB mode has been found and fixed.</li>
<li>ANSSI named EC curves were not being recognised in PKCS#10 and certificate parsing. This has been fixed.</li>
<li>BaseStreamCipher.engineSetMode() could sometimes throw an IllegalArgumentException rather than a NoSuchAlgorithmException. This has been fixed.</li>
<li>Some class resolving used by the provider would fail if the BC jar was loaded on the boot class path. This has been fixed.</li>
<li>An off-by-one range check in SM2Signer has been fixed.</li>
<li>Retrieving an SM2 key from a certificate could result in a NullPointerException due to a problem with the curve lookup. This has been fixed.</li>
<li>A race condition that could occur inside the HybridSecureRandom on reseed and result in an exception has been fixed.</li>
<li>DTLS now supports records containing multiple handshake messages.</li>
</ul>
<h3>2.17.3 Additional Features and Functionality</h3>
<ul>
<li>An implementation of GOST3410-2012 has been added to light weight API and the JCA provider.</li>
<li>Support for ECDH GOST3410-2012 and GOST3410-2001 have been added. The CMS API can also handle reading ECDH GOST3410 key transport messages.</li>
<li>Additional mappings have been added for a range of CVC-ECDSA algorithms.</li>
<li>XMSS and XMSSMT are now available via the BCPQC provider. Support has been added for using these keys in certificates as well.</li>
<li>Support has been added for DSTU-7564 message digest and the DSTU-7624 ciphers, together with their associated modes.</li>
<li>A new system property org.bouncycastle.asn1.allow_unsafe_integer has been added to allow parsing of malformed ASN.1 integers in a similar fashion to what BC 1.56 did. The default behavior remains as reject malformed integers.</li>
<li>SignedMailValidator would only pick up the first email address in a DN, even when there was more than one. This has been fixed.</li>
<li>PEMParser will now support a broader range of PBKDFs in encrypted private key files.</li>
<li>Work has been done on speeding up the SHA-3 family. The functions are now 3 to 4 times faster.</li>
<li>Some EC aliases in the provider had no corresponding implementations. These have been cleaned up.</li>
<li>TimeStampResponses now support definite-length encoding to allow the preservation of order in certificate sets for legacy responses.</li>
<li>The TSP API now supports SM2withSM3.</li>
<li>The BCJSSE provider now has a FIPS mode.</li>
<li>The BCJSSE provider now supports layered sockets.</li>
<li>The new TLS API now has protocol/API support for the status_request extension (OCSP stapling).</li>
<li>The new TLS API now supports RFC 7633 - X.509v3 TLS Feature Extension (e.g. "must staple"), enabled in default clients.</li>
<li>TLS exceptions have been made more directly informative.</li>
</ul>
<h3>2.17.4 Removed Features and Functionality</h3>
<ul>
<li>Per RFC 7465, removed support for RC4 in the new TLS API.</li>
<li>Per RFC 7568, removed support for SSLv3 in the new TLS API.</li>
</ul>
<a id="r1rv57"><h3>2.18.1 Version</h3></a>
Release: 1.57 <br/>
Date: 2017, May 11
<h3>2.18.2 Defects Fixed</h3>
<ul>
<li>A class cast exception for master certification removal in PGPPublicKey.removeCertification() by certification has been fixed.</li>
<li>GOST GOFB 28147-89 mode had an edge condition concerning the incorrect calculation of N4 (see section 6.1 of RFC 5830) affecting about 1% of IVs. This has been fixed.</li>
<li>The X.509 PolicyConstraints class was using implicit rather than explicit tagging for the SkipCerts field. This has been fixed.</li>
<li>Key expiration in the OpenPGP API is now calculated for ambiguous self signatures using the most recently created self-signature, in line with GPG and the recommendation in RFC 4880.</li>
<li>Multiple validity periods in PGP keys were resolved in an ad hoc fashion. In line with GPG's approach, the PGP API has been changed to return the most recently signed validity period.</li>
<li>An occasional class cast exception that could occur with nested multi-parts in the S/MIME API has been fixed.</li>
<li>A couple of bogus aliases associated with AlgorithmParameters that did not resolve in the provider have been removed.</li>
<li>The CMS API will now correctly verify PSS signatures with odd length salts.</li>
<li>Choosing an invalid mode on a stream cipher in the JCE could result in an IllegalArgumentException. This has now been corrected to throw a NoSuchAlgorithmException.</li>
<li>Optional parameters for ECDSA public keys in CVCertificates were hard coded to non-optional. This has been fixed.</li>
<li>Passing a PKCS12 key to a Mac in the BC JCE always resulted in SHA-1 being used to process the password regardless of the underlying MAC algorithm. This has been fixed. An unrecognised HMAC will also now result in an exception.</li>
<li>The Base64 encoder now explicitly validates 2 character padding as being "==".</li>
<li>EC FixedPointCombMultiplier avoids 'infinity' point in lookup tables, reducing timing side-channels.</li>
<li>Reuse of a Blake2b digest with a call to reset() rather than doFinal() could result in incorrect padding being introduced and the wrong digest result produced. This has been fixed.</li>
</ul>
<h3>2.18.3 Additional Features and Functionality</h3>
<ul>
<li>ARIA (RFC 5794) is now supported by the provider and the lightweight API.</li>
<li>ARIA Key Wrapping (RFC 5649 style) is now supported by the provider and the lightweight API.</li>
<li>SM2 signatures, key exchange, and public key encryption have been added to the lightweight API.</li>
<li>XMSS has been added to the lightweight PQ API. Note: this should be treated as beta code.</li>
<li>API support for client side EST (RFC 7030), as well as some CMC (RFC 5273) has been added to the PKIX API. A full set of ASN.1 classes for both protocols has been added as well.</li>
<li>A test client for EST which will interoperate with the RFC 7030 test server at http://testrfc7030.com/ has been added to the general test module in the current source tree.</li>
<li>The BCJSSE provider now supports SSLContext.getDefault(), with very similar behaviour to the SunJSSE provider, including checks of the relevant javax.net.ssl.* system properties and auto-loading of jssecacerts or cacerts as the default trust store.</li>
</ul>
<h3>2.18.4 Security Related Changes</h3>
<ul>
<li>The default parameter sizes for DH and DSA are now 2048 bits. If you have been relying on key pair generation without passing in parameters, generated keys will now be larger.</li>
<li>Further work has been done on preventing accidental re-use of a GCM cipher without first changing its key or IV.</li>
</ul>
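<p>
The following is an added example, not code from the Bouncy Castle project, showing the GCM re-use guard in practice through the JCE with the BC provider: the safe pattern (a fresh 96-bit nonce and a new init() for every message) next to the mistake the guard exists to catch (a second doFinal() on the same Cipher without re-initialising, which would reuse the key/nonce pair). The expectation that the provider signals the rejected reuse with an IllegalStateException is an assumption drawn from the lightweight GCM cipher's behaviour, as is the "nonce || ciphertext || tag" framing used for the output.
</p>

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/** Added example (not BC's own code): AES/GCM via the BC provider, with the re-use guard exercised. */
public class GcmNonceReuseDemo {
    private static final int NONCE_BYTES = 12;  // 96-bit nonce, the size GCM is designed around
    private static final int TAG_BITS = 128;

    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    /** Encrypts one message; output framing (an assumption of this example) is nonce || ciphertext || tag. */
    public static byte[] encrypt(SecretKey key, byte[] plaintext, SecureRandom rng) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];
        rng.nextBytes(nonce);                                   // fresh nonce for every message under this key
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding", "BC");
        gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = gcm.doFinal(plaintext);                     // ciphertext followed by the 16-byte tag
        byte[] out = new byte[NONCE_BYTES + ct.length];
        System.arraycopy(nonce, 0, out, 0, NONCE_BYTES);
        System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
        return out;
    }

    /** Decrypts a blob produced by encrypt(); a modified blob fails with AEADBadTagException. */
    public static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding", "BC");
        gcm.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, NONCE_BYTES));
        return gcm.doFinal(blob, NONCE_BYTES, blob.length - NONCE_BYTES);
    }

    /**
     * The anti-pattern: encrypt twice with the same Cipher object without calling init() again.
     * Returns true if the provider refuses the second doFinal(), i.e. the guard is active.
     */
    public static boolean reuseWithoutReinitIsRejected(SecretKey key) throws Exception {
        byte[] nonce = new byte[NONCE_BYTES];                  // deliberately fixed: this is the mistake
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding", "BC");
        gcm.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        gcm.doFinal("first message".getBytes(StandardCharsets.UTF_8));
        try {
            // Same key, same nonce: in GCM this leaks the XOR of the plaintexts and the authentication key.
            gcm.doFinal("second message".getBytes(StandardCharsets.UTF_8));
            return false;                                       // an old provider would silently allow this
        } catch (IllegalStateException e) {
            return true;                                        // assumed exception type for the refusal
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES", "BC");
        kg.init(256);
        SecretKey key = kg.generateKey();
        SecureRandom rng = new SecureRandom();

        byte[] blob = encrypt(key, "attack at dawn".getBytes(StandardCharsets.UTF_8), rng);
        System.out.println(new String(decrypt(key, blob), StandardCharsets.UTF_8));
        System.out.println("second doFinal() without re-init rejected: " + reuseWithoutReinitIsRejected(key));
    }
}
```

The point of the second method is that the guard only protects against the exact mistake of reusing a Cipher object; it cannot detect a caller who explicitly re-initialises with a nonce it has already used, so nonce management in encrypt() is still the application's responsibility.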
<a id="r1rv56"><h3>2.19.1 Version</h3></a>
Release: 1.56 <br/>
Date: 2016, December 23
<h3>2.19.2 Defects Fixed</h3>
<ul>
<li>See section <a href="#CVE156">2.19.4</a> for Security Defects.</li>
<li>Using unknown status with the ASN.1 CertStatus primitive could result in an IllegalArgumentException on construction. This has been fixed.</li>
<li>A potential NullPointerException in a precomputation in WNafUtil has been removed.</li>
<li>PGPUtil.getDecoderStream() would throw something other than an IOException for empty and very small data. This has been fixed.</li>
</ul>
<h3>2.19.3 Additional Features and Functionality</h3>
<ul>
<li>Support for the explicit setting of AlgorithmParameters has been added to the JceCMSContentEncryptorBuilder and the JceCMSMacCalculatorBuilder classes to allow configuration of the session cipher/MAC used.</li>
<li>EC, ECGOST3410, and DSTU4145 public keys are now validated on construction in the JCA/JCE and the lightweight API.</li>
<li>DSA public keys are now validated on construction in the JCA/JCE and the lightweight API.</li>
<li>Diffie-Hellman public keys are now validated where parameters allow it.</li>
<li>Some validations are now applied to RSA moduli and public exponents.</li>
<li>The ASN.1 Object Identifier cache now uses a ConcurrentHashMap for additional speed.</li>
<li>AES-CCM MAC support has been added to the provider.</li>
<li>Support for ChaCha7539 (ChaCha20 as defined in RFC 7539) and Poly1305 has been added to the provider.</li>
<li>Support has been added for defining your own curves and making them available to the key generators and factories.</li>
<li>Methods have been added for specifying that a PGPPublicKey/PGPPublicKeyRing is being encoded for export and trust packets are not required.</li>
<li>Plain-ECDSA and SHA-3 support has been added to DefaultDigestAlgorithmIdentifierFinder.</li>
<li>SHA-3 support has been added to BcDefaultDigestProvider.</li>
<li>A higher level TLS API and JSSE provider have been added to the project.</li>
</ul>
<a id="CVE156"><h3>2.19.4 Security Related Changes and CVE's Addressed by this Release</h3></a>
<ul>
<li>It is now possible to configure the provider to only import keys for specific named curves.</li>
<li>Work has been done to improve the "constant time" behaviour of the RSA padding mechanisms.</li>
<li>The GCM ciphers in the JCE and lightweight API will now fail if an attempt is made to use them for encryption after a doFinal or without changing the IV.</li>
<li>The constructor for IESParameterSpec that allows the use of cipher without a nonce has been deleted. See also details for CVE-2016-1000344, CVE-2016-1000352.</li>
<li>Strict encoding enforcement has been introduced for ASN1Integer.</li>
<li>CVE-2016-1000338: DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of "invisible" data into a signed structure.</li>
<li>CVE-2016-1000339: AESFastEngine has a side channel leak if table accesses can be observed. The use of large static lookup tables in AESFastEngine means that where data accesses by the CPU can be observed, it is possible to gain information about the key used to initialize the cipher. We now recommend not using AESFastEngine where this might be a concern. The BC provider is now using AESEngine by default.</li>
<li>CVE-2016-1000340: Static ECDH vulnerable to carry propagation bug.
Carry propagation bugs in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.</li>
<li>CVE-2016-1000341: DSA signature generation vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55 or earlier may allow an attacker to gain information about the signature's k value and ultimately the private value as well.</li>
<li>CVE-2016-1000342: ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of "invisible" data into a signed structure.</li>
<li>CVE-2016-1000343: DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.</li>
<li>CVE-2016-1000344: DHIES allows the use of unsafe ECB mode. This algorithm is now removed from the provider.</li>
<li>CVE-2016-1000345: DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.</li>
<li>CVE-2016-1000346: Other party DH public key not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of this release the key parameters are checked on agreement calculation.</li>
<li>CVE-2016-1000352: ECIES allows the use of unsafe ECB mode. This algorithm is now removed from the provider.</li>
</ul>
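<p>
The following is an added example, not code from the Bouncy Castle project, covering two items above together: it generates a DSA key pair with an explicit 2048-bit size instead of relying on the key pair generator's unparameterised default (CVE-2016-1000343, and the 2048-bit default noted for 1.57), and it shows the kind of strict DER check on a DSA/ECDSA signature that the fixes for CVE-2016-1000338 and CVE-2016-1000342 describe: exactly SEQUENCE { INTEGER r, INTEGER s }, no extra elements, no trailing bytes, and a byte-for-byte match against the canonical re-encoding. The decodeStrict and appendExtraElement methods are this example's own, built on BC's public ASN.1 classes; the injected third INTEGER is a constructed payload standing in for the "invisible" data the advisory mentions. Note that 2048-bit DSA parameter generation takes a while on first use.
</p>

```java
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;
import java.security.SignatureException;
import java.security.interfaces.DSAPublicKey;
import java.util.Arrays;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

/** Added example (not BC's own code): explicit DSA key size plus a strict DER signature check. */
public class StrictDsaSignatureDemo {
    static {
        Security.addProvider(new BouncyCastleProvider());
    }

    /** Always initialise with an explicit size; never call generateKeyPair() on an uninitialised generator. */
    public static KeyPair generateDsaKeyPair(SecureRandom rng) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA", "BC");
        kpg.initialize(2048, rng);   // explicit: 2048-bit p, 256-bit q (parameter generation is slow here)
        return kpg.generateKeyPair();
    }

    /** Strict decode of a DER DSA/ECDSA signature: returns {r, s} or throws IOException on any irregularity. */
    public static BigInteger[] decodeStrict(byte[] sig) throws IOException {
        ASN1InputStream in = new ASN1InputStream(sig);
        ASN1Primitive obj = in.readObject();
        if (in.read() != -1) {
            throw new IOException("trailing data after signature SEQUENCE");
        }
        if (!(obj instanceof ASN1Sequence)) {
            throw new IOException("signature is not a SEQUENCE");
        }
        ASN1Sequence seq = (ASN1Sequence) obj;
        if (seq.size() != 2) {
            throw new IOException("signature SEQUENCE must have exactly 2 elements, got " + seq.size());
        }
        BigInteger r = ASN1Integer.getInstance(seq.getObjectAt(0)).getValue();
        BigInteger s = ASN1Integer.getInstance(seq.getObjectAt(1)).getValue();
        if (r.signum() <= 0 || s.signum() <= 0) {
            throw new IOException("r and s must be positive");
        }
        // Canonical DER check: the only acceptable encoding of (r, s) is the one we would produce ourselves.
        // (BC's ASN1Integer already rejects non-minimal INTEGER encodings on parse; this catches the rest.)
        ASN1EncodableVector v = new ASN1EncodableVector();
        v.add(new ASN1Integer(r));
        v.add(new ASN1Integer(s));
        byte[] canonical = new DERSequence(v).getEncoded(ASN1Encoding.DER);
        if (!Arrays.equals(canonical, sig)) {
            throw new IOException("signature is not canonical DER");
        }
        return new BigInteger[] { r, s };
    }

    /** Builds the attack variant from the advisory: SEQUENCE { r, s, extra } with a constructed third INTEGER. */
    public static byte[] appendExtraElement(byte[] sig) throws IOException {
        ASN1Sequence seq = ASN1Sequence.getInstance(sig);
        ASN1EncodableVector v = new ASN1EncodableVector();
        v.add(seq.getObjectAt(0));
        v.add(seq.getObjectAt(1));
        v.add(new ASN1Integer(BigInteger.valueOf(0xdeadbeefL)));   // constructed "invisible" payload
        return new DERSequence(v).getEncoded(ASN1Encoding.DER);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        KeyPair kp = generateDsaKeyPair(rng);
        System.out.println("p bits: " + ((DSAPublicKey) kp.getPublic()).getParams().getP().bitLength());

        byte[] msg = "signed structure".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withDSA", "BC");
        signer.initSign(kp.getPrivate(), rng);
        signer.update(msg);
        byte[] sig = signer.sign();

        System.out.println("genuine signature strict-decodes: r bits " + decodeStrict(sig)[0].bitLength());

        byte[] tampered = appendExtraElement(sig);
        try {
            decodeStrict(tampered);
            System.out.println("strict check FAILED to reject the extra element");
        } catch (IOException e) {
            System.out.println("strict check rejected tampered signature: " + e.getMessage());
        }

        // From 1.56 on the provider itself rejects the tampered encoding: verify() returns false or
        // throws SignatureException; on 1.55 and earlier it could still validate.
        Signature verifier = Signature.getInstance("SHA256withDSA", "BC");
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        try {
            System.out.println("provider verify(tampered) = " + verifier.verify(tampered));
        } catch (SignatureException e) {
            System.out.println("provider rejected tampered signature: " + e.getMessage());
        }
    }
}
```

Running decodeStrict() before handing a signature to any verifier is cheap insurance when the same bytes are also embedded in a larger signed structure (CMS, a certificate, a TLS message): it is the embedding, not the signature mathematics, that the extra-element trick targets.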
<h3>2.19.5 Security Advisory</h3>
<ul>
<li>We consider the carry propagation bugs fixed in this release to have been exploitable in previous releases (1.51-1.55), for static ECDH, to reveal the long-term key, per <a href="https://eprint.iacr.org/2011/633">"Practical realisation and elimination of an ECC-related software bug attack", Brumley et al.</a>. The most common case of this would be the non-ephemeral ECDH ciphersuites in TLS. These are not enabled by default in our TLS implementations, but they can be enabled explicitly by users. We recommend that users DO NOT enable static ECDH ciphersuites for TLS.</li>
</ul>
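<p>
As an added example, not code from the Bouncy Castle project, the following shows one way to enforce the advice above on the JSSE side: the enabled cipher suites of a socket are filtered so that no non-ephemeral ECDH or DH suite (and no anonymous suite) remains, using only the standard javax.net.ssl API, so it applies equally to the BCJSSE provider added in 1.56 and to any other JSSE provider. The naming convention relied on (TLS_ECDH_ and TLS_DH_ for static, TLS_ECDHE_ and TLS_DHE_ for ephemeral) is the standard IANA suite naming; using "TLS" as the context protocol name with the "BCJSSE" provider and initialising it with default key and trust managers are assumptions of this example.
</p>

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/** Added example (not BC's own code): keep static (EC)DH ciphersuites out of a JSSE connection. */
public class NoStaticEcdh {
    static {
        Security.addProvider(new BouncyCastleProvider());
        Security.addProvider(new BouncyCastleJsseProvider());
    }

    /**
     * Returns only the suites whose key exchange is ephemeral and authenticated.
     * Static suites are named TLS_ECDH_&lt;auth&gt;_... / TLS_DH_&lt;auth&gt;_...; ephemeral ones
     * TLS_ECDHE_... / TLS_DHE_...; the TLS_ECDH_anon_ and TLS_DH_anon_ suites match the same prefixes.
     */
    public static String[] withoutStaticKeyExchange(String[] suites) {
        List<String> keep = new ArrayList<String>();
        for (String s : suites) {
            if (s.startsWith("TLS_ECDH_") || s.startsWith("TLS_DH_") || s.contains("_anon_")) {
                continue;   // static ECDH/DH, or anonymous: drop
            }
            keep.add(s);
        }
        return keep.toArray(new String[keep.size()]);
    }

    /** Opens a client socket through BCJSSE with the filtered suite list applied before the handshake. */
    public static SSLSocket connect(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");   // assumed protocol/provider names
        ctx.init(null, null, null);                                  // assumed: provider default managers
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket sock = (SSLSocket) factory.createSocket(host, port);
        sock.setEnabledCipherSuites(withoutStaticKeyExchange(sock.getEnabledCipherSuites()));
        return sock;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list: the filter must keep the two ECDHE/DHE suites and drop the other three.
        String[] sample = {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
            "TLS_DH_RSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDH_anon_WITH_AES_128_CBC_SHA"
        };
        for (String s : withoutStaticKeyExchange(sample)) {
            System.out.println("kept: " + s);
        }
    }
}
```

Apply the same filter on the server side via SSLServerSocket.setEnabledCipherSuites(); a client-side filter alone does not stop a server you operate from accepting a static ECDH suite offered by someone else's client.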
<a id="r1rv55"><h3>2.20.1 Version</h3></a>
Release: 1.55 <br/>
Date: 2016, August 18
<h3>2.20.2 Defects Fixed</h3>
<ul>
<li>Issues with cloning of Blake2b digests with salts and personalisation strings have been fixed.</li>
<li>The JceAsymmetricValueDecryptor in the CRMF package now attempts to recognise a wider range of parameters for the key wrapping algorithm, rather than relying on a default.</li>
<li>GCM now fails if an attempt is made to go past 2^32-1 blocks.</li>
<li>(r, k) ordering for Poly1305 has been modified to be brought into line with RFC 7539.</li>
<li>An occasional error in Poly1305 due to sign-extension has been fixed.</li>
<li>TimeStampRequest was always failing to validate if extensions were present. This has been fixed.</li>
<li>ECIES/IES algorithm parameters encoding failed on default parameters. This has been fixed.</li>
<li>PGPObjectFactory.iterator() could fail when called on data with multiple stream packets. This has been fixed.</li>
<li>The McEliece implementation in the BCPQC provider has been revised and now has working key factories associated with it.</li>
<li>The X.509 UserNotice class can now cope with empty sequences.</li>
<li>Creation of multiple providers concurrently could cause issues with a non-synchronized Map in the provider. Code is now synchronized.</li>
<li>If the lightweight OAEP encoder is fed oversized input it will now throw something more informative than an ArrayIndexOutOfBoundsException or simply truncate.</li>
<li>Attempting to use the PasswordRecipientInfoGenerator without explicitly setting the salt would cause a NullPointerException. This has been fixed.</li>
<li>The BasicConstraintsValidation in the CertPath API would throw a NullPointerException on an unconstrained path length. This has been fixed.</li>
<li>A shift error for > 24 bit numbers in TlsUtils has been fixed.</li>
<li>OAEP encryption for a zero length message would create invalid cipher text. This has been fixed.</li>
<li>Trying to use non-default parameters for OAEP in CRMF would resort to the default parameter set. This has been fixed.</li>
<li>If the BC provider was not registered, creating a CertificateFactory would cause a new provider object to be created. This has been fixed.</li>
</ul>
<h3>2.20.3 Additional Features and Functionality</h3>
<ul>
<li>The DANE API has been updated to reflect the latest standard changes.</li>
<li>The signature algorithm SPHINCS-256 has been added to the post-quantum provider (BCPQC). Support is in place for SHA-512 and SHA3-512 (using trees based around SHA512_256 and SHA3_256 respectively).</li>
<li>The key exchange algorithm NewHope has been added to the post-quantum provider (BCPQC). Support is in place for the regular configuration using SHA3-256 as the flattening algorithm for the agreed value.</li>
<li>The CMS password recipient generator now allows the PRF to be changed to something other than SHA-1.</li>
<li>Direct support for the SignatureTarget packet has been added to the OpenPGP API.</li>
<li>TLS: support for ClientHello Padding Extension (RFC 7685).</li>
<li>TLS: support for ECDH_anon key exchange.</li>
<li>Support has been added for HMAC SHA-3. Aliases have been added for NIST OIDs for SHA-3 HMAC as well.</li>
<li>Support has been added for SHA-3 in DSA, ECDSA, DDSA, and ECDDSA. Aliases have been added for NIST OIDs for DSA and ECDSA as well.</li>
<li>Support has been added for SHA-3 with RSA PKCS 1.5, PSS, and OAEP.</li>
<li>Support has been added for GOST R 34.11-2012 to the provider and the lightweight API.</li>
<li>PGP armored output can now be generated without a version string.</li>
<li>The TimeStampTokenGenerator will now generate timestamps down to a millisecond resolution.</li>
<li>Additional search methods have been added to PGP public and secret key rings.</li>
</ul>
<a id="r1rv54"><h3>2.21.1 Version</h3></a>
Release: 1.54 <br/>
Date: 2015, December 29
<h3>2.21.2 Defects Fixed</h3>
<ul>
<li>Blake2b-160, Blake2b-256, Blake2b-384, and Blake2b-512 are now actually in the provider and an issue with cloning Blake2b digests has been fixed.</li>
<li>PKCS#5 Scheme 2 using DESede CBC is now supported by the PKCS#12 implementation.</li>
<li>The IES engine would sometimes throw a "too short" exception on small messages which were the right length. This has been fixed.</li>
<li>Cipher.getOutputSize() for IES ciphers would throw a ClassCastException. This has been fixed.</li>
<li>It turns out, after advice one way and another, that the NESSIE test vectors for Serpent are the ones that should be followed, and that the vectors in the AES submission are regarded as describing an algorithm called Tnepres. The Serpent implementation now follows the NESSIE vectors, and the Tnepres cipher has been added to the provider and the lightweight API for compatibility.</li>
<li>Problems with DTLS record-layer version handling were resolved, making version negotiation work properly.</li>
</ul>
<h3>2.21.3 Additional Features and Functionality</h3>
<ul>
<li>Camellia and SEED key wrapping are now supported for CMS key agreement</li>
<li>The BC TLS/DTLS code now includes a non-blocking API.</li>
<li>CTR/SIC mode now supports an internal counter. The internal counter can be turned on by passing an IV smaller than the block size of the cipher's algorithm.</li>
<li>The lightweight CMS API operators now support CAST5 and RC2 CBC encryption.</li>
<li>The CMS API now supports Diffie-Hellman as specified in RFC 3370.</li>
<li>Support has been added to the CMS API for PKCS#7 ANY type encapsulated content where the encapsulated content is not an OCTET STRING.</li>
<li>PSSSigner in the lightweight API now supports fixed salts.</li>
</ul>
<h3>2.21.4 Security Advisory</h3>
<ul>
<li>(D)TLS 1.2: Motivated by <a href="https://www.google.com/search?q=CVE-2015-7575">CVE-2015-7575</a>, we have added validation that the signature algorithm received in DigitallySigned structures is actually one of those offered (in signature_algorithms extension or CertificateRequest). With our default TLS configuration, we do not believe there is an exploitable vulnerability in any earlier releases. Users that are customizing the signature_algorithms extension, or running a server supporting client authentication, are advised to double-check that they are not offering any signature algorithms involving MD5.</li>
</ul>
<h3>2.21.5 Notes</h3>
<p>
If you have been using Serpent, you will need to either change to Tnepres, or take into account the fact that Serpent is now byte-swapped compared to what it was before.
</p>
<a id="r1rv53"><h3>2.22.1 Version</h3></a>
Release: 1.53 <br/>
Date: 2015, October 10
<h3>2.22.2 Defects Fixed</h3>
<ul>
<li>The BC JCE cipher implementations could sometimes fail when used in conjunction with the JSSE and NIO. This has been fixed.</li>
<li>PGPPublicKey.getBitStrength() always returned 0 for EC keys. This has been fixed.</li>
<li>A PKCS12 key store containing a looping certificate chain could cause an OutOfMemoryError. This has been fixed.</li>
<li>A change in JDK 1.8 meant that X509Certificate.verify(PublicKey, Provider) would cause a stack overflow. This has been fixed.</li>
<li>Nested multiparts with irregular post-amble could cause verification issues for the SMIMESigned classes. This has been fixed.</li>
<li>CMSSignedData now supports verification of signed attributes where the calculated digest uses a different algorithm from the digest used in the signature.</li>
<li>TRUSTED CERTIFICATE parsing in PEM files was ignoring the attribute block. A new class X509TrustedCertificateBlock is now returned containing both the certificate and the trust information.</li>
<li>Adding a password to a PGP key which did not previously have one would result in an improperly formatted key. This has been fixed.</li>
<li>ECIES/IES was only using a 4 byte label length for the MAC tag when it should have been an 8 byte one. This has now been fixed and OldECIES/OldIES has been added for backwards compatibility.</li>
<li>The JceCRMFEncryptorBuilder was not recognising key size specific object identifiers properly. This has been fixed.</li>
<li>The OpenPGP ClearSignedFileProcessor would not handle verification of single line files properly. This has been fixed.</li>
<li>The BC X509Certificate class was no longer in agreement with the standard class for hashCode(). The BC X509Certificate class will now track the changes made in the standard Java distribution.</li>
<li>PGP signature hashed sub-packets with long length encodings would fail to validate on signature checking. This has been fixed.</li>
<li>The S/MIME API would occasionally leak InputStreams which could cause issues with custom DataSource implementations. This has been fixed.</li>
<li>The PKCS#12 KeyStore implementation would sometimes leave orphaned chain certificates in the key store after private key deletion. This has been fixed.</li>
<li>A bug in the DirectKeySignature OpenPGP example which could lead to extra data appearing in the signature has been fixed.</li>
<li>Explicit configuration of a BcAsymmetricKeyWrapper with a SecureRandom was not properly propagated internally. This has been fixed.</li>
<li>A CRL with a null certificate issuer would sometimes result in a NullPointerException during CertPathProcessing. This has been fixed.</li>
<li>The CertPath processor would occasionally fail to match a DistributionPoint name correctly. This has been fixed.</li>
<li>In order to avoid confusion about thread safety, BCrypt now uses a new instance for hash calculation every time it is invoked.</li>
<li>Some decidedly odd argument casting in the PKIXCertPathValidator has been fixed to throw an InvalidAlgorithmParameterException.</li>
<li>Presenting an empty array of certificates to the PKIXCertPathValidator would cause an IndexOutOfBoundsException instead of a CertPathValidatorException. This has been fixed.</li>
</ul>
<h3>2.22.3 Additional Features and Functionality</h3>
<ul>
<li>It is now possible to specify that an unwrapped key must be usable by a software provider in the asymmetric unwrappers for CMS.</li>
<li>A Blake2b implementation has been added to the provider and lightweight API.</li>
<li>SHA3 has now been added to the provider and the lightweight API. SHAKE128 and SHAKE256 have also been added to the lightweight API. The original implementation of the draft standard has been renamed to Keccak.</li>
<li>The CMS API now supports RFC 6211 for both SignedData and AuthenticatedData.</li>
<li>The ASN.1 parser for ECGOST private keys will now parse keys encoded with a private value represented as an ASN.1 INTEGER.</li>
<li>EAX mode and CMAC are now supported for ciphers such as SHACAL-2 and Threefish.</li>
<li>The SM4 block cipher has been added to the provider and the lightweight API.</li>
<li>X9.31, ISO9796/2, and PSS signature support has been added for SHA512/224, SHA512/256.</li>
<li>SubjectPublicKeyInfoFactory now supports DSA parameters.</li>
<li>A range of new algorithms is now supported for EC key agreement.</li>
<li>EC ContentSigners and EC ContentVerifiers have been added to the lightweight operator package in the PKIX APIs.</li>
<li>The PKCS#12 key store will now garbage collect orphaned certificates on saving.</li>
<li>Caching for ASN.1 ObjectIdentifiers has been rewritten to make use of an intern method. The "usual suspects" are now interned automatically, and the cache is used by the parser. Other OIDs can be added to the cache by calling ASN1ObjectIdentifier.intern().</li>
</ul>
<h3>2.22.4 Notes</h3>
<p>
It turns out there was a similar, but different, issue in Crypto++ to the BC issue with ECIES. Crypto++ 6.0 now offers a corrected version of ECIES which is compatible with that which is now in BC.
</p>
<a id="r1rv52"><h3>2.23.1 Version</h3></a>
Release: 1.52<br/>
Date: 2015, March 2
<h3>2.23.2 Defects Fixed</h3>
<ul>
<li>GenericSigner in the lightweight API would fail if the digest started with a zero byte, occasionally causing a TLS negotiation to fail. This has been fixed.</li>
<li>Some BC internal classes expected the BC provider to be accessible within the provider. This has been fixed.</li>
<li>Email based policy constraints in CertPath validation did not include '@'domain.name as a possible match. This has been fixed.</li>
<li>The Shacal2Engine would throw an ArrayIndexOutOfBoundsException if presented with input longer than a block size. This has been fixed.</li>
<li>Using PKCS5/PKCS7 with pad values greater than 127 would result in an exception on decryption. This has been fixed.</li>
<li>EC private key values could encode to an OCTET STRING which was shorter than that described in RFC 5915/SEC 1. This has been fixed.</li>
<li>Providing multiple trust anchors to the CertPath validator could cause a StackOverflowError on an invalid CertPath. This has been fixed.</li>
<li>TLS: bad-padding handling when encrypt-then-MAC enabled is now fixed.</li>
<li>ECDH KeyAgreement.init() was not properly honoring the JCE API in respect to non-null parameters. This has been fixed.</li>
<li>PKCS symmetric padding now takes into account pad lengths of more than 127 bytes.</li>
<li>Corrupted input to RFC5649WrapEngine could cause an out of memory error. This has been fixed.</li>
<li>OSGI import issues for bcmail have been fixed.</li>
<li>A badly formed issuer in a X.509 certificate could cause a null pointer exception in X509CertificateHolder.toString(). This has been fixed.</li>
<li>CMSSignedData.verifySignatures() could fail on a correct counter signature due to a mismatch of the SID. This has been fixed.</li>
</ul>
<h3>2.23.3 Additional Features and Functionality</h3>
<ul>
<li>The CMP support class CMPCertificate restricted the types of certificates that could be added. A more flexible method has been introduced to allow for other certificate types.</li>
<li>Support classes have been added for DNS-based Authentication of Named Entities (DANE) to the PKIX distribution.</li>
<li>Work has been done to reduce computation requirements for long skips associated with implementations of the SkippingCipher interface.</li>
<li>AES GCM mode is now supported by CMS EnvelopedData.</li>
<li>Iteration count is now settable in BcPKCS12MacCalculatorBuilder.</li>
<li>Support for BCrypt and its OpenBSD variant has been added to the lightweight API.</li>
<li>It's now possible to specify the direction of the underlying cipher used for key wrapping with NIST/RFC3394 wrappers.</li>
<li>TLS: server-side support for DHE key exchange.</li>
<li>TLS: server-side support for PSK and SRP ciphersuites.</li>
<li>TLS: (EC)DSA now supports signatures with non-SHA1 digests.</li>
<li>TLS: support for ECDHE_ECDSA/AES/CCM ciphersuites from RFC 7251.</li>
<li>Cipher.getIV() now returns nonces for AEAD modes.</li>
<li>OIDs for dhPublicNumber and dhKeyAgreement are now supported by the provider.</li>
<li>OIDs for several signature types using the RIPEMD family of digests have been added to the provider.</li>
<li>JcaJceUtils.getDigestAlgName() has been added to assist in converting OIDs representing message digests into JCA algorithm names.</li>
<li>BasicOCSPResp.getSignatureAlgorithmID() has been added to allow algorithm identifier details to be returned from a basic OCSP response.</li>
<li>Additional OIDs have been added for OCSP.</li>
<li>X509CRLObject.getSignAlgName() now attempts to return an actual name, rather than an OID, for the signature algorithm.</li>
<li>SignedMailValidator now pays attention to the date in the PKIXParameters object if it is set.</li>
<li>A missing signing time in a signature no longer causes SignedMailValidator to fail a signature, but provides a warning instead.</li>
<li>An AlgorithmNameFinder implementation has been added to the PKIX API to provide "human friendly" translations of algorithm OIDs.</li>
<li>Support has been added for X9.31-1998 DRBG and X9.31-1998 RSA signatures to the lightweight API and the provider.</li>
<li>CertPath validator will now make use of the issuer key identifier and the issuer name if a key identifier is available for the issuer.</li>
<li>Support for some JDK1.5+ language features has finally made its way into the repository.</li>
</ul>
<h3>2.23.4 Security Advisory</h3>
<ul>
<li>The CTR DRBGs would not populate some bytes in the requested block of random bytes if the size of the block requested was not an exact multiple of the block size of the underlying cipher being used in the DRBG. If you are using the CTR DRBGs with request sizes that are not a multiple of the cipher block size, we strongly advise upgrading to this release, or contacting us for a work around.</li>
</ul>
<a id="r1rv51"><h3>2.24.1 Version</h3></a>
Release: 1.51<br />
Date: 2014, July 28
<h3>2.24.2 Defects Fixed</h3>
<ul>
<li>The AEAD GCM AlgorithmParameters object was unable to return a GCMParameterSpec object. This has been fixed.</li>
<li>Cipher.getIV() was returning null for AEAD mode ciphers. This has been fixed.</li>
<li>CipherInputStream would fail for some AEAD mode ciphers if the message was over 4k in length. This has been fixed.</li>
<li>The JCE provider will now produce simple RSAPrivateKey objects where CRT coefficients are not provided.</li>
<li>PGP key signature certifications did not support DIRECT KEY signatures. This has been fixed.</li>
<li>User Attribute subpackets in PGP with long length encodings could result in certification verification failing. This has been fixed.</li>
<li>Calls to CommandMap.setDefaultCommandMap() in the SMIME API are now wrapped in doPrivileged() blocks to allow them to work with a security manager.</li>
<li>The encoding of the certificate_authorities field of a TLS CertificateRequest has been fixed.</li>
<li>EC point formats are now strictly enforced in the TLS API.</li>
<li>The provider implementation was failing to throw an exception if algorithm parameters were passed in when none were required for EC key agreement. This has been fixed.</li>
<li>PKCS#12 files containing keys/certificates with empty attribute sets attached to them no longer cause an ArrayIndexOutOfBoundsException to be thrown.</li>
<li>Issues with certificate verification and server side DTLS/TLS 1.2 have now been fixed.</li>
</ul>
<h3>2.24.3 Additional Features and Functionality</h3>
<ul>
<li>The range of key algorithm names that will be interpreted by KeyAgreement.generateSecret() has been expanded for ECDH derived algorithms in the provider. A KeyAgreement of ECDHwithSHA1KDF can now be explicitly created.</li>
<li>ECIES now supports the use of IVs with the underlying block cipher and CBC mode in both the lightweight and the JCE APIs.</li>
<li>Support has been added for RFC5649 key wrapping using AES.</li>