Kunzisoft / KeePassDX

Lightweight vault and password manager for Android, KeePassDX allows editing encrypted data in a single file in KeePass format and fill in the forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0

Migration spongycastle -> bouncycastle #515

Closed Neustradamus closed 4 years ago

Neustradamus commented 4 years ago

For more security, can you change old spongycastle (based on old bouncycastle) to bouncycastle?

J-Jamet commented 4 years ago

Duplicate of #315. I have not yet studied the feasibility.

Neustradamus commented 4 years ago

@J-Jamet: Thanks for your reply! For several years, a lot of projects have already changed it.

J-Jamet commented 4 years ago

In this case, you can help me, I just prioritized developments, which is why the 2.5 version is not yet finished. ;) As we have the conversation on this issue, I close the old one. (but the next time, it is better to continue on an existing issue)

https://github.com/rtyley/spongycastle/issues/34

J-Jamet commented 4 years ago

What I am afraid of with this migration is that a package of the same name (bouncycastle) is used on old devices (in the system) and that the classes use methods that do not work with the requested algorithms. Do you have a link to a thread for Android projects that have already migrated with min SDK 14?

Otherwise we have to keep a different package name (spongycastle) with manual compilation for the latest version, which makes the process very cumbersome.

Can you tell me what are the major bugs and their impacts on the app that require the migration from version 1.58 to version 1.65?

Neustradamus commented 4 years ago

@J-Jamet: It is since Android Ice Cream Sandwich (Honeycomb was not open-source):

Since: com.android.org.bouncycastle

Before: org.bouncycastle

A little search here:

J-Jamet commented 4 years ago

OK, I made a branch which replaces Spongy Castle by Bouncy Castle, it seems to work with the technique of: Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME); before Security.addProvider(new BouncyCastleProvider());

I'm going to do some tests and integrate it into the develop branch.
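The provider swap described in the comment above (remove the provider registered under the name "BC", then register the bundled BouncyCastleProvider), written out as an added example; this is not KeePassDX's code and not part of the thread. It assumes the bcprov artifact is on the classpath, and the class and method names (BcProviderSetup, installBundledBouncyCastle, supportsCipher) are hypothetical. The check afterwards requests the cipher from the "BC" provider by name rather than relying on provider order, which is what guards against the trimmed platform copy of BouncyCastle silently answering a request for an algorithm it does not implement.

```java
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public final class BcProviderSetup {
    private BcProviderSetup() {}

    /**
     * Ensure the provider registered as "BC" is the bundled BouncyCastleProvider.
     * On Android a trimmed system copy (com.android.org.bouncycastle) may already be
     * registered under the same name, so it is removed before the bundled one is added.
     */
    public static Provider installBundledBouncyCastle() {
        Provider existing = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
        // The platform copy lives in a different package, so a class comparison
        // distinguishes it from the bundled org.bouncycastle provider.
        if (existing != null && existing.getClass().equals(BouncyCastleProvider.class)) {
            return existing; // already the bundled provider, nothing to do
        }
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
        Provider bundled = new BouncyCastleProvider();
        // addProvider appends, as in the thread; platform providers keep priority for
        // algorithms they implement, and callers pin "BC" explicitly where they need it.
        Security.addProvider(bundled);
        return bundled;
    }

    /** True if the provider named "BC" can supply the requested cipher transformation. */
    public static boolean supportsCipher(String transformation) {
        try {
            Cipher.getInstance(transformation, BouncyCastleProvider.PROVIDER_NAME);
            return true;
        } catch (GeneralSecurityException e) {
            // NoSuchAlgorithm / NoSuchProvider / NoSuchPadding all land here
            return false;
        }
    }

    public static void main(String[] args) {
        Provider p = installBundledBouncyCastle();
        System.out.println("Registered " + p.getName() + ": " + p.getInfo());
        // Twofish is one of the KeePass block ciphers; the trimmed Android copy
        // does not ship it, the bundled provider does.
        System.out.println("Twofish/CBC via BC: " + supportsCipher("Twofish/CBC/NoPadding"));
    }
}
```

Calling installBundledBouncyCastle() once at application start, before any Cipher or KeyDerivation use, is enough; repeated calls are harmless because of the class check. The supportsCipher probe is a cheap startup self-test that turns a missing algorithm into a clear failure instead of an exception deep inside database decryption.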

Neustradamus commented 4 years ago

@J-Jamet: Thanks for your changes! :)

Neustradamus commented 3 years ago

@J-Jamet: Can you update to 1.69? Note: There are CVE corrections between the current and the latest.

J-Jamet commented 3 years ago

Why do you answer in the closed issue? My constraints are still the same so please indicate the impacted CVEs in KeePassDX. https://github.com/Kunzisoft/KeePassDX/issues/833