komputing / KEthereum

Kotlin library for Ethereum
MIT License

For more security spongycastle -> bouncycastle #86

Closed. Neustradamus closed this issue 4 years ago.

Neustradamus commented 4 years ago

For more security, can you change the old spongycastle (based on an old bouncycastle) to bouncycastle?

ligi commented 4 years ago

Both are supported. See the module https://github.com/komputing/KEthereum/tree/master/crypto_impl_bouncycastle

Neustradamus commented 4 years ago

@ligi: Thanks for your comment! Currently the latest Bouncy Castle version is 1.65 and the latest Spongy Castle version is 1.58. Spongy Castle is a fork of Bouncy Castle. Please look at the previous links :)

For several years, a lot of projects have already moved from Spongy Castle to Bouncy Castle because the project is dead.

You can see discussion "34" in https://github.com/rtyley/spongycastle/issues.

Please remove all Spongy Castle parts.

ligi commented 4 years ago

I am not sure this is possible. AFAIK for Android I need to use spongycastle as bouncycastle clashes with the platform implementation.

Neustradamus commented 4 years ago

@ligi: No, it is used by several projects.

ligi commented 4 years ago

@Neustradamus do you know since which minSDK? Pretty sure there are phones out there that need the use of spongycastle.

Neustradamus commented 4 years ago

@ligi: Can you look at the old SC issue? And you can ask on it if you do not have the answer ^^

ligi commented 4 years ago

There are older Android versions where this is still an issue as far as I see. So I think I will not remove SC - perhaps make it clearer in the README that it should not be used unless you need to target old Android versions. But I see no reason (yet) I need to remove it.

Neustradamus commented 4 years ago

@ligi: The change has been done for what Android SDK?

You will be in a list of unsecured projects :/

Neustradamus commented 4 years ago

@ligi: It is since Android Ice Cream Sandwich (Honeycomb was not open-source):

com.android.org.bouncycastle http://androidxref.com/4.0.3_r1/search?q=com.android.org.bouncycastle&defs=&refs=&path=&hist=&project=abi&project=bionic&project=bootable&project=build&project=cts&project=dalvik&project=development&project=device&project=docs&project=external&project=frameworks&project=hardware&project=libcore&project=ndk&project=packages&project=prebuilt&project=sdk&project=system

Before: org.bouncycastle http://androidxref.com/2.3.7/search?q=org.bouncycastle&defs=&refs=&path=&hist=&project=bionic&project=bootable&project=build&project=cts&project=dalvik&project=development&project=device&project=external&project=frameworks&project=hardware&project=libcore&project=ndk&project=packages&project=prebuilt&project=sdk&project=system
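As an added check that is not part of this thread or of KEthereum: the Kotlin snippet below reports which Bouncy Castle or Spongy Castle provider class the runtime resolves, its reported version, and whether the class came from the app's own class loader or from the platform (boot) class loader, which is how the package clash discussed above shows up at runtime. It assumes the standard provider class names and the JCA provider names BC and SC.

```kotlin
import java.security.Provider
import java.security.Security

// Added example, not KEthereum's own code. Reports which Bouncy Castle-derived
// provider class the runtime actually resolves and which class loader supplied
// it, so an app that bundles org.bouncycastle can tell whether a platform copy
// on the boot classpath shadows the bundled one.

data class ProviderReport(
    val className: String,     // provider class that was resolved
    val providerName: String,  // JCA provider name, "BC" or "SC"
    val info: String?,         // Provider.getInfo(), e.g. "BouncyCastle Security Provider v1.65"
    val fromAppLoader: Boolean // false: the class came from the platform/boot class loader
)

// (class name, JCA provider name) pairs: upstream Bouncy Castle and the Spongy Castle repackaging
val candidates = listOf(
    "org.bouncycastle.jce.provider.BouncyCastleProvider" to "BC",
    "org.spongycastle.jce.provider.BouncyCastleProvider" to "SC",
)

fun inspectProviders(): List<ProviderReport> {
    val appLoader = ProviderReport::class.java.classLoader
    return candidates.mapNotNull { (className, providerName) ->
        val cls = try {
            Class.forName(className)
        } catch (e: ClassNotFoundException) {
            return@mapNotNull null // this variant is not on the classpath at all
        }
        // Use the already registered provider if there is one; otherwise instantiate the
        // class only to read its info, without registering it with the JCA.
        val provider = Security.getProvider(providerName)
            ?: (cls.getDeclaredConstructor().newInstance() as Provider)
        ProviderReport(
            className = className,
            providerName = providerName,
            info = provider.info,
            fromAppLoader = cls.classLoader === appLoader,
        )
    }
}

fun main() {
    val reports = inspectProviders()
    if (reports.isEmpty()) println("no Bouncy Castle or Spongy Castle provider class on the classpath")
    for (r in reports) {
        val origin = if (r.fromAppLoader) "bundled with the app" else "supplied by the platform/boot class loader"
        println("${r.providerName}: ${r.info} (${r.className}, $origin)")
    }
}
```

A "BC" entry whose class is not from the app loader means the platform's own copy won the classpath lookup, so the bundled version (and its fixes) is not the one in use.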

ligi commented 4 years ago

You will be in a list of unsecured projects :/

? You can use bouncycastle if you want - so this does not really make sense IMHO

Neustradamus commented 4 years ago

About CVE in Spongy Castle ;)

ligi commented 4 years ago

? Can you give me a URL? You really make no sense IMHO

Neustradamus commented 4 years ago

@ligi: It is here: https://github.com/komputing/KEthereum/issues/86#issue-598739026

ligi commented 4 years ago

You can use bouncycastle. The spongycastle module is only an option if you need to target old Android versions.

Neustradamus commented 4 years ago

@ligi: It is not solved! Please reopen it!

ligi commented 4 years ago

spongycastle is an option for targeting old Android devices. There is now a warning that it should only be used for this use case.

Neustradamus commented 4 years ago

@ligi: For Android <= 3.0, always used for you?

ligi commented 4 years ago

No, and why always?

Neustradamus commented 4 years ago

You have replied, you can remove Spongy Castle from the code :) Bouncy Castle works with all Android versions > 3.0.

ligi commented 4 years ago

No - this library might be used to target Android versions <= 3. I do not see a reason to prevent this by removing the option.