For more security spongycastle -> bouncycastle

[Neustradamus]

For more security, can you change old spongycastle (based on old bouncycastle) to bouncycastle?

• https://www.bouncycastle.org/
• https://www.bouncycastle.org/releasenotes.html
• http://www.bouncycastle.org/latest_releases.html
• https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bouncy%20castle
• https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bouncycastle
• https://www.cvedetails.com/vulnerability-list/vendor_id-7637/Bouncycastle.html

[ligi]

both are supported. See the module https://github.com/komputing/KEthereum/tree/master/crypto_impl_bouncycastle

[Neustradamus]

@ligi: Thanks for your comment! Currently Bouncy Castle last version is 1.65 and Spongy Castle last version is 1.58. Spongy Castle is a fork of Bouncy Castle. Please look previous links :)

Since several years, a lot of projects have already moved from Spongy Castle to Bouncy Castle because the project is dead.

You can see discussion "34" in https://github.com/rtyley/spongycastle/issues.

Please remove all Spongy Castle parts.

[ligi]

I am not sure this is possible. AFAIK for Android I need to use spongycastle as bouncycastle clashes with the platform implementation.

[Neustradamus]

@ligi: No, it is used by several projects.

[ligi]

@Neustradamus do you know since which minSDK? Pretty sure there are phones out there that need the use of spongycastle

[Neustradamus]

@ligi: Can you see on the old SC issue? And you can ask on it if you have not the answer ^^

[ligi]

There are older android versions where this is still an issue as far as I see. So I think I will not remove SC - perhaps make more clear in the README that it should not be used - only if you need to target old android versions. But I see no reason (yet) I need to remove it.

[Neustradamus]

@ligi: The change has been done for what Android SDK?

You will be in a list about not secured projects :/

[Neustradamus]

@ligi: It is since Android Ice Cream Sandwich (Honeycomb was not open-source):

• https://source.android.com/setup/start/build-numbers Ice Cream Sandwich | 4.0.1 - 4.0.2 | API level 14, NDK 7

com.android.org.bouncycastle http://androidxref.com/4.0.3_r1/search?q=com.android.org.bouncycastle&defs=&refs=&path=&hist=&project=abi&project=bionic&project=bootable&project=build&project=cts&project=dalvik&project=development&project=device&project=docs&project=external&project=frameworks&project=hardware&project=libcore&project=ndk&project=packages&project=prebuilt&project=sdk&project=system

Before: org.bouncycastle http://androidxref.com/2.3.7/search?q=org.bouncycastle&defs=&refs=&path=&hist=&project=bionic&project=bootable&project=build&project=cts&project=dalvik&project=development&project=device&project=external&project=frameworks&project=hardware&project=libcore&project=ndk&project=packages&project=prebuilt&project=sdk&project=system

[ligi]

You will be in a list about not secured projects :/

? you can use bouncycastle if you want - so this does not really make sense IMHO

[Neustradamus]

About CVE in Spongy Castle ;)

[ligi]

? can you give me a URL? You really make no sense IMHO

[Neustradamus]

@ligi: It is here: https://github.com/komputing/KEthereum/issues/86#issue-598739026

[ligi]

you can use bouncycastle. The spongycasle module is only an option if you need to target old android versions.

[Neustradamus]

@ligi: It is not solved! Please reopen it!

• https://github.com/komputing/KEthereum/search?q=spongycastle&unscoped_q=spongycastle

[ligi]

spongycastle is an option for targeting old android devices there is now a warning it should only be used for this use-case

[Neustradamus]

@ligi: For Android =< 3.0, always used for you?

[ligi]

no and why always?

[Neustradamus]

You have replied, you can remove Spongy Castle from the code :) Bouncy Castle works with all Android versions > 3.0.

[ligi]

no - this library might be used to target Android versions <= 3 - I do not see a reason to prevent this by removing the option