Tuweni project appears to be unmaintained, switch to other options?

[ghsa-retrieval]

Is your feature request related to a problem? Please describe. The Tuweni project appears to be abandoned, with the Apache Incubator repository being archived. A fork by the original author exists, but besides one version it has also not seen any updates. Without maintenance of the library this could lead to bugs and vulnerabilities not getting addressed.

Describe the solution you'd like Perhaps switching to BouncyCastle or other libraries might be an option.

Describe alternatives you've considered None

Additional context

[github-actions[bot]]

Thanks for submitting your first issue, we will have a look as quickly as possible.

[nbaars]

@ghsa-retrieval correct we need to move away from Tuweni. Do you have interest in picking this up?

[robertguetzkow]

@nbaars I would be interested in this. Replacing the library could be challenging though, as we need to ensure that it remains fully compatible with how libsodium works.

[nbaars]

@robertguetzkow would be great if you can pick this up! let me know if you need any help.

[robertguetzkow]

@nbaars I'll give it a try. What would be your preferred approach, should we use a specific provider (like Bouncy Castle) or just implement generically against JCA? The decision may have impact on the minimum required Java version to support all cryptographic algorithms.

[nbaars]

Using a specific provider is fine. Bouncycastle is already used in the project.

[robertguetzkow]

Will do. Currently quite busy at work though, so it might take a bit until I can implement it.

[robertguetzkow]

I'm starting to map out what changes are needed and in particular how libsodium and Bouncy Castle implement their Ed25519. I need to check whether or not we can ensure that the validation rejects the same inputs, e.g. libsodium performs small-order checks.