blob: 1389c8d54ef666aab1bf805df2ad9d756a9c94ff (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
bcprov.patch:
patch against Bouncy Castle's bcprov:
The main differences involve removing algorithms not included in the
reference implementation (RI). The libcore
java.security.StandardNames test support class provides the most
up-do-date documentation of differences between the RI's list of
supported algorithms and Android's. Some notable omissions versus the
RI:
- LDAP
- MD2
- RC2
Other performance (both speed and memory) and correctness changes:
- singleton DERNull (BouncyCastle now does this but we make constructor private to be sure)
- similarly made DERBoolean constructor private and moved to DERBoolean.{getInstance,TRUE,FALSE}
- removed use of Boolean constructor
- DERObjectIdentifier interns its internal String indentifer value
- changed uses of 'new Integer' to 'Integer.valueOf'
- X509CertificateObject.getEncoded caches its result
- removed references to SecretKeyFactory.PBE/PKCS5 SecretKeyFactory.PBE/PKCS12
- OpenSSLDigest uses NativeCrypto JNI API
- KeyStoreSpis made more tolerant of non-existant and null aliases
- PKCS12 KeyStore.getCreationDate tries to mimic RI behavior on null and missing aliases
- Make PKCS12 KeyStore throw error when setting non-PrivateKey, instead of on get
- Make PKCS12 KeyStore tolerate setting with an empty certificate chain
- Fixed cut & paste instanceof error in EncryptedPrivateKeyInfo
- Make BouncyCastleProvider.PROVIDER_NAME final
- Added wrapper for SecretKeyFactory.PBKDF2WithHmacSHA1
- Fixed BaseKeyFactorySpi to convert all Exceptions to InvalidKeySpecException for KeyRepTest
Other security changes:
- Blacklist fraudulent Comodo certificates in PKIXCertPathValidatorSpi
- Blacklist compromised DigiNotar Root CA by public key to block cross-signed intermediates
Other changes:
- Log entry and exit to DHParametersHelper.generateSafePrimes which has long, unpredictable runtime
bcpkix.patch:
patch against Bouncy Castle's bcpkix:
The main differences involve:
- removing algorithms not in our bcprov (MD2, MD4, SHA224, RIPEMD, GOST)
- using the singleton DERNull.INSTANCE
|
