Merge branch 'main' into 1794-auth-enveloped-recipients-kek-keyagree

Author: gefeili

.gitlab-ci.yml

@@ -2,6 +2,7 @@ stages:
   - check
   - build
   - test
+  - publish
   - sync
 
 check-code:
@@ -31,13 +32,13 @@ ant-build:
     - "ci_docker_run \"vm_base_intel:latest\" \"bc-java\" \"/workspace/bc-java/ci/build_1_8.sh\""
 
 
-test-code-8:
+test-code:
   stage: test
   needs: [ "check-code" ]
   script:
     - "ecr_login"
     - "ecr_pull vm_base_intel latest"
-    - "ci_docker_run \"vm_base_intel:latest\" \"bc-java\" \"/workspace/bc-java/ci/test_8.sh\""
+    - "ci_docker_run \"vm_base_intel:latest\" \"bc-java\" \"/workspace/bc-java/ci/test.sh\""
   artifacts:
     when: always
     reports:
@@ -51,68 +52,14 @@ test-code-8:
         - "tls/build/test-results/**/*.xml"
         - "mls/build/test-results/**/*.xml"
 
-test-code-11:
-  stage: test
-  needs: [ "check-code" ]
-  script:
-    - "ecr_login"
-    - "ecr_pull vm_base_intel latest"
-    - "ci_docker_run \"vm_base_intel:latest\" \"bc-java\" \"/workspace/bc-java/ci/test_11.sh\""
-  artifacts:
-    when: always
-    reports:
-      junit:
-        - "core/build/test-results/**/*.xml"
-        - "prov/build/test-results/**/*.xml"
-        - "pg/build/test-results/**/*.xml"
-        - "pkix/build/test-results/**/*.xml"
-        - "mail/build/test-results/**/*.xml"
-        - "util/build/test-results/**/*.xml"
-        - "tls/build/test-results/**/*.xml"
-        - "mls/build/test-results/**/*.xml"
-
-
-test-code-17:
-  stage: test
-  needs: [ "check-code" ]
-  script:
-    - "ecr_login"
-    - "ecr_pull vm_base_intel latest"
-    - "ci_docker_run \"vm_base_intel:latest\" \"bc-java\" \"/workspace/bc-java/ci/test_17.sh\""
-  artifacts:
-    when: always
-    reports:
-      junit:
-        - "core/build/test-results/**/*.xml"
-        - "prov/build/test-results/**/*.xml"
-        - "pg/build/test-results/**/*.xml"
-        - "pkix/build/test-results/**/*.xml"
-        - "mail/build/test-results/**/*.xml"
-        - "util/build/test-results/**/*.xml"
-        - "tls/build/test-results/**/*.xml"
-        - "mls/build/test-results/**/*.xml"
 
-
-test-code-21:
-  stage: test
-  needs: [ "check-code" ]
+publish:
+  stage: publish
   script:
+    - "apply_overlay bc-java-pub ./"
     - "ecr_login"
     - "ecr_pull vm_base_intel latest"
-    - "ci_docker_run \"vm_base_intel:latest\" \"bc-java\" \"/workspace/bc-java/ci/test_21.sh\""
-  artifacts:
-    when: always
-    reports:
-      junit:
-        - "core/build/test-results/**/*.xml"
-        - "prov/build/test-results/**/*.xml"
-        - "pg/build/test-results/**/*.xml"
-        - "pkix/build/test-results/**/*.xml"
-        - "mail/build/test-results/**/*.xml"
-        - "util/build/test-results/**/*.xml"
-        - "tls/build/test-results/**/*.xml"
-        - "mls/build/test-results/**/*.xml"
-
+    - "ci_docker_run \"vm_base_intel:latest\" \"bc-java\" \"/workspace/bc-java/ci/pub.sh\""
 
 spongycastle:
   stage: "sync"

CONTRIBUTORS.html

@@ -447,7 +447,7 @@
 <li>Adam Vartanian &lt;https://github.com/flooey&gt; use of ShortBuffer exception and buffer size pre-check in Cipher.doFinal().</li>
 <li>Bernd &lt;https://github.com/ecki&gt; Fix to make PGPUtil.pipeFileContents use buffer and not leak file handle.</li>
 <li>Shartung &lt;https://github.com/shartung&gt; Additional EC Key Agreement algorithms in support of German BSI TR-03111.</li>
-<li>Paul Schaub &lt;https://github.com/vanitasvitae&gt; bringing PGPSecretKey.getUserIds() into line with PGPPublicKey.getUserIds(). Exception message fix in BcPublicKeyDataDecryptorFactory. Additional tests on PGP key ring generation. Improved functionality of PGPSignatureSubpacketGenerator, PGPPublicKeyRing. Tweaks to PGPDataEncryptorBuilder interface, fix for JcaPGP/BcPGP Ed25519 private key conversion. Added configurable CRC detection to ArmoredInputStream, additional control character skipping in ArmoredInputStream. Rewind code for PGPPBEEncryptedData, addition of PGPSignature.getDigestPrefix(). Wrong list traversal fix in PGPSecretKeyRing. Further improvement to use of generics in PGP API. General interop improvements. PGP Public / Secure keyring ignore marker packets when reading. Initial work on PGP session key handling, filtering literal data for canoncialization. Addition of direct key identified key-ring construction. PGPSecretKeyRing.insertOrReplacePublicKey addition. Addition of utility methods for joining/merging signatures and public keys. Addition of PGP regexp packet, PolicyURI packet handling, UTF8 comment testing. Efficiency improvements to TruncatedStream. Initial Argon2 support for OpenPGP. General cleanups. Fast CRC24 implementation, SHA3 addtions to BcImplProvider, improvements to One Pass Signature support, signatue validation, read() consistency in BCPGInputStream. Contributions to AEAD support (v6 & v5) in PGP API. Addition of PGP WildCard ID, moving the PGP example code into the 21st century. Security patches for encrypted data generation, initial thread safe certification verification. Support for V6 EC keys, PGP packet criticality, and Preferred AEAD CipherSuites sigsubpacket support.</li>
+<li>Paul Schaub &lt;https://github.com/vanitasvitae&gt; bringing PGPSecretKey.getUserIds() into line with PGPPublicKey.getUserIds(). Exception message fix in BcPublicKeyDataDecryptorFactory. Additional tests on PGP key ring generation. Improved functionality of PGPSignatureSubpacketGenerator, PGPPublicKeyRing. Tweaks to PGPDataEncryptorBuilder interface, fix for JcaPGP/BcPGP Ed25519 private key conversion. Added configurable CRC detection to ArmoredInputStream, additional control character skipping in ArmoredInputStream. Rewind code for PGPPBEEncryptedData, addition of PGPSignature.getDigestPrefix(). Wrong list traversal fix in PGPSecretKeyRing. Further improvement to use of generics in PGP API. General interop improvements. PGP Public / Secure keyring ignore marker packets when reading. Initial work on PGP session key handling, filtering literal data for canoncialization. Addition of direct key identified key-ring construction. PGPSecretKeyRing.insertOrReplacePublicKey addition. Addition of utility methods for joining/merging signatures and public keys. Addition of PGP regexp packet, PolicyURI packet handling, UTF8 comment testing. Efficiency improvements to TruncatedStream. Initial Argon2 support for OpenPGP. General cleanups. Fast CRC24 implementation, SHA3 addtions to BcImplProvider, improvements to One Pass Signature support, signatue validation, read() consistency in BCPGInputStream. Contributions to AEAD support (v6 & v5) in PGP API. Addition of PGP WildCard ID, moving the PGP example code into the 21st century. Security patches for encrypted data generation, initial thread safe certification verification. Support for V6 EC keys, V6 signatures, PGP packet criticality, and Preferred AEAD CipherSuites sigsubpacket support.</li>
 <li>Nick of Nexxar &lt;https://github.com/nros&gt; update to OpenPGP package to handle a broader range of EC curves.</li>
 <li>catbref &lt;https://github.com/catbref&gt; sample implementation of RFC 7748/Ed25519 (incorporated work from github users Valodim and str4d as well).</li>
 <li>gerlion &lt;https://github.com/gerlion&gt; detection of concurrency issue with pre-1.60 EC math library.</li>
@@ -549,8 +549,10 @@
 <li>Jan Oupick&yacute; &lt;https://github.com/Honzaik&gt; - update to draft 13 of composite PQC signatures.</li>
 <li>Karsten Otto &lt;https://github.com/ottoka&gt; - finished the support for jdk.tls.server.defaultDHEParameters.</li>
 <li>Markus Sommer &lt;https://github.com/marsom&gt; - BCStyle lookup table fix for jurisdiction values.</li>
+<li>Jared Crawford &lt;https://github.com/jmcrawford45&gt; - Abstracting cire KEM functionality out of DHKEM to allow for use of alternative KEMs with HPKE.</li>
 <li>TaZbon &lt;https://github.com/TaZbon&gt; - Optional lax parsing patch for PEM parser.</li>
 <li>han-ji &lt;https://github.com/han-jl&gt; - Fix to sign extension issue in CTR random seek code.</li>
+<li>https://github.com/crlorentzen &lt;https://github.com/crlorentzen&gt; - Addition of system property for configuring GCM ciphers in 1.2 FIPS mode in the JSSE.</li>
 </ul>
 </body>
 </html>

README.md

@@ -10,17 +10,39 @@ Except where otherwise stated, this software is distributed under a license base
 
 **Note**: this source tree is not the FIPS version of the APIs - if you are interested in our FIPS version please contact us directly at  [[email protected]](mailto:[email protected]).
 
+## Maven Public Key
+
+The file [bc_maven_public_key.asc](bc_maven_public_key.asc) contains the public key used to sign our artifacts on Maven Central. You will need to use 
+
+```
+gpg -o bc_maven_public_key.gpg --dearmor bc_maven_public_key.asc
+```
+
+to dearmor the key before use. Once that is done, a file can be verified by using:
+
+```
+gpg --no-default-keyring --keyring ./bc_maven_public_key.gpg --verify  file_name.jar.asc file_name.jar
+```
+
+Note: the ./ is required in front of the key file name to tell gpg to look locally.
+
+## Building overview
+
+This project can now be built and tested with JDK21. 
+
+If the build script detects BC_JDK8, BC_JDK11, BC_JDK17 it will add to the usual test task a dependency on test tasks 
+that specifically use the JVMs addressed by those environmental variables. The script relies on JAVA_HOME for picking up Java 21 if it is use.
+
+We support testing on specific JVMs as it is the only way to be certain the library is compatible.
 
 ## Environmental Variables
 
-Before invoking gradlew you need to ensure the following environmental variables are defined and point
-to valid JAVA_HOMEs for each JVM version:
+The following environmental variables can optionally point to the JAVA_HOME for each JVM version.
 
 ```
 export BC_JDK8=/path/to/java8
 export BC_JDK11=/path/to/java11
 export BC_JDK17=/path/to/java17
-export BC_JDK21=/path/to/java21
 ```
 
 ## Building
@@ -30,7 +52,8 @@ The project now uses ```gradlew``` which can be invoked for example:
 ```
 # from the root of the project
 
-# Ensure JAVA_HOME points to JDK 17 or higher JAVA_HOME
+# Ensure JAVA_HOME points to JDK 21 or higher JAVA_HOME or that
+# gradlew can find a java 21 installation to use.
 
 
 ./gradlew clean build
@@ -41,19 +64,17 @@ The gradle script will endeavour to verify their existence but not the correctne
 
 
 ## Multi-release jars and testing
-Some subprojects produce multi-release jars and these jars are tested in different jvm versions.
-Default testing on these projects is done on java 1.8 and there are specific test tasks for other versions.
-
-1. test11 test on java 11 JVM
-2. test17 test on java 17 JVM
-3. test21 test on java 21 JVM
-
-To run all of them:
+Some subprojects produce multi-release jars and these jars are can be tested on different jvm versions specifically.
 
+If the env vars are defined:
 ```
-./gradlew clean build test11 test17 test21
+export BC_JDK8=/path/to/java8
+export BC_JDK11=/path/to/java11
+export BC_JDK17=/path/to/java17
 ```
 
+If only a Java 21 JDK is present then the normal test task and test21 are run only.
+
 
 ## Code Organisation
 

ant/bc+-build.xml

@@ -1012,7 +1012,7 @@
         <property name="test.target.src.dir" value="${test.target.dir}/src" />
 
         <mkdir dir="${basedir}/${build.dir}/${target.prefix}" />
-        <junit fork="yes" dir="${basedir}/${build.dir}/${target.prefix}" failureProperty="test.failed" printsummary="${junit.printsummary}">
+        <junit fork="yes" dir="${basedir}/${build.dir}/${target.prefix}" failureProperty="test.failed" printsummary="${junit.printsummary}" maxmemory="${junit.maxmemory}">
             <classpath>
                 <path refid="project.classpath" /> 
                 <fileset dir="${artifacts.jars.dir}">

ant/build.regexp

@@ -1,3 +1,3 @@
 
-regexp: <List<PGPSignature>>|<Map<CertID, OCSPResponse>>|<URI[^>]*>>|<[A-Z?][^>@]*[a-zA-Z0-9\\]]>|<[A-Z]>|<[a-z][^>@]*[a-z\\]]>|@SuppressWarnings(.*)|@Override|@Deprecated|@FunctionalInterface
+regexp: <List<PGPSignature>>|<Map<CertID, OCSPResponse>>|<URI[^>]*\\>>|<[A-Z?][^>@]*[a-zA-Z0-9\\]]>|<[A-Z]>|<[a-z][^>@]*[a-z\\]]>|@SuppressWarnings(.*)|@Override|@Deprecated|@FunctionalInterface
 

ant/jdk13.xml

@@ -13,6 +13,7 @@
     <property name="artifacts.dir" value="${build.dir}/artifacts/${jdk.name}" />
     <property name="target.prefix" value="jdk13" />
     <property name="javadoc.args" value="-protected" />
+    <property name="junit.maxmemory" value="1536m" />
 
     <target name="init">
         <mkdir dir="${src.dir}" />
@@ -55,6 +56,7 @@
                 <exclude name="**/asymmetric/dstu/*.java" />
                 <exclude name="**/Logging*.java" />
                 <exclude name="**/provider/config/PKCS12StoreParameter.java" />
+                <exclude name="**/COMPOSITE.java"/>
                 <exclude name="**/gemss/*.java"/>
                 <exclude name="**/rainbow/*.java"/>
                 <exclude name="**/Rainbow*.java"/>
@@ -89,6 +91,7 @@
                 <exclude name="**/gemss/*.java" />
                 <exclude name="**/CertPathReviewer*.java" />
                 <exclude name="**/PKIXCertPathReviewer.java" />
+                <exclude name="**/COMPOSITE.java"/>
                 <exclude name="**/PKIXAttrCert*.java" />
                 <exclude name="**/PKIXNameConstraints*.java" />
                 <exclude name="**/PKCS12StoreParameter.java" />
@@ -248,6 +251,7 @@
                 <exclude name="**/jce/provider/test/CertLocaleTest.java" />
             </fileset>
             <fileset dir="pkix/src/test/java">
+                <exclude name="**/CheckNameConstraintsTest.java"/>
                 <exclude name="**/pkix/test/RevocationTest.java"/>
                 <exclude name="**/SunProviderTest.java" />
                 <exclude name="**/NullProviderTest.java" />
@@ -328,19 +332,29 @@
 
         <replaceregexp match="${regexp}" replace=" " flags="g" byline="true">
             <fileset dir="${src.dir}">
-              <include name="**/*.java"/>
+                <include name="**/*.java"/>
+                <exclude name="**/SICBlockCipher.java"/>
             </fileset>
         </replaceregexp>
         <replaceregexp match="(List|Map|Set) >" replace="\1" flags="g" byline="true">
             <fileset dir="${src.dir}">
                 <include name="**/*.java"/>
                 <exclude name="**/MultipartParserTest.java"/>
+                <exclude name="**/SICBlockCipher.java"/>
+            </fileset>
+        </replaceregexp>
+        <replaceregexp match="StringBuilder" replace="StringBuffer" flags="g" byline="true">
+            <fileset dir="${src.dir}">
+                <include name="**/*.java"/>
+                <exclude name="**/MultipartParserTest.java"/>
+                <exclude name="**/SICBlockCipher.java"/>
             </fileset>
         </replaceregexp>
         <replaceregexp match="LinkedHashSet" replace="HashSet" flags="g" byline="true">
             <fileset dir="${src.dir}">
                 <include name="**/*.java"/>
                 <exclude name="**/MultipartParserTest.java"/>
+                <exclude name="**/SICBlockCipher.java"/>
             </fileset>
         </replaceregexp>
         <replaceregexp match="\.\.\." replace="[]" flags="g" byline="true">

ant/jdk14.xml

@@ -12,6 +12,7 @@
     <property name="artifacts.dir" value="${build.dir}/artifacts/${jdk.name}"/>
     <property name="target.prefix" value="jdk14"/>
     <property name="javadoc.args" value="-breakiterator"/>
+    <property name="junit.maxmemory" value="1536m" />
 
     <target name="init">
         <mkdir dir="${src.dir}"/>
@@ -77,6 +78,7 @@
                 <exclude name="**/JDKPKCS12StoreParameter.java"/>
                 <exclude name="**/SIKE*.java"/>
                 <exclude name="**/CompositeSign*.java"/>
+                <exclude name="**/COMPOSITE*.java"/>
                 <exclude name="**/rainbow/*.java"/>
                 <exclude name="**/Rainbow*.java"/>
                 <exclude name="**/XMS*.java"/>
@@ -131,6 +133,9 @@
                 <exclude name="**/keybox/**/*.java"/>
                 <exclude name="**/gpg/test/*.java"/>
                 <exclude name="**/BcImplProviderTest.java"/>
+                <exclude name="**/OperatorJcajceTest.java"/>
+                <exclude name="**/AEADWithArgon2Test.java"/>
+                <exclude name="**/AEADProtectedPGPSecretKeyTest.java"/>
             </fileset>
             <fileset dir="pkix/src/test/java">
                 <exclude name="**/est/**/*.java"/>
@@ -142,6 +147,7 @@
                 <exclude name="**/bouncycastle/cms/test/*AuthEnvelopedData*Test.java"/>
                 <exclude name="**/PKIXRevocationTest.java"/>
 		<exclude name="**/its/**/*.java"/>
+                <exclude name="**/CheckNameConstraintsTest.java"/>
             </fileset>
             <fileset dir="mail/src/test/java">
 		<exclude name="**/MailGeneralTest.java"/>
@@ -224,6 +230,13 @@
         </copy>
 
         <replaceregexp match="${regexp}" replace=" " flags="g" byline="true">
+            <fileset dir="${src.dir}">
+                <include name="**/*.java"/>
+                <exclude name="**/SICBlockCipher.java"/>
+                <exclude name="**/MultipartParserTest.java"/>
+            </fileset>
+        </replaceregexp>
+        <replaceregexp match="StringBuilder" replace="StringBuffer" flags="g" byline="true">
             <fileset dir="${src.dir}">
                 <include name="**/*.java"/>
                 <exclude name="**/MultipartParserTest.java"/>
@@ -232,6 +245,7 @@
         <replaceregexp match="(List|Map|Set|Iterator) >" replace="\1" flags="g" byline="true">
             <fileset dir="${src.dir}">
                 <include name="**/*.java"/>
+                <exclude name="**/SICBlockCipher.java"/>
                 <exclude name="**/MultipartParserTest.java"/>
             </fileset>
         </replaceregexp>

ant/jdk15+.xml

@@ -10,6 +10,8 @@
     <property name="src.dir" value="${build.dir}/${jdk.name}" />
     <property name="target.prefix" value="jdk15to18" />
     <property name="javadoc.args" value="-breakiterator" />
+    <property name="jmail.present" value="true" />
+    <property name="junit.maxmemory" value="1536m" />
 
     <target name="clean">
         <delete dir="${build.dir}" />
@@ -39,22 +41,18 @@
             <fileset dir="prov/src/test/resources" includes="**/*.*" />
 
             <fileset dir="tls/src/main/java" includes="**/*.java" />
-            <fileset dir="tls/src/main/jdk1.5" includes="**/*.java" />
             <fileset dir="tls/src/main/javadoc" includes="**/*.html" />
             <fileset dir="tls/src/test/java" includes="**/*.java" />
-            <fileset dir="tls/src/test/jdk1.5" includes="**/*.java" />
             <fileset dir="tls/src/test/resources" includes="**/*.*" />
 
             <fileset dir="pkix/src/main/java" includes="**/*.java" />
-            <fileset dir="pkix/src/main/jdk1.5" includes="**/*.java" />
             <fileset dir="pkix/src/main/javadoc" includes="**/*.html" />
             <fileset dir="pkix/src/main/resources" includes="**/*.properties" />
             <fileset dir="pkix/src/test/java" includes="**/*.java" />
             <fileset dir="pkix/src/test/javadoc" includes="**/*.html" />
             <fileset dir="pkix/src/test/resources" includes="**/*.*" />
 
             <fileset dir="pg/src/main/java" includes="**/*.java" />
-            <fileset dir="pg/src/main/jdk1.5" includes="**/*.java" />
             <fileset dir="pg/src/main/javadoc" includes="**/*.html" />
             <fileset dir="pg/src/main/java" includes="**/*.properties" />
             <fileset dir="pg/src/test/java" includes="**/*.java" />
@@ -74,6 +72,14 @@
             <fileset dir="mail/src/test/resources" includes="**/*.*" />
 
         </copy>
+        <copy todir="${src.dir}" overwrite="true">
+            <fileset dir="pkix/src/main/jdk1.5" includes="**/*.java" />
+            <fileset dir="tls/src/main/jdk1.5" includes="**/*.java" />
+            <fileset dir="tls/src/test/jdk1.5" includes="**/*.java" />
+            <fileset dir="pg/src/main/jdk1.5" includes="**/*.java" />
+            <fileset dir="pg/src/test/jdk1.5" includes="**/*.java" />
+        </copy>
+
         <available classname="com.puppycrawl.tools.checkstyle.CheckStyleTask" property="checkstyle.on" />
     </target>