Merge branch 'main' into pg-synchronize-bc_csharp

Author: gefeili

ci/check_java.sh

@@ -18,8 +18,11 @@ export BC_JDK21=`openjdk_21`
 export JAVA_HOME=`openjdk_17`
 export PATH=$JAVA_HOME/bin:$PATH
 
+# Checkstyle
 ./gradlew check -x test;
 
 
-
+# OSGI scanner only, no testing
+./gradlew clean build -x test
+./osgi_scan.sh
 

docs/releasenotes.html

@@ -92,7 +92,7 @@ <h3>2.3.5 Security Advisories.</h3>
 <li>CVE-2024-29857 - Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.</li>
 <li>CVE-2024-30171 - Possible timing based leakage in RSA based handshakes due to exception processing eliminated.</li>
 <li>CVE-2024-30172 - Crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.</li>
-<li>CVE-2024-301XX - When endpoint identification is enabled in the BCJSSE and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address. This has been fixed.</li>
+<li>CVE-2024-34447 - When endpoint identification is enabled in the BCJSSE and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address. This has been fixed.</li>
 </ul>
 
 <a id="r1rv77"><h3>2.4.1 Version</h3></a>

osgi_scan.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+
+if ! command -v osgiscanner &> /dev/null
+then
+    echo "osgiscanner not on path"
+    exit 1
+fi
+
+export script_loc=$( cd -- "$( dirname -- "$0" )" &> /dev/null && pwd )
+cd $script_loc
+
+export BCHOME=`pwd`
+
+osgiscanner -f osgi_scan.xml

osgi_scan.xml

@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<osgiscanner>
+
+
+    <prop load="gradle.properties"/>
+
+    <!-- Make bundle regular expression -->
+    <prop name="bundle_ver" value="${version}" find="-SNAPSHOT" replace=".0.[0-9]+"/>
+    <prop name="bundle_ver" value="^${bundle_ver}" find="\." replace="\\."/>
+
+    <!-- Make import range expression -->
+    <prop name="import_low" value="${version}" find="-SNAPSHOT" replace=".0.[0-9]+"/>
+    <prop name="import_low" value="${import_low}" find="\." replace="\\."/>
+    <prop name="import_max" value="${maxVersion}" find="-SNAPSHOT" replace=".0.[0-9]+"/>
+    <prop name="import_max" value="${import_max}" find="\." replace="\\."/>
+    <prop name="import_range" value="^\[${import_low}\,${import_max}\)"/>
+
+    <jar file="${ENV.BCHOME}/libs/jakarta.activation-api-2.0.0.jar"/>
+    <jar file="${ENV.BCHOME}/libs/jakarta.mail-2.0.1.jar"/>
+    <jar file="${ENV.BCHOME}/core/build/libs/core-${version}.jar"/>
+    <jar file="${ENV.BCHOME}/core/build/libs/core-${version}.jar"/>
+    <jar file="${ENV.BCHOME}/jmail/build/libs/bcjmail-jdk18on-${version}.jar"/>
+    <jar file="${ENV.BCHOME}/mls/build/libs/bcmls-jdk18on-${version}.jar"/>
+    <jar file="${ENV.BCHOME}/pg/build/libs/bcpg-jdk18on-${version}.jar"/>
+    <jar file="${ENV.BCHOME}/pkix/build/libs/bcpkix-jdk18on-${version}.jar"/>
+    <jar file="${ENV.BCHOME}/prov/build/libs/bcprov-jdk18on-${version}.jar"/>
+    <jar file="${ENV.BCHOME}/tls/build/libs/bctls-jdk18on-${version}.jar"/>
+    <jar file="${ENV.BCHOME}/util/build/libs/bcutil-jdk18on-${version}.jar"/>
+
+    <bundle matches="^bcprov" version="${bundle_ver}">
+        <ignore-package package="^mls_client"/>
+        <ignore-package package="^org\.bouncycastle\.mls\.client"/>
+
+        <header key="Bundle-Version" matches="${bundle_ver}"/>
+
+        <header key="Export-Package" matches=".*" on-undefined="fail">
+            <package matches="^org\.bouncycastle\.*" param="version" test="${bundle_ver}" on-match="pass"
+                     on-undefined="fail"/>
+        </header>
+
+    </bundle>
+
+
+    <bundle matches="^bc(jmail|mls|pg|pkix|tls|util)" version="${bundle_ver}">
+        <ignore-package package="^mls_client"/>
+        <ignore-package package="^org\.bouncycastle\.mls\.client"/>
+
+        <header key="Bundle-Version" matches="${bundle_ver}"/>
+
+        <header key="Export-Package" matches=".*" on-undefined="fail">
+            <package matches="^org\.bouncycastle\.*" param="version" test="${bundle_ver}" on-match="pass"
+                     on-undefined="fail"/>
+        </header>
+
+        <header key="Import-Package" matches=".*" on-undefined="fail">
+            <package matches="^org\.bouncycastle\.*" param="version" test="${import_range}" on-match="pass"
+                     on-undefined="fail"/>
+        </header>
+
+
+    </bundle>
+
+</osgiscanner>

pkix/src/main/java/org/bouncycastle/openssl/PEMParser.java

@@ -10,7 +10,7 @@
 import java.util.Set;
 import java.util.StringTokenizer;
 
-import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1BitString;
 import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.ASN1Primitive;
@@ -110,22 +110,19 @@ public Object readObject()
         throws IOException
     {
         PemObject obj = readPemObject();
+        if (obj == null)
+        {
+            return null;
+        }
 
-        if (obj != null)
+        String type = obj.getType();
+        Object pemObjectParser = parsers.get(type);
+        if (pemObjectParser == null)
         {
-            String type = obj.getType();
-            Object pemObjectParser = parsers.get(type);
-            if (pemObjectParser != null)
-            {
-                return ((PemObjectParser)pemObjectParser).parseObject(obj);
-            }
-            else
-            {
-                throw new IOException("unrecognised object: " + type);
-            }
+            throw new IOException("unrecognised object: " + type);
         }
 
-        return null;
+        return ((PemObjectParser)pemObjectParser).parseObject(obj);
     }
 
     /**
@@ -268,16 +265,14 @@ public PEMKeyPair parse(byte[] encoding)
                     pKey.getParametersObject());
                 PrivateKeyInfo privInfo = new PrivateKeyInfo(algId, pKey);
 
-                if (pKey.getPublicKey() != null)
+                ASN1BitString publicKey = pKey.getPublicKey();
+                SubjectPublicKeyInfo pubInfo = null;
+                if (publicKey != null)
                 {
-                    SubjectPublicKeyInfo pubInfo = new SubjectPublicKeyInfo(algId, pKey.getPublicKey().getBytes());
-
-                    return new PEMKeyPair(pubInfo, privInfo);
-                }
-                else
-                {
-                    return new PEMKeyPair(null, privInfo);
+                    pubInfo = new SubjectPublicKeyInfo(algId, publicKey.getBytes());
                 }
+
+                return new PEMKeyPair(pubInfo, privInfo);
             }
             catch (IOException e)
             {
@@ -353,9 +348,10 @@ public Object parseObject(PemObject obj)
         {
             try
             {
+                AlgorithmIdentifier algId = new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE);
                 RSAPublicKey rsaPubStructure = RSAPublicKey.getInstance(obj.getContent());
 
-                return new SubjectPublicKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, DERNull.INSTANCE), rsaPubStructure);
+                return new SubjectPublicKeyInfo(algId, rsaPubStructure);
             }
             catch (IOException e)
             {
@@ -475,9 +471,7 @@ public Object parseObject(PemObject obj)
         {
             try
             {
-                ASN1InputStream aIn = new ASN1InputStream(obj.getContent());
-
-                return ContentInfo.getInstance(aIn.readObject());
+                return ContentInfo.getInstance(obj.getContent());
             }
             catch (Exception e)
             {
@@ -508,7 +502,7 @@ public Object parseObject(PemObject obj)
 
                 if (param instanceof ASN1ObjectIdentifier)
                 {
-                    return ASN1Primitive.fromByteArray(obj.getContent());
+                    return param;
                 }
                 else if (param instanceof ASN1Sequence)
                 {

pkix/src/main/java/org/bouncycastle/pkcs/PKCS10CertificationRequest.java

@@ -80,7 +80,7 @@ private static ASN1Encodable getSingleValue(Attribute at)
     }
 
     /**
-     * Create a PKCS10CertificationRequestHolder from an underlying ASN.1 structure.
+     * Create a PKCS10CertificationRequest from an underlying ASN.1 structure.
      *
      * @param certificationRequest the underlying ASN.1 structure representing a request.
      */
@@ -134,7 +134,7 @@ public PKCS10CertificationRequest(CertificationRequest certificationRequest)
     }
 
     /**
-     * Create a PKCS10CertificationRequestHolder from the passed in bytes.
+     * Create a PKCS10CertificationRequest from the passed in bytes.
      *
      * @param encoded BER/DER encoding of the CertificationRequest structure.
      * @throws IOException in the event of corrupted data, or an incorrect structure.

pkix/src/test/java/org/bouncycastle/openssl/test/ParserTest.java

@@ -301,7 +301,7 @@ public void performTest()
         {
             if (privInfo instanceof PrivateKeyInfo)
             {
-                privKey = (RSAPrivateCrtKey)converter.getPrivateKey(PrivateKeyInfo.getInstance(privInfo));
+                privKey = (RSAPrivateCrtKey)converter.getPrivateKey((PrivateKeyInfo)privInfo);
             }
             else
             {

prov/src/main/java/org/bouncycastle/pqc/jcajce/spec/SPHINCSPlusParameterSpec.java

@@ -21,8 +21,8 @@ public class SPHINCSPlusParameterSpec
     public static final SPHINCSPlusParameterSpec sha2_256f_robust = new SPHINCSPlusParameterSpec("sha2-256f-robust");
     public static final SPHINCSPlusParameterSpec sha2_256s_robust = new SPHINCSPlusParameterSpec("sha2-256s-robust");
 
-    public static final SPHINCSPlusParameterSpec sha2_128f = new SPHINCSPlusParameterSpec("sha2-128s");
-    public static final SPHINCSPlusParameterSpec sha2_128s = new SPHINCSPlusParameterSpec("sha2-128f");
+    public static final SPHINCSPlusParameterSpec sha2_128f = new SPHINCSPlusParameterSpec("sha2-128f");
+    public static final SPHINCSPlusParameterSpec sha2_128s = new SPHINCSPlusParameterSpec("sha2-128s");
 
     public static final SPHINCSPlusParameterSpec sha2_192f = new SPHINCSPlusParameterSpec("sha2-192f");
     public static final SPHINCSPlusParameterSpec sha2_192s = new SPHINCSPlusParameterSpec("sha2-192s");