
bc-fips 1.0.2.5 not documented on www.bouncycastle.org

Open sfc-gh-jzana opened this issue 1 year ago • 8 comments

Converting this to an issue. Can we please get release notes for bc-fips 1.0.2.5 ?

Discussed in https://github.com/bcgit/bc-java/discussions/1678

Originally posted by sfc-gh-jzana May 23, 2024

Hi there, I see a version 1.0.2.5 of bc-fips on Maven Central but no mention of it on the bouncycastle website. I would expect it to be listed under both Downloads and Release notes here. Are there release notes available elsewhere? Should I log an Issue requesting release notes? In particular, I would like to check if a few security vulnerabilities have been addressed.

Thanks! Josh

sfc-gh-jzana avatar May 29 '24 18:05 sfc-gh-jzana

Here's the current ones. I'm a bit hesitant about doing anything more "official" as BC-FJA 1.0.2.5 is not certified yet.

RELEASE_NOTES.md

dghgit avatar Jun 03 '24 03:06 dghgit

@dghgit thanks! I don't see any mention of CVE-2024-30171 in there. Do you know if this release addresses the vulnerability?

See https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9030171 and https://github.com/bcgit/bc-java/issues/1528

Apologies if this is not relevant to bc-fips. I'm not clear on the exact breakdown of the different libraries here.

sfc-gh-jzana avatar Jun 03 '24 04:06 sfc-gh-jzana

Yes, it's not relevant for the FIPS APIs.

dghgit avatar Jun 03 '24 05:06 dghgit

@dghgit I tried searching for a 1.0.2.5 certification process request in https://csrc.nist.gov/ but couldn't find any.

Can you please clarify whether the version is going to be certified in future? If so, is there a certification request that is currently open?

rakcheru avatar Aug 24 '24 11:08 rakcheru

Our lab got suspended... I gather this will be resolved soon, that said, 1.0.2.4 is now historical, so I'm not sure what effect that will have on 1.0.2.5 as the 140-2 certificate will not be extended. I would recommend moving to 2.0.0 if you can.

dghgit avatar Aug 24 '24 19:08 dghgit

I have been waiting for the bc-fips-1.0.2.5.jar and have been using bc-fips-1.0.2.3.jar in the meantime. The bc-fips-1.0.2.4.jar had a FipsSelfTestFailedError (see issue #1532). In issue #1592 I was told "Yes" to the following question (in bold):

**I found these somewhat equivalent classes in bc-fips-1.0.2.3.jar:**

```java
import org.bouncycastle.crypto.SymmetricKey;
import org.bouncycastle.crypto.SymmetricSecretKey;
import org.bouncycastle.crypto.fips.FipsAES;
import org.bouncycastle.crypto.fips.FipsMACOperatorFactory;
import org.bouncycastle.crypto.fips.FipsOutputMACCalculator;
```

**Will these classes be carried forward "as is" to bc-fips-1.0.2.5.jar?** (Answer: Yes)

So, now my questions are:

Is this also true for the 2.0.0 version?

Also, what will happen to bc-fips-1.0.2.5.jar?

Thanks.

smartycardpants avatar Sep 03 '24 19:09 smartycardpants
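For readers checking the same API-compatibility question, the following is an added example (not code from this thread or from the Bouncy Castle project) showing how the five classes listed above fit together to compute and verify an AES-CMAC tag. The call sequence follows the BC FIPS API user guide as I recall it and is an assumption to verify against the jar you actually deploy; the key bytes and message are constructed test values, not real secrets.

```java
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import org.bouncycastle.crypto.SymmetricKey;
import org.bouncycastle.crypto.SymmetricSecretKey;
import org.bouncycastle.crypto.fips.FipsAES;
import org.bouncycastle.crypto.fips.FipsMACOperatorFactory;
import org.bouncycastle.crypto.fips.FipsOutputMACCalculator;

public class FipsCmacExample {

    // Constructed 128-bit key for illustration only; a real key comes from a keystore or KMS.
    private static final byte[] TEST_KEY = {
        0x2b, 0x7e, 0x15, 0x16, 0x28, (byte) 0xae, (byte) 0xd2, (byte) 0xa6,
        (byte) 0xab, (byte) 0xf7, 0x15, (byte) 0x88, 0x09, (byte) 0xcf, 0x4f, 0x3c
    };

    // Compute an AES-CMAC tag over 'message' using the FIPS-approved operator factory.
    public static byte[] cmac(byte[] keyBytes, byte[] message) throws Exception {
        // Bind the raw key to the CMAC parameter set so it cannot be misused for another mode.
        SymmetricKey key = new SymmetricSecretKey(FipsAES.CMAC, keyBytes);

        FipsMACOperatorFactory<FipsAES.AuthParameters> factory = new FipsAES.MACOperatorFactory();
        FipsOutputMACCalculator<FipsAES.AuthParameters> calculator =
            factory.createOutputMACCalculator(key, FipsAES.CMAC);

        // Data is streamed into the calculator; closing the stream finalises the tag.
        try (OutputStream macStream = calculator.getMACStream()) {
            macStream.write(message);
        }
        return calculator.getMAC();
    }

    // Verify a received tag in constant time; never compare MACs with Arrays.equals.
    public static boolean verify(byte[] keyBytes, byte[] message, byte[] expectedTag) throws Exception {
        return MessageDigest.isEqual(cmac(keyBytes, message), expectedTag);
    }

    public static void main(String[] args) throws Exception {
        byte[] message = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        byte[] tag = cmac(TEST_KEY, message);

        System.out.println("tag length (bytes): " + tag.length);
        System.out.println("round-trip verify:  " + verify(TEST_KEY, message, tag));

        // A single flipped bit in the message must fail verification.
        message[0] ^= 0x01;
        System.out.println("tampered verify:    " + verify(TEST_KEY, message, tag));
    }
}
```

Compiling this once against bc-fips-1.0.2.3, once against 1.0.2.5 and once against 2.0.0 is a quick way to confirm the "carried forward as is" answer for the classes you depend on; if a signature changed, the build breaks rather than the runtime.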

The above are all in bc-fips-2.0.0.jar

1.0.2.5 will remain available on Maven Central. Certification has had to be abandoned for reasons outside of our control, for the moment we're concentrating on adding PQC to the 2.X.X series.

dghgit avatar Sep 03 '24 22:09 dghgit

Thanks :)

smartycardpants avatar Sep 11 '24 12:09 smartycardpants