David Hook
David Hook
Thanks for the report, and thanks for your efforts in putting together the example, however this is the wrong place for the bug report. If you replace: if (!csd.verifySignatures(vProv)) {...
Peter's correct about this. That said I'd recommend outputting messages DER sorted - some recipients can't re-encode, but can at least validate the stream as DER, where this limitation applies...
1.0.3 is currently suspended. 2.0.0 is available for early access and will be made available on Maven when it's finally certified. As to when that happens, 2.0.0 was submitted in...
Yes. The ACVP certificate for 2.0.0 is here: https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?validation=37009
It depends a lot on how they are being used as to whether you'd have issues. I would certainly not recommend using multiple versions like this, if only because it...
Appears dead.
This is now fixed in the early access version. Still in negotiations about organizing a release date.
If you've got a support contract 1.0.2.5 is now in early access, otherwise you'll need to role back to 1.0.2.3.
Yes, in 1.0.2.4 - note the CVE only applies if you are running Java 17.
Details about support and early access are available here https://www.keyfactor.com/open-source/bouncy-castle-support/ Contracts start at 25K USD. I'd guess we're currently looking at about 6 months for public release - the changes...