For more security spongycastle -> bouncycastle #1870
Comments
|
Hmmm... this is a hard one. We chose to use spongycastle since we need to use updated BouncyCastle for updated crypto code not available from stock BouncyCastle, which versions differ with different Android versions. Happy to know if there is a way to use updated BouncyCastle without letting Android apps ignore the version we want to use, but always fall back to Android's own BouncyCastle. |
|
@TranceLove: Thanks for your comment! Since several years, a lot of projects have already moved from Spongy Castle to Bouncy Castle because the project is dead. You can see discussion "34" in https://github.com/rtyley/spongycastle/issues. |
|
Thanks @Neustradamus, @rtyley/spongycastle#34 and a quick Google/StackOverflow both pointed to a node.js module to help building bouncycastle at their own namespace: @jbuhacoff/nodejs-mybc-util Let's see when I have time to make our own bouncycastle jars. |
TranceLove
added
Area-CodeHealth
|
@TranceLove: nodejs-mybc-util is optional because a lot of projects have been migrated without... |
Fixes TeamAmaze#1870. Steps to reproduce the required jars: (assume Ubuntu here) 1. install openjdk-8-jdk, maven, ant, git 2a. curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash - 2b. sudo apt-get install -y nodejs 3. install mybc: sudo npm install -g @jbuhacoff/mybc 4. git clone https://github.com/bcgit/bc-java && cd bc-java 5. git checkout r1v65 (as of Apr 2020, latest release version is 1.65) 6. mybc prebuild --providerName SC --packageName org.spongycastle --displayName SpongyCastle 7. bash ./build15+ 8. mybc postbuild --groupId com.madgag.spongycastle 9. find the jars in $HOME/.m2/repository, copy bc{prix,prov}-jdk15on-{latestReleaseVersion}.jar to app/libs, replace any previous versions of the jars 10. resync, rebuild as usual Tested on Fairphone 3 running LineageOS 16 GSI establishing SSH connection to home server; also tested with Robolectric and Espresso tests that depends on crypto libraries (with the help of TeamAmaze#1831).
|
@TranceLove: Not possible to add directly in gradle? |
Sorry for overlooking - that the discussion mentioned above actually pointed out that there is no namespace collision since Android 3.0. I then tried a bit, seems promising. But is getting Espresso test failures on Kitkat - Will retract #1874 after tests passed using changeset from #1831. |
Fixes TeamAmaze#1870. Per - Remove stock Bouncycastle provider bundled with Android - Register updated Bouncycastle provider as first crypto provider available - Remove proguard config related to Spongycastle - Update code to obtain crypto provider directly without prefix
|
Great, thanks for looking into this @TranceLove |
Fixes #1870. Per - Remove stock Bouncycastle provider bundled with Android - Register updated Bouncycastle provider as first crypto provider available - Remove proguard config related to Spongycastle - Update code to obtain crypto provider directly without prefix
|
@TranceLove, @VishalNehra, @bowiechen: Thanks a lot! |
A continuation of TeamAmaze#1870, remove any other SpongyCastle references in code comments
Fixes TeamAmaze#1870. Per - Remove stock Bouncycastle provider bundled with Android - Register updated Bouncycastle provider as first crypto provider available - Remove proguard config related to Spongycastle - Update code to obtain crypto provider directly without prefix
A continuation of TeamAmaze#1870, remove any other SpongyCastle references in code comments
For more security, can you change old spongycastle (based on old bouncycastle) to bouncycastle?
The text was updated successfully, but these errors were encountered: