JCE Signing Expire in 7u80 (was: Bouncy Castle Crypto Provider Package version 1.65 now available)

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

JCE Signing Expire in 7u80 (was: Bouncy Castle Crypto Provider Package version 1.65 now available)

Eckenfels. Bernd
Hello Jon,

congrats to the release! :)

I have a question, maybe somebody knows this:

> Please also note the JCE certificate in the public access versions of
> Oracle Java 6 (6u45) and Oracle Java 7 (7u80) is expiring on the 20th
> April this year (2020).

I just tested this with 7u80 and I can see that jarsigner -verify shows this expire date. However when I run a Cipher test program I can still use AES with SunJCE and BC. I can also see the registered BC provider. So is there any enforcing in the JDK, what will fail after 2020-04-25(!)?

BTW 7u80 jarsigner says unsigned for bcprov-jdk15on-1.64.jar - it shows signatures for jdk15to18, is this what "jdk5to11" is for?

bcprov-jdk14-1.45.jar
      X.509, CN=The Legion of the Bouncy Castle, OU=Java Software Code Signing, O=Sun Microsystems Inc
      [certificate expired on 18/03/13 21:58]
      X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
      [certificate expired on 25/04/20 09:00]

bcprov-jdk15to18-165.jar
   [entry was signed on 31/03/20 06:35]
   X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Sun Microsystems Inc
   [certificate is valid from 11/03/17 02:15 to 25/04/20 09:00]
   X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
   [certificate is valid from 25/04/01 09:00 to 25/04/20 09:00]
   [CertPath not validated: Path does not chain with any of the trust anchors]


Testcode

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Security;

import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.SecretKeySpec;

import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class AesTest
{

    public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeExc
eption, BadPaddingException, NoSuchProviderException
    {
        Security.addProvider(new BouncyCastleProvider());
        Cipher c = Cipher.getInstance("AES","BC");
        // UNSECURE!
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[128/8], "AES"));
        byte[] r = c.doFinal("test".getBytes());
        System.out.println(" r0" + r[0]);
    }
}
--
http://www.seeburger.com
________________________________________
From: Jon Eaves [[hidden email]]
Sent: Wednesday, April 01, 2020 06:24
To: [hidden email]; [hidden email]
Subject: [dev-crypto] Bouncy Castle Crypto Provider Package version 1.65 now available

Hello everybody,

Release 1.65 is now out.

This release is primarily about the TLS APIs and the BCJSSE provider.
API support has been added for specifying sessions on resumption,
Ed25519/Ed448 is now supported for TLS and additional work has been done
on the handling of SNI and OCSP stapling. Additional work has been done
to improve operation with Java 11+, including a fix for RSA PSS and
support for the XECKey interfaces. Support has been added for LMS/HSS
post-quantum algorithms (RFC 8554) and for SipHash128. In addition some
failures that could occur for specific payload sizes with
ChaCha20Poly1305 have been fixed.

Please also note the JCE certificate in the public access versions of
Oracle Java 6 (6u45) and Oracle Java 7 (7u80) is expiring on the 20th
April this year (2020). Oracle does distribute JVMs for Java 6 (6u131)
and Java 7 (7u121) which includes a newer, and stronger, certificate to
holders of Java Support Contracts.

Further details on other additions and bug fixes can be found in the
release notes at:

https://www.bouncycastle.org/releasenotes.html

Thanks also goes to other people and organisations who have
contributed/donated to the project and you can find the updated list at

https://www.bouncycastle.org/contributors.html

We would also like to thank holders of Crypto Workshop support contracts
as we were again able to fund extra work on this release through time
available from those.

For the actual release and other details go to our latest releases page:

https://www.bouncycastle.org/latest_releases.html

And for those who like living on the bleeding edge, the betas for future
releases can be downloaded from:

https://www.bouncycastle.org/betas/

and changes to the code base can be tracked via:

https://github.com/bcgit

On the FIPS front, work on Java FIPS 2.0.0 has now begun. This release
will incorporate more of the features found in Java 11 and later.
Details on future plans can be found at:

https://www.bouncycastle.org/fips_java_roadmap.html

We are looking to raise money for the NIST recovery fees for our next
certification. If you are interested helping support the Bouncy Castle
project through donation, you can find the details on how to donate via
PayPal or Bitcoin, at:

https://www.bouncycastle.org/donate

The Legion of the Bouncy Castle Inc is a registered Australian
charity based in the State of Victoria, Australia.

If you wish to sponsor specific work on Bouncy Castle, get early access
to the FIPS APIs under development, or get a commercial support contract
for the APIs please contact us at Crypto Workshop
(https://www.cryptoworkshop.com ) details about support can be found at:

https://www.cryptoworkshop.com/support_faq.html

Remember, you can also follow this project on Facebook (
https://www.facebook.com/legionofthebouncycastle ), and/or Twitter (
https://twitter.com/bccrypto ).

Finally, for users of the maven repositories, 1.65 should be appearing
shortly on maven central. The GitHub repository has been updated as well.












SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Axel Otto, Dr. Martin Kuntz, Matthias Feßenbecker
Edisonstr. 1
D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
Fax: 07252 / 96 - 2222
Internet: http://www.seeburger.de               Registergericht/Commercial Register:
e-mail: [hidden email]               HRB 240708 Mannheim


Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.


This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.

Reply | Threaded
Open this post in threaded view
|

Re: JCE Signing Expire in 7u80 (was: Bouncy Castle Crypto Provider Package version 1.65 now available)

David Hook-3


Yes, so the bcprov-jdk15on jar is not recognised by some earlier JVMs
now as it can't understand the stronger certificates and the
timestamping. The jdk15to18 jars is a compromise for this (it's not a
mulit-release jar and it's signed using Oracle Java 7 (7u80) to ensure
that the signature, as "old school" as it is, allows the provider jar to
function).

In terms of what happens when the date arrives, we've been told that
things will start complaining about the expired certificate, but will
still continue to work. If you are using the Oracle Java 6 or Java 7 in
production though it's also worth considering that the supported
releases are now at 6u131 and 7u120. In addition to being able to deal
with stronger signature algorithms, it's likely there have been many
other patches to both these as well and at least some of these will be
security related.

Regards,

David

On 1/4/20 10:16 pm, Eckenfels. Bernd wrote:

> Hello Jon,
>
> congrats to the release! :)
>
> I have a question, maybe somebody knows this:
>
>> Please also note the JCE certificate in the public access versions of
>> Oracle Java 6 (6u45) and Oracle Java 7 (7u80) is expiring on the 20th
>> April this year (2020).
> I just tested this with 7u80 and I can see that jarsigner -verify shows this expire date. However when I run a Cipher test program I can still use AES with SunJCE and BC. I can also see the registered BC provider. So is there any enforcing in the JDK, what will fail after 2020-04-25(!)?
>
> BTW 7u80 jarsigner says unsigned for bcprov-jdk15on-1.64.jar - it shows signatures for jdk15to18, is this what "jdk5to11" is for?
>
> bcprov-jdk14-1.45.jar
>       X.509, CN=The Legion of the Bouncy Castle, OU=Java Software Code Signing, O=Sun Microsystems Inc
>       [certificate expired on 18/03/13 21:58]
>       X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
>       [certificate expired on 25/04/20 09:00]
>
> bcprov-jdk15to18-165.jar
>    [entry was signed on 31/03/20 06:35]
>    X.509, CN=Legion of the Bouncy Castle Inc., OU=Java Software Code Signing, O=Sun Microsystems Inc
>    [certificate is valid from 11/03/17 02:15 to 25/04/20 09:00]
>    X.509, CN=JCE Code Signing CA, OU=Java Software Code Signing, O=Sun Microsystems Inc, L=Palo Alto, ST=CA, C=US
>    [certificate is valid from 25/04/01 09:00 to 25/04/20 09:00]
>    [CertPath not validated: Path does not chain with any of the trust anchors]
>
>
> Testcode
>
> import java.security.InvalidKeyException;
> import java.security.NoSuchAlgorithmException;
> import java.security.NoSuchProviderException;
> import java.security.Security;
>
> import javax.crypto.BadPaddingException;
> import javax.crypto.Cipher;
> import javax.crypto.IllegalBlockSizeException;
> import javax.crypto.NoSuchPaddingException;
> import javax.crypto.spec.SecretKeySpec;
>
> import org.bouncycastle.jce.provider.BouncyCastleProvider;
>
> public class AesTest
> {
>
>     public static void main(String[] args) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, IllegalBlockSizeExc
> eption, BadPaddingException, NoSuchProviderException
>     {
>         Security.addProvider(new BouncyCastleProvider());
>         Cipher c = Cipher.getInstance("AES","BC");
>         // UNSECURE!
>         c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[128/8], "AES"));
>         byte[] r = c.doFinal("test".getBytes());
>         System.out.println(" r0" + r[0]);
>     }
> }
> --
> http://www.seeburger.com
> ________________________________________
> From: Jon Eaves [[hidden email]]
> Sent: Wednesday, April 01, 2020 06:24
> To: [hidden email]; [hidden email]
> Subject: [dev-crypto] Bouncy Castle Crypto Provider Package version 1.65 now available
>
> Hello everybody,
>
> Release 1.65 is now out.
>
> This release is primarily about the TLS APIs and the BCJSSE provider.
> API support has been added for specifying sessions on resumption,
> Ed25519/Ed448 is now supported for TLS and additional work has been done
> on the handling of SNI and OCSP stapling. Additional work has been done
> to improve operation with Java 11+, including a fix for RSA PSS and
> support for the XECKey interfaces. Support has been added for LMS/HSS
> post-quantum algorithms (RFC 8554) and for SipHash128. In addition some
> failures that could occur for specific payload sizes with
> ChaCha20Poly1305 have been fixed.
>
> Please also note the JCE certificate in the public access versions of
> Oracle Java 6 (6u45) and Oracle Java 7 (7u80) is expiring on the 20th
> April this year (2020). Oracle does distribute JVMs for Java 6 (6u131)
> and Java 7 (7u121) which includes a newer, and stronger, certificate to
> holders of Java Support Contracts.
>
> Further details on other additions and bug fixes can be found in the
> release notes at:
>
> https://www.bouncycastle.org/releasenotes.html
>
> Thanks also goes to other people and organisations who have
> contributed/donated to the project and you can find the updated list at
>
> https://www.bouncycastle.org/contributors.html
>
> We would also like to thank holders of Crypto Workshop support contracts
> as we were again able to fund extra work on this release through time
> available from those.
>
> For the actual release and other details go to our latest releases page:
>
> https://www.bouncycastle.org/latest_releases.html
>
> And for those who like living on the bleeding edge, the betas for future
> releases can be downloaded from:
>
> https://www.bouncycastle.org/betas/
>
> and changes to the code base can be tracked via:
>
> https://github.com/bcgit
>
> On the FIPS front, work on Java FIPS 2.0.0 has now begun. This release
> will incorporate more of the features found in Java 11 and later.
> Details on future plans can be found at:
>
> https://www.bouncycastle.org/fips_java_roadmap.html
>
> We are looking to raise money for the NIST recovery fees for our next
> certification. If you are interested helping support the Bouncy Castle
> project through donation, you can find the details on how to donate via
> PayPal or Bitcoin, at:
>
> https://www.bouncycastle.org/donate
>
> The Legion of the Bouncy Castle Inc is a registered Australian
> charity based in the State of Victoria, Australia.
>
> If you wish to sponsor specific work on Bouncy Castle, get early access
> to the FIPS APIs under development, or get a commercial support contract
> for the APIs please contact us at Crypto Workshop
> (https://www.cryptoworkshop.com ) details about support can be found at:
>
> https://www.cryptoworkshop.com/support_faq.html
>
> Remember, you can also follow this project on Facebook (
> https://www.facebook.com/legionofthebouncycastle ), and/or Twitter (
> https://twitter.com/bccrypto ).
>
> Finally, for users of the maven repositories, 1.65 should be appearing
> shortly on maven central. The GitHub repository has been updated as well.
>
>
>
>
>
>
>
>
>
>
>
>
> SEEBURGER AG            Vorstand/SEEBURGER Executive Board:
> Sitz der Gesellschaft/Registered Office:                Axel Haas, Michael Kleeberg, Axel Otto, Dr. Martin Kuntz, Matthias Feßenbecker
> Edisonstr. 1
> D-75015 Bretten         Vorsitzende des Aufsichtsrats/Chairperson of the SEEBURGER Supervisory Board:
> Tel.: 07252 / 96 - 0            Prof. Dr. Simone Zeuchner
> Fax: 07252 / 96 - 2222
> Internet: http://www.seeburger.de               Registergericht/Commercial Register:
> e-mail: [hidden email]               HRB 240708 Mannheim
>
>
> Dieses E-Mail ist nur für den Empfänger bestimmt, an den es gerichtet ist und kann vertrauliches bzw. unter das Berufsgeheimnis fallendes Material enthalten. Jegliche darin enthaltene Ansicht oder Meinungsäußerung ist die des Autors und stellt nicht notwendigerweise die Ansicht oder Meinung der SEEBURGER AG dar. Sind Sie nicht der Empfänger, so haben Sie diese E-Mail irrtümlich erhalten und jegliche Verwendung, Veröffentlichung, Weiterleitung, Abschrift oder jeglicher Druck dieser E-Mail ist strengstens untersagt. Weder die SEEBURGER AG noch der Absender (Eckenfels. Bernd) übernehmen die Haftung für Viren; es obliegt Ihrer Verantwortung, die E-Mail und deren Anhänge auf Viren zu prüfen.
>
>
> This email is intended only for the recipient(s) to whom it is addressed. This email may contain confidential material that may be protected by professional secrecy. Any fact or opinion contained, or expression of the material herein, does not necessarily reflect that of SEEBURGER AG. If you are not the addressee or if you have received this email in error, any use, publication or distribution including forwarding, copying or printing is strictly prohibited. Neither SEEBURGER AG, nor the sender (Eckenfels. Bernd) accept liability for viruses; it is your responsibility to check this email and its attachments for viruses.
>