Updating BouncyCastle dependency in iText

Amedee Van Gasse
Hi list!

I am a QA Engineer at iText Software. In our product iText, a Java/C# SDK
for PDF files, we use BouncyCastle for crypto.

Currently we have 2 product lines:
iText 5 - 5.5.11 released 2017-03-20, maintenance mode (EOL 2018-12-31)
iText 7 - 7.0.2 released 2017-02-14, current development

In both versions we have a dependency on BouncyCastle 1.49, which was
released 2013-06-01. We haven't really kept up with current
BouncyCastle, for the simple reason that It Just Works.

For iText 7.1.0 we are investigating a possible upgrade to BC 1.56 (or
1.57 if that is a close target), but no decision has been made yet. I
have already gone through the release notes on
https://www.bouncycastle.org/releasenotes.html, but I am also looking
for very specific pitfalls like breaking API changes, such as there have
been in the past (I think 1.47 did some API breaks - see
http://www.bouncycastle.org/wiki/display/JA1/Porting+from+earlier+BC+releases+to+1.47+and+later).

I also remember having a conversation with a BouncyCastle contributor a
couple of months ago, and they generously proposed to do a pull request
on our GitHub repo of iText 5, to update the BC dependency. I declined,
because there is a feature freeze on iText 5. Unfortunately I don't
remember their name, and I don't remember where that conversation
happened: on a mailing list, on Stack Overflow, on GitHub? If you
recognize yourself, please get in touch, we would accept your pull
request for iText 7 (https://github.com/itext/itext7).

Just to be clear: if nobody contributes then we will do the update
ourselves anyway, but if someone contributes then your name will be in
the commit log and you'll be mentioned in our quarterly overview of top
contributors. :)
This is not intended to get cheap labor either. We are prepared for
possible API breaks, updates to our test suite, etc. Those might take
a lot of work and *will* be done by iText. This is just about a short
pull request to update the POM file. We just want to show our love to
the Open Source community. :)

--
Amedee Van Gasse
QA Engineer | iText Software BVBA
[hidden email]
http://itextpdf.com


Re: Updating BouncyCastle dependency in iText

Eugene Grosbein
On 18.04.2017 16:43, Amedee Van Gasse wrote:
> Hi list!
>
> I am a QA Engineer at iText Software. In our product iText, a Java/C# SDK
> for PDF files, we use BouncyCastle for crypto.
>
> Currently we have 2 product lines:
> iText 5 - 5.5.11 released 2017-03-20, maintenance mode (EOL 2018-12-31)
> iText 7 - 7.0.2 released 2017-02-14, current development

Just for your information: some time ago I struggled trying to sign an existing
PDF document with a PKCS#12 based on GOST3410/3411 using iText PDF and BouncyCastle.

I discovered a bug in iText PDF, both 5.5.9 and 7.0.0 being the latest at that time,
that led to a corrupted crypto hash in the resulting PDF because the itextpdf library
silently replaced ECGOST3410 with ECDSA while generating the signature.

I solved my problem with little local patches to itextpdf, allowing me
to fix the breakage with a new setEncryptionAlgorithm() method. You can get these
patches here:

http://www.grosbein.net/signpdf/patches-5.5.9/
http://www.grosbein.net/signpdf/patches-7.0.0/

A detailed description of the case is also available in my blog post.
It's in Russian, but AFAIR there are Russian-speaking developers at iText:

http://dadv.livejournal.com/207651.html

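Added example, not code from the thread or from iText or BouncyCastle: a defender-side consistency check written against the BouncyCastle CMS API that flags the failure Eugene describes, a SignerInfo whose signature algorithm OID (for example ECDSA) does not agree with the key algorithm in the signer's certificate (for example GOST R 34.10-2001). It assumes the caller has already pulled the DER PKCS#7 bytes out of the PDF signature dictionary's /Contents entry.

```java
import java.util.Collection;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.cryptopro.CryptoProObjectIdentifiers;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x9.X9ObjectIdentifiers;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSSignedData;
import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.util.Store;

/** Checks that each SignerInfo's signature algorithm agrees with the signer's key type. */
public final class SignatureAlgorithmConsistencyCheck {
    // pkcs7Der: DER PKCS#7/CMS bytes, i.e. the /Contents value of a PDF signature dictionary
    // (extraction from the PDF is left to the caller). Returns true only if every signer's
    // signature OID is compatible with the key OID in its embedded certificate.
    public static boolean signatureAlgorithmsMatchKeys(byte[] pkcs7Der) throws CMSException {
        CMSSignedData signedData = new CMSSignedData(pkcs7Der);
        Store<X509CertificateHolder> certs = signedData.getCertificates();
        for (SignerInformation signer : signedData.getSignerInfos().getSigners()) {
            Collection<X509CertificateHolder> matches = certs.getMatches(signer.getSID());
            if (matches.isEmpty()) return false; // no embedded signer cert: key type unknown
            X509CertificateHolder cert = matches.iterator().next();
            ASN1ObjectIdentifier keyAlg = cert.getSubjectPublicKeyInfo().getAlgorithm().getAlgorithm();
            ASN1ObjectIdentifier sigAlg = new ASN1ObjectIdentifier(signer.getEncryptionAlgOID());
            if (!isConsistent(keyAlg, sigAlg)) return false;
        }
        return true;
    }

    /** Key OID vs. signature OID compatibility for the key types this check knows about. */
    static boolean isConsistent(ASN1ObjectIdentifier keyAlg, ASN1ObjectIdentifier sigAlg) {
        if (CryptoProObjectIdentifiers.gostR3410_2001.equals(keyAlg)) {
            // A GOST R 34.10-2001 key must produce a GOST signature; an ECDSA OID here is the
            // silent substitution described in the thread and yields an unverifiable signature.
            return CryptoProObjectIdentifiers.gostR3411_94_with_gostR3410_2001.equals(sigAlg)
                || CryptoProObjectIdentifiers.gostR3410_2001.equals(sigAlg);
        }
        if (X9ObjectIdentifiers.id_ecPublicKey.equals(keyAlg)) {
            return X9ObjectIdentifiers.id_ecPublicKey.equals(sigAlg)
                || X9ObjectIdentifiers.ecdsa_with_SHA1.equals(sigAlg)
                || sigAlg.on(X9ObjectIdentifiers.ecdsa_with_SHA2);
        }
        if (PKCSObjectIdentifiers.rsaEncryption.equals(keyAlg)) {
            return sigAlg.on(PKCSObjectIdentifiers.pkcs_1); // rsaEncryption or shaXwithRSAEncryption
        }
        return false; // unknown key type: treat as inconsistent rather than pass silently
    }
}
```

Run this over a freshly signed PDF before shipping it; a false result means the signature will fail verification in readers regardless of whether the hash itself is intact.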


Re: Updating BouncyCastle dependency in iText

Amedee Van Gasse
On 18-04-17 at 12:24, Eugene Grosbein wrote:

> On 18.04.2017 16:43, Amedee Van Gasse wrote:
>> Hi list!
>>
>> I am a QA Engineer at iText Software. In our product iText, a Java/C# SDK
>> for PDF files, we use BouncyCastle for crypto.
>>
>> Currently we have 2 product lines:
>> iText 5 - 5.5.11 released 2017-03-20, maintenance mode (EOL 2018-12-31)
>> iText 7 - 7.0.2 released 2017-02-14, current development
>
> Just for your information: some time ago I struggled trying to sign an existing
> PDF document with a PKCS#12 based on GOST3410/3411 using iText PDF and BouncyCastle.
>
> I discovered a bug in iText PDF, both 5.5.9 and 7.0.0 being the latest at that time,
> that led to a corrupted crypto hash in the resulting PDF because the itextpdf library
> silently replaced ECGOST3410 with ECDSA while generating the signature.
>
> I solved my problem with little local patches to itextpdf, allowing me
> to fix the breakage with a new setEncryptionAlgorithm() method. You can get these
> patches here:
>
> http://www.grosbein.net/signpdf/patches-5.5.9/
> http://www.grosbein.net/signpdf/patches-7.0.0/
>
> A detailed description of the case is also available in my blog post.
> It's in Russian, but AFAIR there are Russian-speaking developers at iText:
>
> http://dadv.livejournal.com/207651.html
>

Somehow your email ended up in the spam folder, so my apologies for the
delay.
I invite you to submit your patches as a pull request, so you get proper
credit in the changelog:

https://github.com/itext/itextpdf/pulls
https://github.com/itext/itext7/pulls


--
Amedee Van Gasse
QA Engineer | iText Software BVBA
[hidden email]
http://itextpdf.com


Re: Updating BouncyCastle dependency in iText

Eugene Grosbein
On 24.04.2017 17:15, Amedee Van Gasse wrote:

> Somehow your email ended up in the spam folder, so my apologies for the
> delay.
> I invite you to submit your patches as a pull request, so you get proper
> credit in the changelog:
>
> https://github.com/itext/itextpdf/pulls
> https://github.com/itext/itext7/pulls

Well, I don't have any GitHub account (nor do I need one), and my patches serve me just fine,
but I doubt they are suitable for general usage in their current form.

I just would like to get some attention to the problem from someone at iText to pass it to the developers
for a real solution.

