
For more security spongycastle -> bouncycastle #325

Closed
Neustradamus opened this issue Apr 13, 2020 · 7 comments
@Neustradamus commented Apr 13, 2020

Dear Wultra,

I do not understand in:

There is:
powerauth-java-prov - A technical module exporting an interface for a generic provider implementation. This is needed in order to be able to have the same cryptography module for Java SE / Java EE and Android (that requires SpongyCastle).

-> SpongyCastle is a dead project with CVEs and it was a fork of BouncyCastle (always developed).

Can you change it to BouncyCastle?

It is really bad to speak about SpongyCastle for security, it is better to speak about BouncyCastle.

In addition:
* And we don't want to include Spongy Castle (https://rtyley.github.io/spongycastle)

Information:

@petrdvorak (Member)

Hello @Neustradamus, in the current "develop" version, the SpongyCastle dependency is already removed along with the crypto provider abstraction layer. We need to update the docs to reflect that. Also, SpongyCastle was never included in the project automatically; it was a "provided" dependency. It was just allowed to use this; this was handy mostly for some Android tests, but nothing that we had to keep (hence it is removed).

Also, please note that this is a server-side project. All server-side projects use BouncyCastle and nothing else for a long time. For the client-side project (mobile app), we use OpenSSL and low-level crypto on both iOS and Android (bridge via NDK). Please follow the docs here for more info about the client-side implementation: https://github.com/wultra/powerauth-mobile-sdk

Finally, please let us know more about your project ([email protected]). We would be interested in how you are using our libraries! :)
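As an illustration of the server-side setup this reply describes (BouncyCastle as the only JCA provider, SpongyCastle not bundled), here is an added example that is not code from the PowerAuth project. It registers the BouncyCastle provider if it is missing, fails fast if the abandoned SpongyCastle provider is also registered on the same JVM, and confirms which provider actually serves a cipher request. It assumes the BouncyCastle provider artifact (`bcprov`) is on the classpath; the class and method names are my own, and the provider short names "BC" and "SC" are the ones the two libraries register under.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Hypothetical startup check (not part of the project): make sure the
// maintained BouncyCastle provider is present and the dead SpongyCastle
// fork is not silently registered alongside it.
public final class CryptoProviderCheck {

    // JCA provider names: BouncyCastle registers as "BC", SpongyCastle as "SC".
    static final String BOUNCY_CASTLE = "BC";
    static final String SPONGY_CASTLE = "SC";

    /** Registers BouncyCastle if no provider named "BC" is installed yet. */
    static void ensureBouncyCastle() {
        if (Security.getProvider(BOUNCY_CASTLE) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    /** True if the legacy SpongyCastle provider is registered in this JVM. */
    static boolean spongyCastlePresent() {
        return Security.getProvider(SPONGY_CASTLE) != null;
    }

    /** Name of the provider that would serve the given transformation from "BC". */
    static String providerFor(String transformation) throws Exception {
        Cipher cipher = Cipher.getInstance(transformation, BOUNCY_CASTLE);
        return cipher.getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        ensureBouncyCastle();
        if (spongyCastlePresent()) {
            // Refuse to run with an unmaintained provider on the classpath.
            throw new IllegalStateException("legacy SpongyCastle provider 'SC' is registered");
        }
        // List every installed provider so the deployment can be audited.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + ": " + p.getInfo());
        }
        System.out.println("AES-GCM served by: " + providerFor("AES/GCM/NoPadding"));
    }
}
```

Compile and run it with the BouncyCastle provider jar on the classpath. Requesting the cipher from "BC" by name, rather than letting the JCA pick the first matching provider, is what makes the check meaningful: it proves the code path really uses BouncyCastle rather than whichever provider happens to be ordered first.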

@Neustradamus (Author)

@petrdvorak: Thanks for your reply!
Please inform me when it is done, normally we close the ticket after ;)

@petrdvorak (Member)

@Neustradamus The implementation is done already, it was done in PR #322 (closing #270). I opened a new ticket #326 for the documentation improvements.

@Neustradamus (Author)

@petrdvorak: Thanks, if all companies were like you!
But it is not complete yet; the previously published links still contain SpongyCastle information ^^

@petrdvorak (Member)

@Neustradamus Yes, this is why I opened #326, to check the documentation files and fix those. In the "master" branch, the changes will be visible on the next release (04-05/2020).

Just to repeat the important thing here for the record: We did not bundle SpongyCastle into any projects. We just allowed its usage via a provided dependency and a crypto provider abstraction (that we recently removed).

@Neustradamus (Author)

@petrdvorak: Yes yes, it is good.
My original request was to remove promotion of SpongyCastle and indicate BouncyCastle, but it is good :)

@Neustradamus (Author)

@petrdvorak: Can you update to 1.69?
