[Bug 914685] New: current distro-release of BouncyCastle crypto provider incompatible with official release of openjdk v1.8.0.40~b10
http://bugzilla.suse.com/show_bug.cgi?id=914685

Bug ID: 914685
Summary: current distro-release of BouncyCastle crypto provider incompatible with official release of openjdk v1.8.0.40~b10
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: All
OS: openSUSE 13.2
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: grantksupport@operamail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

On

    lsb_release -rd
        Description: openSUSE 13.2 (Harlequin) (x86_64)
        Release: 13.2

I have installed only v1.8 jdk's

    rpm -qa | grep -i jdk | sort
        java-1_8_0-openjdk-1.8.0.40~b22-61.1.x86_64
        java-1_8_0-openjdk-devel-1.8.0.40~b22-61.1.x86_64
        java-1_8_0-openjdk-headless-1.8.0.40~b22-61.1.x86_64
        java-1_8_0-openjdk-javadoc-1.8.0.40~b22-61.1.noarch

Installing BouncyCastle crypto proceeds without error,

    zypper in bouncycastle
    rpm -qa | grep -i bouncycastle
        bouncycastle-1.46-13.1.3.noarch

But, BC ver < jdk15on-152b05, including latest release, is *not* compatible with jdk 1.8, failing tests:

    java \
     -classpath /usr/share/java/bcprov-jdk15on-151.jar:/usr/share/java/bctest-jdk15on-151.jar \
     org.bouncycastle.jce.provider.test.RegressionTest

    Picked up _JAVA_OPTIONS: -Xmx1024M
    Testing BouncyCastle Security Provider v1.51 version: 1.51
    FIPSDESTest: Okay
    DESEDE: Okay
    AES: Okay
    AEAD: Okay
    Camellia: Okay
    SEED: Okay
    AESSIC: Okay
    GOST28147: Okay
    PBETest: Okay
    BlockCipher: Okay
    Mac: Okay
    HMac: Okay
    SealedObject: Okay
    RSATest: Okay
    DH: Okay
    DHIES: Okay
    DSA/ECDSA: Okay
    ImplicitlyCA: Okay
    ECNR: Okay
    ECIES: Okay
    ECDSA5: Okay
    GOST3410/ECGOST3410: Okay
    ElGamal: Okay
    IES: Okay
    SigTest: Okay
    CertTest: BC/Sun hashCode test failed
    PKCS10CertRequest: Okay
    EncryptedPrivateKeyInfoTest: Okay
    KeyStore: Okay
    PKCS12Store: Okay
    Digest: Okay
    PSSTest: Okay
    WrapTest: Okay
    DoFinalTest: Okay
    CipherStreamTest: Okay
    java.io.IOException: javax.crypto.AEADBadTagException: mac check in EAX failed
        at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:115)
        at javax.crypto.CipherInputStream.read(CipherInputStream.java:186)
        at org.bouncycastle.jce.provider.test.CipherStreamTest2.testTamperedRead(Unknown Source)
        at org.bouncycastle.jce.provider.test.CipherStreamTest2.testModes(Unknown Source)
        at org.bouncycastle.jce.provider.test.CipherStreamTest2.performTests(Unknown Source)
        at org.bouncycastle.jce.provider.test.CipherStreamTest2.performTest(Unknown Source)
        at org.bouncycastle.util.test.SimpleTest.perform(Unknown Source)
        at org.bouncycastle.jce.provider.test.RegressionTest.main(Unknown Source)
    Caused by: javax.crypto.AEADBadTagException: mac check in EAX failed
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:408)
        at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$AEADGenericBlockCipher.doFinal(Unknown Source)
        at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
        at javax.crypto.Cipher.doFinal(Cipher.java:2004)
        at javax.crypto.CipherInputStream.getMoreData(CipherInputStream.java:112)
        ... 7 more
    CipherStreamTest: Exception: java.io.IOException: javax.crypto.AEADBadTagException: mac check in EAX failed
    NamedCurve: Okay
    PKIX: Okay
    NetscapeCertRequest: Okay
    X509StreamParser: Okay
    X509CertificatePair: Okay
    CertPath: Okay
    CertStore: Okay
    org.bouncycastle.jce.exception.ExtCertPathValidatorException: No CRLs found for issuer "CN=Test CA Certificate"
        at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertA(Unknown Source)
        at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
        at org.bouncycastle.jce.provider.test.CertPathValidatorTest.performTest(Unknown Source)
        at org.bouncycastle.util.test.SimpleTest.perform(Unknown Source)
        at org.bouncycastle.jce.provider.test.RegressionTest.main(Unknown Source)
    Caused by: org.bouncycastle.jce.provider.AnnotatedException: No CRLs found for issuer "CN=Test CA Certificate"
        at org.bouncycastle.jce.provider.CertPathValidatorUtilities.getCompleteCRLs(Unknown Source)
        at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.checkCRL(Unknown Source)
        at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.checkCRLs(Unknown Source)
        ... 6 more
    CertPathValidator: Exception: org.bouncycastle.jce.exception.ExtCertPathValidatorException: No CRLs found for issuer "CN=Test CA Certificate"
    java.security.cert.CertPathBuilderException: Certification path could not be validated.
        at org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at org.bouncycastle.jce.provider.test.CertPathBuilderTest.baseTest(Unknown Source)
        at org.bouncycastle.jce.provider.test.CertPathBuilderTest.performTest(Unknown Source)
        at org.bouncycastle.util.test.SimpleTest.perform(Unknown Source)
        at org.bouncycastle.jce.provider.test.RegressionTest.main(Unknown Source)
    Caused by: org.bouncycastle.jce.exception.ExtCertPathValidatorException: No CRLs found for issuer "CN=Test CA Certificate"
        at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertA(Unknown Source)
        at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
        at org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi.build(Unknown Source)
        at org.bouncycastle.jce.provider.PKIXCertPathBuilderSpi.build(Unknown Source)
        ... 6 more
    Caused by: org.bouncycastle.jce.provider.AnnotatedException: No CRLs found for issuer "CN=Test CA Certificate"
        at org.bouncycastle.jce.provider.CertPathValidatorUtilities.getCompleteCRLs(Unknown Source)
        at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.checkCRL(Unknown Source)
        at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.checkCRLs(Unknown Source)
        ... 11 more
    CertPathBuilder: Exception: java.security.cert.CertPathBuilderException: Certification path could not be validated.
    ECEncodingTest: Okay
    AlgorithmParameters: Okay
    NISTCertPathTest: Okay
    PKIXPolicyMapping: Okay
    SlotTwo: Okay
    PKIXNameConstraintsTest: Okay
    MultiCertStore: Okay
    Noekeon: Okay
    Serialisation: Okay
    SigNameTest: Okay
    MQV: Okay
    CMac: Okay
    GMac: Okay
    OCB: Okay
    DSTU4145: Okay
    CRL5: Okay
    Poly1305: Okay
    SipHash: Okay
    SHA3: Okay
    Skein: Okay
    Shacal2: Okay
    DetDSA: Okay

Whereas with current beta,

    java \
     -classpath /usr/share/java/bcprov-jdk15on-152b05.jar:/usr/share/java/bctest-jdk15on-152b05.jar \
     org.bouncycastle.jce.provider.test.RegressionTest

the 3 exceptions

    CipherStreamTest: Exception: java.io.IOException: javax.crypto.AEADBadTagException: mac check in EAX failed
    CertPathValidator: Exception: org.bouncycastle.jce.exception.ExtCertPathValidatorException: No CRLs found for issuer "CN=Test CA Certificate"
    CertPathBuilder: Exception: java.security.cert.CertPathBuilderException: Certification path could not be validated.

are resolved/gone.

(1) Current BC's spec in distro should limit install/use to jdk <= v1.7

(2) BC >= v jdk15on-152b05 should be prep'd for inclusion in opensuse distro, specifically for jdk 1.8 compatibility

--
You are receiving this mail because:
You are on the CC list for the bug.
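The first exception in the log above comes from a test that reads tampered ciphertext through javax.crypto.CipherInputStream. The following is an added example, not code from the report or from BouncyCastle, showing how that read surfaces on Java 8 or later: an IOException whose cause is AEADBadTagException. It assumes the JDK's own AES/GCM as a stand-in for BC's EAX mode so that it runs without the BC jars; the class and method names are hypothetical.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.CipherInputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class TamperedStreamRead {

    // Decrypts ct through a CipherInputStream and reports whether the AEAD tag verified.
    static String readThroughStream(SecretKey key, byte[] iv, byte[] ct) throws Exception {
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        try (InputStream in = new CipherInputStream(new ByteArrayInputStream(ct), dec)) {
            byte[] buf = new byte[64];
            while (in.read(buf) != -1) {
                // drain the stream; the tag is only checked when the input is exhausted
            }
            return "tag verified";
        } catch (IOException e) {
            // Same shape as the trace in the report: IOException wrapping AEADBadTagException
            if (e.getCause() instanceof AEADBadTagException) {
                return "rejected: " + e.getCause();
            }
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        // Constructed sample plaintext, not data from the report
        byte[] ct = enc.doFinal("constructed sample plaintext".getBytes(StandardCharsets.UTF_8));

        System.out.println("intact:   " + readThroughStream(key, iv, ct));
        ct[0] ^= 0x01; // flip one ciphertext bit to simulate tampering
        System.out.println("tampered: " + readThroughStream(key, iv, ct));
    }
}
```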
grant k
Well, 1.8 is a preview on 13.2, so no biggie, and we won't update to a beta in the maintenance update anyway.
For Factory I updated to 1.50 for now; feel free to open a bug for an update there when 1.52 is released.
I am closing it as wontfix, as a version bump like this is a no-no for maintenance, but for Factory/next release we definitely should do it when upstream publishes the release.
It's arguably a security, not simply a maintenance, issue. The pkg update, as allowed and installed, BREAKS the expected BC signing functionality.

So that I understand, why would this NOT be upgraded for 13.2 as a result?

Why was Factory only updated to 1.50, as 1.51 has been out as current release for a while?

Fyi, yes, having checked with upstream, v1.52 is "any day now"

Thx.