For more security spongycastle -> bouncycastle #4163

Open
Neustradamus opened this issue Apr 12, 2020 · 11 comments · May be fixed by bisq-network/bitcoinj#42

Comments

@boring-cyborg

boring-cyborg bot commented Apr 12, 2020

Thanks for opening your first issue here!

Be sure to follow the issue template. Your issue will be reviewed by a maintainer and labeled for further action.

@ripcurlx
Member

As far as I remember we did have bouncycastle before, but needed to switch to the default Oracle one as external libs weren't supported anymore when we upgraded the JDK. Maybe @freimair has more details on this.

@Neustradamus
Author

@ripcurlx: Thanks for your comment!
Currently the last Bouncy Castle version is 1.65 and the last Spongy Castle version is 1.58.
Spongy Castle is a fork of Bouncy Castle.
Please look at the previous links :)

For several years, a lot of projects have already moved from Spongy Castle to Bouncy Castle because the project is dead.

You can see discussion "34" in https://github.com/rtyley/spongycastle/issues.

@Neustradamus
Author

@ripcurlx: Any news?

@ripcurlx
Member

ripcurlx commented Jan 8, 2021

@ripcurlx: Any news?

@Neustradamus Sorry - completely missed your response. As mentioned above I don't think we are using Spongy Castle at all (we previously did use BouncyCastle). Where did you find this in the codebase? Maybe I missed something.

@Neustradamus
Author

@ripcurlx: Spongy Castle was a fork of Bouncy Castle and it is obsolete:

Spongy Castle has vulnerabilities from Bouncy Castle.

Time to update to Bouncy Castle 1.68.

@ripcurlx
Member

ripcurlx commented Jan 9, 2021

That is an old formatting instruction. I'll get rid of it.

Yes, I did look myself as well and found some bouncycastle libs used. We use version 1.63 right now. I'll forward it to check if we should/can move to 1.68 without any problems.

@ripcurlx
Member

ripcurlx commented Jan 9, 2021

Those are all deprecated/archived or unused projects. But it was a good reminder to archive two of them as well (bisq-network/incubator-bisq-api and bisq-network/incubator-bisq-xmr-integration).

@ripcurlx
Member

ripcurlx commented Jan 9, 2021

Yes, I did look myself as well and found some bouncycastle libs used. We use version 1.63 right now. I'll forward it to check if we should/can move to 1.68 without any problems.

@stejbac @chimp1984 Do you think it is safe to update to the latest bouncycastle version?
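The check discussed above (which Bouncy Castle or Spongy Castle artifacts the build actually resolves, and at what version) can be scripted over the output of `gradle dependencies`. This is an added example, not Bisq's or bitcoinj's code: the dependency tree below is a constructed sample, the Maven group ids are the real ones for both libraries, and the 1.68 minimum is the version this thread asks about.

```python
import re
from typing import Dict, List

# Maven group ids as printed by `gradle dependencies`.
SPONGY_GROUP = "com.madgag.spongycastle"   # abandoned fork, last release 1.58.x
BOUNCY_GROUP = "org.bouncycastle"
MIN_BOUNCY = "1.68"                         # version the issue asks to move to

# Matches "group:artifact:version" and Gradle's "requested -> resolved" form.
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):([\w.\-]+)(?:\s*->\s*([\w.\-]+))?")

# Constructed sample of a Gradle dependency tree (not taken from Bisq's build).
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.bouncycastle:bcprov-jdk15on:1.63
+--- com.madgag.spongycastle:core:1.58.0.0
\\--- org.bitcoinj:bitcoinj-core:0.15.10
     \\--- org.bouncycastle:bcprov-jdk15on:1.60 -> 1.63 (*)
"""

def version_key(v: str) -> tuple:
    """Turn '1.58.0.0' into a comparable tuple of ints (non-numeric parts -> 0)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def audit_tree(tree: str, min_bouncy: str = MIN_BOUNCY) -> List[Dict[str, str]]:
    """Return one finding per distinct crypto-provider coordinate in the tree.

    kind is 'spongycastle' for any Spongy Castle artifact, and
    'bouncycastle-outdated' for Bouncy Castle artifacts resolved below min_bouncy.
    """
    findings: List[Dict[str, str]] = []
    seen = set()
    for line in tree.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, requested, resolved = m.groups()
        version = resolved or requested  # Gradle prints the resolved version after '->'
        coord = f"{group}:{artifact}:{version}"
        if coord in seen:               # '(*)' repeats resolve to the same coordinate
            continue
        seen.add(coord)
        if group == SPONGY_GROUP:
            findings.append({"kind": "spongycastle", "coordinate": coord})
        elif group == BOUNCY_GROUP and version_key(version) < version_key(min_bouncy):
            findings.append({"kind": "bouncycastle-outdated", "coordinate": coord})
    return findings

if __name__ == "__main__":
    for f in audit_tree(SAMPLE_TREE):
        print(f"{f['kind']:22} {f['coordinate']}")
```

On the sample tree this reports the 1.63 Bouncy Castle provider as below 1.68 and flags the Spongy Castle core artifact once, even though it is reached through more than one path.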

@chimp1984
Contributor

@ripcurlx Are there any important changes? Basically we prefer not to update libs as long as it is not needed. The risk of getting new targeted vulnerabilities is higher IMO than potential security fixes for some exotic edge cases. To do it safely someone would need to review/audit all the changes there, which is unfeasible for our dev work force.

@napoly napoly linked a pull request Feb 8, 2024 that will close this issue

3 participants