[Git][java-team/bouncycastle][master] 2 commits: Backport the fix for EncryptionOperationNotPossibleException

Tony Mancill (@tmancill) gitlab at salsa.debian.org
Sat Apr 26 17:39:45 BST 2025 


Tony Mancill pushed to branch master at Debian Java Maintainers / bouncycastle


Commits:
7c3b58d0 by Julien Plissonneau Duquène at 2025-04-11T14:48:34+00:00
Backport the fix for EncryptionOperationNotPossibleException

Not a direct cherry pick, but as finally fixed by:
https://github.com/bcgit/bc-java/commit/66f21aaa43a6bfb2ca20dea0dea983dccf38a03d

https://github.com/bcgit/bc-java/issues/1985#issuecomment-2692447133:

> BC 1.81 (beta) Fix: In BC 1.81 (beta), compatibility with older versions
> (e.g., 1.79) was restored. If a 0-byte IV is provided, BC internally
> generates a PKCS12-derived IV from the password and salt, mimicking pre-1.80
> behavior.

Signed-off-by: Julien Plissonneau Duquène <sre4ever at free.fr>

- - - - -
dafe34dc by Tony Mancill at 2025-04-26T16:39:43+00:00
Merge branch 'fix-1100227' into 'master'

Backport the fix for EncryptionOperationNotPossibleException

See merge request java-team/bouncycastle!5
- - - - -


3 changed files:

- debian/changelog
- + debian/patches/backport-1.81-fix-jasypt.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+bouncycastle (1.80-3) UNRELEASED; urgency=medium
+
+  * Backport the fix for EncryptionOperationNotPossibleException with jasypt.
+    (Closes: #1100227)
+
+ -- Julien Plissonneau Duquène <sre4ever at free.fr>  Fri, 11 Apr 2025 14:03:01 +0000
+
 bouncycastle (1.80-2) unstable; urgency=medium
 
   * libbcutil-java now depends on libbcprov-java


=====================================
debian/patches/backport-1.81-fix-jasypt.patch
=====================================
@@ -0,0 +1,106 @@
+Description: Backport the fix for EncryptionOperationNotPossibleException
+Origin: backport, https://github.com/bcgit/bc-java/commit/66f21aaa43a6bfb2ca20dea0dea983dccf38a03d
+Bug: https://github.com/bcgit/bc-java/issues/1985
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100227
+Forwarded: not-needed
+Applied-Upstream: 66f21aaa43a6bfb2ca20dea0dea983dccf38a03d
+Last-Update: 2025-04-11
+
+Not a direct cherry pick, but as finally fixed by:
+https://github.com/bcgit/bc-java/commit/66f21aaa43a6bfb2ca20dea0dea983dccf38a03d
+
+https://github.com/bcgit/bc-java/issues/1985#issuecomment-2692447133:
+
+> BC 1.81 (beta) Fix: In BC 1.81 (beta), compatibility with older versions
+> (e.g., 1.79) was restored. If a 0-byte IV is provided, BC internally
+> generates a PKCS12-derived IV from the password and salt, mimicking pre-1.80
+> behavior.
+
+--- a/prov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseBlockCipher.java
++++ b/prov/src/main/java/org/bouncycastle/jcajce/provider/symmetric/util/BaseBlockCipher.java
+@@ -448,7 +448,7 @@
+             {
+                 throw new NoSuchAlgorithmException("no mode support for " + modeName);
+             }
+-            
++
+             ivLength = baseEngine.getBlockSize();
+             cipher = new BufferedGenericBlockCipher(
+                 new PGPCFBBlockCipher(baseEngine, inlineIV));
+@@ -821,14 +821,16 @@
+             param = null;
+         }
+ 
+-        AlgorithmParameterSpec params;
++        AlgorithmParameterSpec params = paramSpec;
+         if (paramSpec instanceof PBEParameterSpec)
+         {
+             params = ((PBEParameterSpec)paramSpec).getParameterSpec();
+-        }
+-        else
+-        {
+-            params = paramSpec;
++            // If params.getIv() returns an empty byte array, ivParam will be assigned an IV generated by PBE.Util.makePBEParameters
++            // according to RFC 7292. This behavior is intended for Jasypt users who choose to use NoIvGenerator.
++            if (params instanceof IvParameterSpec && ((IvParameterSpec)params).getIV().length == 0)
++            {
++                params = paramSpec;
++            }
+         }
+ 
+         if (params instanceof AEADParameterSpec)
+--- a/prov/src/test/java/org/bouncycastle/jce/provider/test/PBETest.java
++++ b/prov/src/test/java/org/bouncycastle/jce/provider/test/PBETest.java
+@@ -564,6 +564,43 @@
+ 
+         isTrue(Arrays.areEqual(input, decryptedBytes));
+     }
++
++    private void testNoIvPBEParameterSpec()
++        throws Exception
++    {
++        String cipherAlgo = "PBEWITHSHA256AND256BITAES-CBC-BC";
++
++        SecureRandom random = new FixedSecureRandom(Hex.decode(
++            "000102030405060708090a0b0c0d0e0f"
++                + "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf"));
++
++        char[] password = "abcdefghijklmnop".toCharArray();
++        PBEKeySpec pbeKeySpec = new PBEKeySpec(password);
++
++        SecretKeyFactory factory = SecretKeyFactory.getInstance(
++            "PBEWITHSHA256AND256BITAES-CBC-BC",
++            "BC");
++        SecretKey key = factory.generateSecret(pbeKeySpec);
++
++        byte[] salt = new byte[16];
++        random.nextBytes(salt);
++        // simulate the situation for issue #1985
++        byte[] iv = new byte[0];
++
++        PBEParameterSpec pbeParamSpec = new PBEParameterSpec(salt, 1000, new IvParameterSpec(iv));
++
++        Cipher encryptCipher = Cipher.getInstance(cipherAlgo, "BC");
++        Cipher decryptCipher = Cipher.getInstance(cipherAlgo, "BC");
++
++        encryptCipher.init(Cipher.ENCRYPT_MODE, key, pbeParamSpec);
++        decryptCipher.init(Cipher.DECRYPT_MODE, key, pbeParamSpec);
++
++        byte[] input = Strings.toByteArray("testing");
++        byte[] encryptedBytes = encryptCipher.doFinal(input);
++        byte[] decryptedBytes = decryptCipher.doFinal(encryptedBytes);
++
++        isTrue(Arrays.areEqual(input, decryptedBytes));
++    }
+     
+     public void performTest()
+         throws Exception
+@@ -710,7 +747,7 @@
+         }
+ 
+         testExtendedPBEParameterSpec();
+-
++        testNoIvPBEParameterSpec();
+         testPKCS12Interop();
+ 
+         testPBEHMac("PBEWithHMacSHA1", hMac1);


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
 exclude-X509LDAPCertStoreTest.patch
 skip-javadoc.patch
+backport-1.81-fix-jasypt.patch



View it on GitLab: https://salsa.debian.org/java-team/bouncycastle/-/compare/43217deb2f401e92bbbdb07e388e8ad0b81860fd...dafe34dcb8fa6e2a3ea68264520a9b056909467a

-- 
View it on GitLab: https://salsa.debian.org/java-team/bouncycastle/-/compare/43217deb2f401e92bbbdb07e388e8ad0b81860fd...dafe34dcb8fa6e2a3ea68264520a9b056909467a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20250426/072583c8/attachment.htm>

More information about the pkg-java-commits mailing list