Code Monkey home page Code Monkey logo

Comments (6)

bitgamma avatar bitgamma commented on July 17, 2024

BouncyCastle is used as the crypto provider through JCE, so while the depedency is not apparent from code (except for those two methods which of course do not warrant by themselves pulling that lib), we actually need it at runtime for the crypto stuff to work properly

from react-native-status-keycard.

jakubgs avatar jakubgs commented on July 17, 2024

Okay, then if that is the case, then should we upgrade it?

from react-native-status-keycard.

jakubgs avatar jakubgs commented on July 17, 2024

Also, such an indirect runtime dependency should probably be clarified in a comment, preferably in build.gradle.

from react-native-status-keycard.

jakubgs avatar jakubgs commented on July 17, 2024

The current version is 1.60, which came out in Jul 06, 2018:
https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.60

Which apparently is affected by CVE-2020-15522:

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

If we use it more widely at runtime that might be something we care about.

from react-native-status-keycard.

bitgamma avatar bitgamma commented on July 17, 2024

the reason why it hasn't been upgraded is that trying to do so generated builds of status-mobile which crashed at runtime. Since status-mobile is indirectly dependent on bouncycastle through other dependencies as well, I guessed it was some kind of conflict between required versions.

I have checked that CVE but it doesn't affect us because we don't use BouncyCastle for ECDSA signing. We use it for verifying, for ECDH, AES, DES and SHA in the context of Keycard. Outside Keycard I don't know exactly where it is used, but all blockchain related crypto is done in status-go so it is probably used for TLS (again, ECDH).

We could try again upgrading it and investigating what breaks the app at runtime, but unless there is a pressing reason to upgrade I would say it is low-prio.

from react-native-status-keycard.

jakubgs avatar jakubgs commented on July 17, 2024

Thanks for explaining, then I will reopen the issue:

Could you please also paste your comment there?

from react-native-status-keycard.

Related Issues (13)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.