Comments (6)
BouncyCastle is used as the crypto provider through JCE, so while the dependency is not apparent from code (except for those two methods which of course do not warrant by themselves pulling that lib), we actually need it at runtime for the crypto stuff to work properly.
from react-native-status-keycard.
Okay, then if that is the case, then should we upgrade it?
from react-native-status-keycard.
Also, such an indirect runtime dependency should probably be clarified in a comment, preferably in build.gradle.
from react-native-status-keycard.
The current version is 1.60, which came out on Jul 06, 2018:
https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.60
Which apparently is affected by CVE-2020-15522:
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
If we use it more widely at runtime that might be something we care about.
from react-native-status-keycard.
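The two points raised above, that BouncyCastle is pulled in only indirectly through the JCE provider mechanism and that the bundled 1.60 predates the CVE-2020-15522 fix in 1.66, can both be checked at runtime rather than by reading the build files. The following Java snippet is an added example, not code from react-native-status-keycard or from the Bouncy Castle project: it registers the BC provider if it is missing, reports which installed provider actually serves the AES, DES, SHA, ECDH and ECDSA-verification algorithms the Keycard code relies on, and flags a BC provider older than 1.66. The class name `CryptoProviderAudit` is invented for this example; `Provider.getVersion()` returns the version as a double (1.60 becomes 1.6), so the comparison against 1.66 is an approximation and the exact version string should be taken from `getInfo()`.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class CryptoProviderAudit {

    // First Bouncy Castle release that fixes CVE-2020-15522, taken from the advisory text quoted above.
    static final double FIRST_FIXED_BC_VERSION = 1.66;

    /** Make sure a BC provider is registered; the Keycard code assumes it is present at runtime. */
    static Provider ensureBouncyCastle() {
        Provider bc = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME); // "BC"
        if (bc == null) {
            bc = new BouncyCastleProvider();
            Security.addProvider(bc); // appended with lowest priority, so earlier providers still win
        }
        return bc;
    }

    /** True when the registered BC provider predates the CVE-2020-15522 fix (approximate: double comparison). */
    static boolean bcPredatesFix(Provider bc) {
        return bc.getVersion() < FIRST_FIXED_BC_VERSION;
    }

    /** Name of the provider that would serve an algorithm when the caller does not name one. */
    static String servingProvider(String kind, String algorithm) throws Exception {
        switch (kind) {
            case "cipher":     return Cipher.getInstance(algorithm).getProvider().getName();
            case "digest":     return MessageDigest.getInstance(algorithm).getProvider().getName();
            case "agreement":  return KeyAgreement.getInstance(algorithm).getProvider().getName();
            case "signature":  return Signature.getInstance(algorithm).getProvider().getName();
            default: throw new IllegalArgumentException("unknown kind: " + kind);
        }
    }

    public static void main(String[] args) throws Exception {
        Provider bc = ensureBouncyCastle();
        System.out.println("BC provider: " + bc.getInfo());
        if (bcPredatesFix(bc)) {
            // The CVE only matters for deterministic ECDSA signing; the Keycard code uses BC for
            // verification, ECDH, AES, DES and SHA, which is why the thread rates it low priority.
            System.out.println("BC " + bc.getVersion() + " predates 1.66: review whether it is used for ECDSA signing");
        }
        // Algorithms named in the thread; PKCS7Padding is served only by BC on a stock JDK, which
        // is exactly the kind of hidden runtime dependency the first comment describes.
        System.out.println("AES/CBC/PKCS7Padding -> " + servingProvider("cipher", "AES/CBC/PKCS7Padding"));
        System.out.println("DESede/CBC/NoPadding -> " + servingProvider("cipher", "DESede/CBC/NoPadding"));
        System.out.println("SHA-256              -> " + servingProvider("digest", "SHA-256"));
        System.out.println("ECDH                 -> " + servingProvider("agreement", "ECDH"));
        System.out.println("SHA256withECDSA      -> " + servingProvider("signature", "SHA256withECDSA"));
    }
}
```

Run it inside the Android app (or a JVM with bcprov on the classpath) to see which provider each algorithm resolves to; an algorithm that resolves to "BC" while nothing in the project declares BouncyCastle directly is the indirect dependency worth documenting in build.gradle.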
The reason why it hasn't been upgraded is that trying to do so generated builds of status-mobile which crashed at runtime. Since status-mobile is indirectly dependent on bouncycastle through other dependencies as well, I guessed it was some kind of conflict between required versions.
I have checked that CVE but it doesn't affect us because we don't use BouncyCastle for ECDSA signing. We use it for verifying, for ECDH, AES, DES and SHA in the context of Keycard. Outside Keycard I don't know exactly where it is used, but all blockchain related crypto is done in status-go so it is probably used for TLS (again, ECDH).
We could try again upgrading it and investigating what breaks the app at runtime, but unless there is a pressing reason to upgrade I would say it is low-prio.
from react-native-status-keycard.
Thanks for explaining, then I will reopen the issue:
Could you please also paste your comment there?
from react-native-status-keycard.