switch from spongycastle to latest official bouncycastle

#1379

app/build.gradle

@@ -49,9 +49,8 @@ dependencies {
     compile 'com.fasterxml.jackson.core:jackson-annotations:2.8.7'
     compile 'com.fasterxml.jackson.core:jackson-databind:2.8.7'
 
-    compile 'com.madgag.spongycastle:pkix:1.54.0.0'
-    compile 'com.madgag.spongycastle:prov:1.54.0.0'
-    compile 'com.madgag.spongycastle:core:1.54.0.0'
+    compile 'org.bouncycastle:bcpkix-jdk15on:1.59'
+    compile 'org.bouncycastle:bcprov-jdk15on:1.59'
 
     testCompile "org.robolectric:robolectric:3.3.2"
     testCompile 'junit:junit:4.12'
@@ -85,6 +84,7 @@ dependencyVerification {
             'com.android.support:design:7225973f7ee03765008a9c2f17a40b154c6885169fef022276e811c926a2202c',
             'com.android.support:gridlayout-v7:2f5af33c4be1d3e4e3fa999323265718ac1a4c81df4c0373d6ce8901613b1671',
             'com.android.support:palette-v7:6d24037fb375c7884f878edeb88c812b87a05c69221513507ecea21c257d6314',
+            'com.android.support:preference-v7:a1798a826b4097d00e49280f412b21af08f9bf1179c2e3838dc339d9f843416d',
             'com.android.support:recyclerview-v7:d735e4727878e99ef3980c10d15dc3468462fd509d4fb60cb8bd20b0f735085c',
             'com.android.support:support-annotations:3365960206c3d2b09e845f555e7f88f8effc8d2f00b369e66c4be384029299cf',
             'com.android.support:support-compat:880ce01ff5be42b233ff8ec0c61cefb7dc3dc9500fea9e24423214813ac27ea2',
@@ -101,16 +101,16 @@ dependencyVerification {
             'com.github.pserwylo:BottomNavigation:83d7941a7a8d21ba1a8a708cd683b1bb07c6cf898044dc92eadf18a7a7d54f90',
             'com.google.zxing:core:52dd6211bbaf4e600de693834d597e49707f3e6606e1f5d3740fbb8274466abe',
             'com.hannesdorfmann:adapterdelegates3:1b20d099d6e7afe57aceca13b713b386959d94a247c3c06a7aeb65b866ece02f',
-            'com.madgag.spongycastle:core:1e7fa4b19ccccd1011364ab838d0b4702470c178bbbdd94c5c90b2d4d749ea1e',
-            'com.madgag.spongycastle:pkix:721a302f5ce18bf6fff89d514ef224c37b5dd9ca67a16b56fafaea4b24a51482',
-            'com.madgag.spongycastle:prov:cf89c550fda86c0f26858c3d851ac1d2ce49cd78dd144cd86f307b7ea3e6afd7',
             'com.nostra13.universalimageloader:universal-image-loader:dbd5197ffec3a8317533190870a7c00ff3750dd6a31241448c6a5522d51b65b4',
             'eu.chainfire:libsuperuser:018344ff19ee94d252c14b4a503ee8b519184db473a5af83513f5837c413b128',
             'info.guardianproject.netcipher:netcipher:eeeb5d0d95ccfe176b4296cbd71a9a24c6efb0bab5c4025a8c6bc36abdddfc75',
             'info.guardianproject.panic:panic:a7ed9439826db2e9901649892cf9afbe76f00991b768d8f4c26332d7c9406cb2',
             'io.reactivex:rxandroid:35c1a90f8c1f499db3c1f3d608e1f191ac8afddb10c02dd91ef04c03a0a4bcda',
             'io.reactivex:rxjava:2c162afd78eba217cdfee78b60e85d3bfb667db61e12bc95e3cf2ddc5beeadf6',
+            'org.bouncycastle:bcpkix-jdk15on:601d85cfbcef76a1cb77cbf755a6234a4ba1d4c02a98d9a81028d471f388694f',
+            'org.bouncycastle:bcprov-jdk15on:1c31e44e331d25e46d293b3e8ee2d07028a67db011e74cb2443285aed1d59c85',
             'org.jmdns:jmdns:24e7e3a50a579136400e8c9b0750399eb3c7558918bdf52c0ffa5e0fa5aad503',
+            'org.nanohttpd:nanohttpd:de864c47818157141a24c9acb36df0c47d7bf15b7ff48c90610f3eb4e5df0e58',
             'org.slf4j:slf4j-api:e56288031f5e60652c06e7bb6e9fa410a61231ab54890f7b708fc6adc4107c5b',
     ]
 }

app/proguard-rules.pro

@@ -22,7 +22,7 @@
 # removed, proguard will strip classes which are required, which may result in
 # crashes.
 -keep class kellinwood.security.zipsigner.** {*;}
--keep class org.spongycastle.** {*;}
+-keep class org.bouncycastle.** {*;}
 
 # This keeps class members used for SystemInstaller IPC.
 #   Reference: https://gitlab.com/fdroid/fdroidclient/issues/79

app/src/main/java/kellinwood/security/zipsigner/optional/CertCreator.java

@@ -1,8 +1,8 @@
 package kellinwood.security.zipsigner.optional;
 
 import kellinwood.security.zipsigner.KeySet;
-import org.spongycastle.jce.X509Principal;
-import org.spongycastle.x509.X509V3CertificateGenerator;
+import org.bouncycastle.jce.X509Principal;
+import org.bouncycastle.x509.X509V3CertificateGenerator;
 
 import java.io.File;
 import java.io.IOException;

app/src/main/java/kellinwood/security/zipsigner/optional/DistinguishedNameValues.java

@@ -1,8 +1,8 @@
 package kellinwood.security.zipsigner.optional;
 
-import org.spongycastle.asn1.ASN1ObjectIdentifier;
-import org.spongycastle.asn1.x500.style.BCStyle;
-import org.spongycastle.jce.X509Principal;
+import org.bouncycastle.asn1.ASN1ObjectIdentifier;
+import org.bouncycastle.asn1.x500.style.BCStyle;
+import org.bouncycastle.jce.X509Principal;
 
 import java.util.Iterator;
 import java.util.LinkedHashMap;

app/src/main/java/kellinwood/security/zipsigner/optional/Fingerprint.java

@@ -3,7 +3,7 @@ package kellinwood.security.zipsigner.optional;
 import kellinwood.logging.LoggerInterface;
 import kellinwood.logging.LoggerManager;
 import kellinwood.security.zipsigner.Base64;
-import org.spongycastle.util.encoders.HexTranslator;
+import org.bouncycastle.util.encoders.HexTranslator;
 
 import java.security.MessageDigest;
 

app/src/main/java/kellinwood/security/zipsigner/optional/KeyStoreFileManager.java

@@ -3,7 +3,7 @@ package kellinwood.security.zipsigner.optional;
 
 import kellinwood.logging.LoggerInterface;
 import kellinwood.logging.LoggerManager;
-import org.spongycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
 import java.io.*;
 import java.security.*;
@@ -28,8 +28,8 @@ public class KeyStoreFileManager {
     static LoggerInterface logger = LoggerManager.getLogger( KeyStoreFileManager.class.getName());
 
     static {
-        // Add the spongycastle version of the BC provider so that the implementation classes returned
-        // from the keystore are all from the spongycastle libs.
+        // Add the bouncycastle version of the BC provider so that the implementation classes returned
+        // from the keystore are all from the bouncycastle libs.
         Security.addProvider(getProvider());
     }
 

app/src/main/java/kellinwood/security/zipsigner/optional/SignatureBlockGenerator.java

@@ -1,14 +1,14 @@
 package kellinwood.security.zipsigner.optional;
 
 import kellinwood.security.zipsigner.KeySet;
-import org.spongycastle.cert.jcajce.JcaCertStore;
-import org.spongycastle.cms.*;
-import org.spongycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
-import org.spongycastle.operator.ContentSigner;
-import org.spongycastle.operator.DigestCalculatorProvider;
-import org.spongycastle.operator.jcajce.JcaContentSignerBuilder;
-import org.spongycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
-import org.spongycastle.util.Store;
+import org.bouncycastle.cert.jcajce.JcaCertStore;
+import org.bouncycastle.cms.*;
+import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.DigestCalculatorProvider;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
+import org.bouncycastle.util.Store;
 
 import java.util.ArrayList;
 import java.util.List;

app/src/main/java/org/fdroid/fdroid/FDroidApp.java

@@ -121,7 +121,7 @@ public class FDroidApp extends Application {
     private static volatile int timeout = 10000;
 
     // Leaving the fully qualified class name here to help clarify the difference between spongy/bouncy castle.
-    private static final org.spongycastle.jce.provider.BouncyCastleProvider SPONGYCASTLE_PROVIDER;
+    private static final org.bouncycastle.jce.provider.BouncyCastleProvider BOUNCYCASTLE_PROVIDER;
 
     @SuppressWarnings("unused")
     BluetoothAdapter bluetoothAdapter;
@@ -135,8 +135,8 @@ public class FDroidApp extends Application {
     NotificationHelper notificationHelper;
 
     static {
-        SPONGYCASTLE_PROVIDER = new org.spongycastle.jce.provider.BouncyCastleProvider();
-        enableSpongyCastle();
+        BOUNCYCASTLE_PROVIDER = new org.bouncycastle.jce.provider.BouncyCastleProvider();
+        enableBouncyCastle();
     }
 
     private static Theme curTheme = Theme.light;
@@ -209,19 +209,19 @@ public class FDroidApp extends Application {
         activity.overridePendingTransition(0, 0);
     }
 
-    public static void enableSpongyCastle() {
-        Security.addProvider(SPONGYCASTLE_PROVIDER);
+    public static void enableBouncyCastle() {
+        Security.addProvider(BOUNCYCASTLE_PROVIDER);
     }
 
-    public static void enableSpongyCastleOnLollipop() {
+    public static void enableBouncyCastleOnLollipop() {
         if (Build.VERSION.SDK_INT == 21) {
-            Security.addProvider(SPONGYCASTLE_PROVIDER);
+            Security.addProvider(BOUNCYCASTLE_PROVIDER);
         }
     }
 
-    public static void disableSpongyCastleOnLollipop() {
+    public static void disableBouncyCastleOnLollipop() {
         if (Build.VERSION.SDK_INT == 21) {
-            Security.removeProvider(SPONGYCASTLE_PROVIDER.getName());
+            Security.removeProvider(BOUNCYCASTLE_PROVIDER.getName());
         }
     }
 

app/src/main/java/org/fdroid/fdroid/RepoUpdater.java

@@ -203,10 +203,10 @@ public class RepoUpdater {
                 throw new UpdateException(downloadedFile + " does not exist!");
             }
 
-            // Due to a bug in Android 5.0 Lollipop, the inclusion of spongycastle causes
+            // Due to a bug in Android 5.0 Lollipop, the inclusion of bouncycastle causes
             // breakage when verifying the signature of the downloaded .jar. For more
             // details, check out https://gitlab.com/fdroid/fdroidclient/issues/111.
-            FDroidApp.disableSpongyCastleOnLollipop();
+            FDroidApp.disableBouncyCastleOnLollipop();
 
             JarFile jarFile = new JarFile(downloadedFile, true);
             JarEntry indexEntry = (JarEntry) jarFile.getEntry("index.xml");
@@ -237,7 +237,7 @@ public class RepoUpdater {
         } catch (SAXException | ParserConfigurationException | IOException e) {
             throw new UpdateException("Error parsing index", e);
         } finally {
-            FDroidApp.enableSpongyCastleOnLollipop();
+            FDroidApp.enableBouncyCastleOnLollipop();
             Utils.closeQuietly(indexInputStream);
             if (downloadedFile != null) {
                 if (!downloadedFile.delete()) {

app/src/main/java/org/fdroid/fdroid/data/App.java

@@ -797,7 +797,7 @@ public class App extends ValueObject implements Comparable<App>, Parcelable {
         // breakage when verifying the signature of most .jars. For more
         // details, check out https://gitlab.com/fdroid/fdroidclient/issues/111.
         try {
-            FDroidApp.disableSpongyCastleOnLollipop();
+            FDroidApp.disableBouncyCastleOnLollipop();
             final InputStream tmpIn = apkJar.getInputStream(aSignedEntry);
             byte[] buff = new byte[2048];
             //noinspection StatementWithEmptyBody
@@ -818,7 +818,7 @@ public class App extends ValueObject implements Comparable<App>, Parcelable {
             final Certificate signer = aSignedEntry.getCertificates()[0];
             rawCertBytes = signer.getEncoded();
         } finally {
-            FDroidApp.enableSpongyCastleOnLollipop();
+            FDroidApp.enableBouncyCastleOnLollipop();
         }
         apkJar.close();
 

app/src/main/java/org/fdroid/fdroid/installer/ApkSignatureVerifier.java

@@ -26,7 +26,7 @@ import android.content.pm.PackageManager;
 import android.content.pm.Signature;
 import org.acra.ACRA;
 import org.fdroid.fdroid.Utils;
-import org.spongycastle.util.encoders.Hex;
+import org.bouncycastle.util.encoders.Hex;
 
 import java.io.ByteArrayOutputStream;
 import java.io.File;

app/src/main/java/org/fdroid/fdroid/localrepo/LocalRepoKeyStore.java

@@ -5,19 +5,19 @@ import android.util.Log;
 import kellinwood.security.zipsigner.ZipSigner;
 import org.fdroid.fdroid.FDroidApp;
 import org.fdroid.fdroid.Utils;
-import org.spongycastle.asn1.ASN1Sequence;
-import org.spongycastle.asn1.x500.X500Name;
-import org.spongycastle.asn1.x509.GeneralName;
-import org.spongycastle.asn1.x509.GeneralNames;
-import org.spongycastle.asn1.x509.SubjectPublicKeyInfo;
-import org.spongycastle.asn1.x509.Time;
-import org.spongycastle.asn1.x509.X509Extension;
-import org.spongycastle.cert.X509CertificateHolder;
-import org.spongycastle.cert.X509v3CertificateBuilder;
-import org.spongycastle.cert.jcajce.JcaX509CertificateConverter;
-import org.spongycastle.operator.ContentSigner;
-import org.spongycastle.operator.OperatorCreationException;
-import org.spongycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
+import org.bouncycastle.asn1.x509.Time;
+import org.bouncycastle.asn1.x509.X509Extension;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;

app/src/main/java/org/fdroid/fdroid/net/HttpDownloader.java

@@ -9,7 +9,7 @@ import org.apache.commons.io.FileUtils;
 import org.fdroid.fdroid.BuildConfig;
 import org.fdroid.fdroid.FDroidApp;
 import org.fdroid.fdroid.Utils;
-import org.spongycastle.util.encoders.Base64;
+import org.bouncycastle.util.encoders.Base64;
 
 import java.io.BufferedInputStream;
 import java.io.File;

extern/zipsigner/build.gradle

@@ -1,14 +0,0 @@
-apply plugin: 'java'
-
-repositories {
-    jcenter()
-}
-
-sourceCompatibility = 1.7
-targetCompatibility = 1.7
-
-dependencies {
-    compile 'com.madgag.spongycastle:pkix:1.53.0.0'
-    compile 'com.madgag.spongycastle:prov:1.53.0.0'
-    compile 'com.madgag.spongycastle:core:1.53.0.0'
-}