migrate from net.i2p.crypto.eddsa to org.bouncycastle.bcpkix-jdk18on to remediate CVE-2020-36843

Before this commit we were using net.i2p.crypto.eddsa which was vulnerable to CVE-2020-36843, now we are moving to org.bouncycastle.bcpkix-jdk18on to remediate cve

Author: Muthu-Palaniyappan-OL

pom.xml

@@ -85,9 +85,9 @@
 		</dependency>
 
 		<dependency>
-			<groupId>net.i2p.crypto</groupId>
-			<artifactId>eddsa</artifactId>
-			<version>0.3.0</version>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcpkix-jdk18on</artifactId>
+			<version>1.78</version>
 		</dependency>
 	</dependencies>
-</project>
+</project>

src/main/java/org/simplejavamail/utils/mail/dkim/DkimSigner.java

@@ -2,9 +2,10 @@
 
 import jakarta.mail.Header;
 import jakarta.mail.MessagingException;
-import net.i2p.crypto.eddsa.EdDSAPrivateKey;
 import net.markenwerk.utils.data.fetcher.BufferedDataFetcher;
 import net.markenwerk.utils.data.fetcher.DataFetchException;
+
+import org.bouncycastle.jcajce.interfaces.EdDSAPrivateKey;
 import org.eclipse.angus.mail.util.CRLFOutputStream;
 import org.eclipse.angus.mail.util.QPEncoderStream;
 

src/main/java/org/simplejavamail/utils/mail/dkim/DomainKey.java

@@ -1,9 +1,9 @@
 package org.simplejavamail.utils.mail.dkim;
 
-import java.nio.charset.StandardCharsets;
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
 import java.security.Signature;
@@ -20,12 +20,10 @@
 import java.util.StringTokenizer;
 import java.util.regex.Pattern;
 
-import net.i2p.crypto.eddsa.EdDSAPublicKey;
-import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
-import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
-
 import static java.nio.charset.StandardCharsets.UTF_8;
 
+import org.bouncycastle.jcajce.interfaces.EdDSAPublicKey;
+
 /**
  * A {@code DomainKey} holds the information about a domain key.
  * 
@@ -151,11 +149,12 @@ private RSAPublicKey getRsaPublicKey(String publicKeyTagValue) {
 
    private EdDSAPublicKey getEd25519PublicKey(String publicKeyTagValue) {
       try {
-         KeyFactory keyFactory = KeyFactory.getInstance(KeyPairType.ED25519.getJavaNotation());
-         EdDSAPublicKeySpec publicKeySpec = new EdDSAPublicKeySpec(Base64.getDecoder().decode(publicKeyTagValue),
-               EdDSANamedCurveTable.ED_25519_CURVE_SPEC);
-         return (EdDSAPublicKey) keyFactory.generatePublic(publicKeySpec);
-      } catch (NoSuchAlgorithmException nsae) {
+         byte[] keyBytes = Base64.getDecoder().decode(publicKeyTagValue);
+         X509EncodedKeySpec keySpec = new X509EncodedKeySpec(keyBytes);
+
+         KeyFactory keyFactory = KeyFactory.getInstance("Ed25519", "BC");
+         return (EdDSAPublicKey) keyFactory.generatePublic(keySpec);
+      } catch (NoSuchAlgorithmException | NoSuchProviderException nsae) {
          throw new DkimException("Ed25519 algorithm not found by JVM");
       } catch (IllegalArgumentException e) {
          throw new DkimException("The public key " + publicKeyTagValue + " couldn't be read.", e);
@@ -297,4 +296,4 @@ private void checkKeyCompatiblilty(PrivateKey privateKey)
 
    }
 
-}
+}

src/main/java/org/simplejavamail/utils/mail/dkim/KeyPairType.java

@@ -4,7 +4,7 @@
 import java.util.Arrays;
 import java.util.List;
 
-import net.i2p.crypto.eddsa.EdDSASecurityProvider;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
 
 public enum KeyPairType {
 
@@ -25,7 +25,7 @@ protected void initialize() {
       @Override
       protected void initialize() {
          if (!initailized) {
-            Security.addProvider(new EdDSASecurityProvider());
+            Security.addProvider(new BouncyCastleProvider());
             initailized = true;
          }
       }