Please update Bouncy Castle

[Neustradamus]

Please update Bouncy Castle

• https://www.bouncycastle.org/
• https://www.bouncycastle.org/releasenotes.html
• http://www.bouncycastle.org/latest_releases.html
• https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bouncy%20castle
• https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bouncycastle
• https://www.cvedetails.com/vulnerability-list/vendor_id-7637/Bouncycastle.html

[jakubgs]

Based on conversation in:

• Remove dependency on BouncyCastle #47

It appears we are indeed using this at runtime, but the CVE-2020-15522 doesn't appear to affect us.

[bitgamma]

the reason why it hasn't been upgraded is that trying to do so generated builds of status-mobile which crashed at runtime. Since status-mobile is indirectly dependent on bouncycastle through other dependencies as well, I guessed it was some kind of conflict between required versions.

I have checked that CVE but it doesn't affect us because we don't use BouncyCastle for ECDSA signing. We use it for verifying, for ECDH, AES, DES and SHA in the context of Keycard. Outside Keycard I don't know exactly where it is used, but all blockchain related crypto is done in status-go so it is probably used for TLS (again, ECDH).

We could try again upgrading it and investigating what breaks the app at runtime, but unless there is a pressing reason to upgrade I would say it is low-prio.