As there are multiple vulnerabilities in the bouncycastle libraries, it is really important to know what are the supported and required bouncycastle versions. What I can see, only the Cells provide direct requriement for the library in the installation package. Could you provide a full list of required dependencies, what versions are used and if those can be updated to newer versions without conflicts?
@mhill.labvantage,
Thank you for your question.
As for Aspose.Slides, the latest version of Bouncy Castle supported by our library is 1.59. But Aspose.Slides does not require Bouncy Castle. You may not use it.
My colleagues will reply to you about other Aspose products soon.
@mhill.labvantage
Aspose.Imaging uses inside the FIPS version of Bouncy Castle namely bc-fips-1.0.2.1.jar and bcpkix-fips-1.0.5.jar. For each release, we check and update them to newer versions without any conflicts.
@Andrey_Potapov, thank you for your answer, could you please elaborate a bit - is there some functionality that will not work if we don’t include the bouncycastle -libraries?
Aspose.Note for Java depends on the ‘Bouncy Castle Crypto APIs’ binaries (bcprov-jdk15on-152.jar
or bcprov-jdk14-152.jar for Java 1.4).
No, Aspose.Slides provides all the same functionality without this library. It makes sense to use this library only if you want to speed up the encryption functions a little, but by and large it is no longer needed.
Aspose.Cells for Java depends on the following ‘Bouncy Castle APIs’ binaries:
bcpkix-jdk15on-1.60.jar
bcprov-jdk15on-1.60.jar
These libraries are used for AES encryption and digital signatures of VBA project only for MS Excel file formats.
@evgsidenko - are these libraries included in the aspose-imaging-xxx.jar or do these need to be added as additional libraries?
Aspose.Words for Java uses bc-fips-1.0.2.jar and bcpkix-fips-1.0.3.jar internally and does not contain external dependencies on bouncycastle libraries. These libraries are included in aspose-words-xxxx.jar and do not need to be added as additional libraries.
Aspose.PDF for Java uses 1.51 version of bouncycastle library. But we will update it soon. Furthermore, Aspose.OCR, do not use this library. We will let you know further about other APIs.
Aspose.PDF for Java uses 1.51 version of bouncycastle library. But we will update it soon. Furthermore, Aspose.OCR, do not use this library. We will let you know further about other APIs.
@asad.ali, are these dependencies built into the aspose jar internally or do these need to be externally loaded?
Aspose.Cells for Java depends on the following ‘Bouncy Castle APIs’ binaries:
bcpkix-jdk15on-1.60.jar
bcprov-jdk15on-1.60.jar
These libraries are used for AES encryption and digital signatures of VBA project only for MS Excel file formats.
@Amjad_Sahi, can these libraries be upgraded to the latest versions (.171 is the latest?)- and will the aspose library continue to work?
It is better to use the same bouncy castle libraries in the release archive of Aspose.Cells for Java. But for your question:
I have logged an investigation ticket with an id “CELLSJAVA-44658” for your query. We need to test and evaluate with latest versions of bouncy castle libraries thoroughly and then we can share our results. We will get back to you soon with updates.
This library is built into Aspose.PDF for Java JAR internally. Furthermore, Aspose.Diagram and Aspose.Page also do not use bouncycastle library.
We tested and Aspose.Cells v22.5 works OK with Bouncy Castle v1.71 except VBA signature.
In short, encryption, decryption and workbook signature work OK but VBA signature doesn’t work with Aspose.Cells v22.5 and Bouncy Castle v1.71. We will evaluate and look into it further.
In our upcoming release Aspose.Cells for Java v22.6 (which is due in the next few days (4-6 days or so), Aspose.Cells will work OK with BouncyCastle v1.71.(VBA signature will work fine),
With BouncyCastle v1.71, the jar bcutil-jdk18on-171 is also needed besides bcprov-jdk18on-171.jar and bcpkix-jdk18on-171.jar jars.
The issues you have found earlier (filed as CELLSJAVA-44658) have been fixed in this update. This message was posted using Bugs notification tool by Peyton.Xu