fix CVE-2020-7226 and fix build error by using Java8

backport-CVE-2020-7226-2.patch

@@ -0,0 +1,81 @@
+From 132f15ead532d78d4c19d2bcb39ec8f319ad6945 Mon Sep 17 00:00:00 2001
+From: "Marvin S. Addison" <serac@vt.edu>
+Date: Mon, 27 Jan 2020 14:39:35 -0500
+Subject: [PATCH] Address code review feedback points.
+
+---
+ src/main/java/org/cryptacular/CiphertextHeader.java  |  6 +++---
+ .../java/org/cryptacular/CiphertextHeaderV2.java     | 12 +++++++-----
+ src/main/java/org/cryptacular/util/CipherUtil.java   |  1 -
+ 3 files changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/src/main/java/org/cryptacular/CiphertextHeader.java b/src/main/java/org/cryptacular/CiphertextHeader.java
+index c17e735..d43bf9a 100644
+--- a/src/main/java/org/cryptacular/CiphertextHeader.java
++++ b/src/main/java/org/cryptacular/CiphertextHeader.java
+@@ -75,12 +75,12 @@ public CiphertextHeader(final byte[] nonce)
+    */
+   public CiphertextHeader(final byte[] nonce, final String keyName)
+   {
+-    if (nonce.length > 255) {
+-      throw new IllegalArgumentException("Nonce exceeds size limit in bytes (255)");
++    if (nonce.length > MAX_NONCE_LEN) {
++      throw new IllegalArgumentException("Nonce exceeds size limit in bytes (" + MAX_NONCE_LEN + ")");
+     }
+     if (keyName != null) {
+       if (ByteUtil.toBytes(keyName).length > MAX_KEYNAME_LEN) {
+-        throw new IllegalArgumentException("Key name exceeds size limit in bytes (500)");
++        throw new IllegalArgumentException("Key name exceeds size limit in bytes (" + MAX_KEYNAME_LEN + ")");
+       }
+     }
+     this.nonce = nonce;
+diff --git a/src/main/java/org/cryptacular/CiphertextHeaderV2.java b/src/main/java/org/cryptacular/CiphertextHeaderV2.java
+index 8119f4e..1fe095b 100644
+--- a/src/main/java/org/cryptacular/CiphertextHeaderV2.java
++++ b/src/main/java/org/cryptacular/CiphertextHeaderV2.java
+@@ -102,6 +102,9 @@ public void setKeyLookup(final Function<String, SecretKey> keyLookup)
+    */
+   public byte[] encode(final SecretKey hmacKey)
+   {
++    if (hmacKey == null) {
++      throw new IllegalArgumentException("Secret key cannot be null");
++    }
+     final ByteBuffer bb = ByteBuffer.allocate(length);
+     bb.order(ByteOrder.BIG_ENDIAN);
+     bb.putInt(VERSION);
+@@ -109,10 +112,7 @@ public void setKeyLookup(final Function<String, SecretKey> keyLookup)
+     bb.put((byte) 0);
+     bb.put(ByteUtil.toUnsignedByte(nonce.length));
+     bb.put(nonce);
+-    if (hmacKey != null) {
+-      final byte[] hmac = hmac(bb.array(), 0, bb.limit() - HMAC_SIZE);
+-      bb.put(hmac);
+-    }
++    bb.put(hmac(bb.array(), 0, bb.limit() - HMAC_SIZE));
+     return bb.array();
+   }
+ 
+@@ -253,8 +253,10 @@ public static CiphertextHeaderV2 decode(final InputStream input, final Function<
+    *
+    * @param  input  Input stream.
+    * @param  output  Output buffer.
++   *
++   * @throws  StreamException  on stream IO errors.
+    */
+-  private static void readInto(final InputStream input, final byte[] output)
++  private static void readInto(final InputStream input, final byte[] output) throws StreamException
+   {
+     try {
+       input.read(output);
+diff --git a/src/main/java/org/cryptacular/util/CipherUtil.java b/src/main/java/org/cryptacular/util/CipherUtil.java
+index cdbac0d..40ef4d1 100644
+--- a/src/main/java/org/cryptacular/util/CipherUtil.java
++++ b/src/main/java/org/cryptacular/util/CipherUtil.java
+@@ -376,7 +376,6 @@ private static void process(final BlockCipherAdapter cipher, final InputStream i
+   }
+ 
+ 
+-
+   /**
+    * Writes a ciphertext header to the output stream.
+    *

backport-CVE-2020-7226-3.patch

@@ -0,0 +1,22 @@
+From 00395c232cdc62d4292ce27999c026fc1f076b1d Mon Sep 17 00:00:00 2001
+From: "Marvin S. Addison" <serac@vt.edu>
+Date: Wed, 29 Jan 2020 16:51:35 -0500
+Subject: [PATCH] Remove runtime exception from method sig.
+
+---
+ src/main/java/org/cryptacular/CiphertextHeaderV2.java | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/main/java/org/cryptacular/CiphertextHeaderV2.java b/src/main/java/org/cryptacular/CiphertextHeaderV2.java
+index 1fe095b..23d039e 100644
+--- a/src/main/java/org/cryptacular/CiphertextHeaderV2.java
++++ b/src/main/java/org/cryptacular/CiphertextHeaderV2.java
+@@ -256,7 +256,7 @@ public static CiphertextHeaderV2 decode(final InputStream input, final Function<
+    *
+    * @throws  StreamException  on stream IO errors.
+    */
+-  private static void readInto(final InputStream input, final byte[] output) throws StreamException
++  private static void readInto(final InputStream input, final byte[] output)
+   {
+     try {
+       input.read(output);

change-version-to-Java8.patch

@@ -0,0 +1,37 @@
+From 1972c658289468599bbb832bad03fe0a5a34713d Mon Sep 17 00:00:00 2001
+From: zhanghua1831 <zhanghua1831@163.com>
+Date: Fri, 26 Feb 2021 12:33:02 +0800
+Subject: [PATCH] fix build error by using Java8
+
+changes of CVE-2020-7226's patches require Java8
+---
+ pom.xml | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/pom.xml b/pom.xml
+index 1f83d44..9506e54 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -140,8 +140,8 @@
+           <showDeprecation>true</showDeprecation>
+           <showWarnings>true</showWarnings>
+           <compilerArgument>-Xlint:unchecked</compilerArgument>
+-          <source>1.7</source>
+-          <target>1.7</target>
++          <source>1.8</source>
++          <target>1.8</target>
+         </configuration>
+       </plugin>
+       <plugin>
+@@ -182,7 +182,7 @@
+         <version>2.10.3</version>
+         <configuration>
+           <links>
+-            <link>http://download.oracle.com/javase/7/docs/api</link>
++            <link>http://download.oracle.com/javase/8/docs/api</link>
+           </links>
+           <bottom><![CDATA[<i>Copyright &#169; 2003-2015 Virginia Tech. All Rights Reserved.</i>]]></bottom>
+         </configuration>
+-- 
+2.23.0
+

cryptacular.spec

@@ -1,10 +1,14 @@
 Name:                cryptacular
 Version:             1.1.0
-Release:             1
+Release:             2
 Summary:             Java Library that complement to the Bouncy Castle crypto API
 License:             ASL 2.0 or LGPLv3
 URL:                 http://www.cryptacular.org/
 Source0:             https://github.com/vt-middleware/cryptacular/archive/v%{version}.tar.gz
+Patch0000:           backport-CVE-2020-7226-1.patch
+Patch0001:           backport-CVE-2020-7226-2.patch
+Patch0002:           backport-CVE-2020-7226-3.patch
+Patch0003:           change-version-to-Java8.patch
 BuildRequires:       maven-local mvn(org.apache.felix:maven-bundle-plugin)
 BuildRequires:       mvn(org.apache.maven.plugins:maven-assembly-plugin)
 BuildRequires:       mvn(org.apache.maven.plugins:maven-release-plugin)
@@ -27,7 +31,7 @@ Obsoletes:           %{name}-javadoc < %{version}-%{release}
 This package contains man pages and other related documents for %{name}.
 
 %prep
-%setup -q -n %{name}-%{version}
+%autosetup -n %{name}-%{version} -p1
 %pom_remove_plugin :maven-source-plugin
 %pom_xpath_remove "pom:plugin[pom:artifactId = 'maven-javadoc-plugin']/pom:executions"
 %pom_remove_plugin :maven-checkstyle-plugin
@@ -47,5 +51,8 @@ This package contains man pages and other related documents for %{name}.
 %license LICENSE LICENSE-apache2 LICENSE-lgpl NOTICE
 
 %changelog
+* Thu Feb 25 2021 zhanghua <zhanghua40@huawei.com> - 1.1.0-2
+- fix CVE-2020-7226 and fix build error by using Java8
+
 * Fri Aug 14 2020 leiju <leiju4@huawei.com> - 1.1.0-1
 - Package init