bouncy-castle-java

Problem

Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures are made using digital certificates, which can either be purchased from certificate authorities or be self-issued. Certificates consist of various object fields, some of which describe the allowed certificate uses. Digital certificates can only be used for code signing if that property is found in its list of extended key usage policies. It is possible to mistakenly use an SSL certificate as a code signing certificate during software publishing.

Problem

Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures are made using digital certificates, which can either be purchased from certificate authorities or be self-issued. Certificates have a validity period during which they can be used to create signatures. For application signatures, or digital code signing, it is recommended to countersign the signatures for time-stamping. Countersigned software components have their signature period validity extended past the signing certificate expiration date. Such signatures are considered valid indefinitely. We detected that the digital signature was not countersigned for time-stamping, and that the signing certificate has expired. Failing to countersign software components may result in application errors and availability outages.

Problem

Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures are made using digital certificates, which can either be purchased from certificate authorities or be self-issued. When purchased from a certificate authority, a certificate must conform to industry standards and best practices. One such requirement is that a certificate authority must be able revoke a certificate if its misuse was reported and independently confirmed. Software users rely on the certificate revocation process to defend from malicious actors that might be controlling a certificate issued to a trusted publisher. Operating systems periodically refresh local copies of certificate revocation lists. If the signature does not include a hyperlink to the certificate revocation server, its status cannot be checked. While a commercial certificate authority is unlikely to omit this information, some policy deviations can occur in practice.

Problem

Software composition analysis has identified a component with one or more known vulnerabilities. Based on the CVSS scoring, these vulnerabilities have been marked as high severity.

Problem

Digital signatures are applied to applications, packages and documents as a cryptographically secured authenticity record. Signatures verify the origin and the integrity of the object they apply to. For application signatures, or digital code signing, it is recommended to countersign the signatures for time-stamping. Countersigned software components have their signature period validity extended past the signing certificate expiration date. Such signatures are considered valid indefinitely. Failing to countersign software components may result in application errors and availability outages.