
Consider replacing the `net.i2p.crypto:eddsa` with a maintained alternative.

Open tomekl007 opened this issue 1 year ago • 2 comments

Proposed change

The net.i2p.crypto:eddsa library used in jnats has not been updated for five years. Maybe the library will need to be switched to a different one or replaced with custom code?

Use case

The dependent library is old and not maintained.

Contribution

No response

tomekl007 avatar Sep 04 '24 13:09 tomekl007

Are there any security issues with it? Are you aware of a suitable replacement?

scottf avatar Sep 09 '24 13:09 scottf

Isn't bouncycastle a well-maintained security library for Java with support for EdDSA? Support within the JDK was added in Java 15 (and not backported to Java 11).

laurentgo avatar Sep 25 '24 18:09 laurentgo

A security problem was reported on Mar 13, 2025. Would you please fix the security problem? https://nvd.nist.gov/vuln/detail/CVE-2020-36843

The implementation of EdDSA in EdDSA-Java (aka ed25519-java) through 0.3.0 exhibits signature malleability and does not satisfy the SUF-CMA (Strong Existential Unforgeability under Chosen Message Attacks) property. This allows attackers to create new valid signatures different from previous signatures for a known message.

yuanyangwu avatar Mar 14 '25 02:03 yuanyangwu
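The malleability described in the CVE text above, seen from the verifier's side, as an added example (not code from nats.java or EdDSA-Java). It assumes the non-canonical-S form of malleability that RFC 8032 section 5.1.7 guards against, which the page does not spell out, and uses the JDK 15+ Ed25519 provider mentioned earlier in the thread; the class and method names are hypothetical.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;

public class StrictEd25519 {
    // Order of the Ed25519 base point (RFC 8032, section 5.1).
    static final BigInteger L = BigInteger.TWO.pow(252)
            .add(new BigInteger("27742317777372353535851937790883648493"));

    // A signature is R (32 bytes) || S (32 bytes, little-endian). Require 0 <= S < L.
    static boolean hasCanonicalS(byte[] sig) {
        if (sig == null || sig.length != 64) return false;
        byte[] be = new byte[32];
        for (int i = 0; i < 32; i++) be[i] = sig[63 - i];   // little-endian -> big-endian
        return new BigInteger(1, be).compareTo(L) < 0;
    }

    // Range check first, then the JDK's own Ed25519 verification.
    static boolean verifyStrict(PublicKey key, byte[] msg, byte[] sig)
            throws GeneralSecurityException {
        if (!hasCanonicalS(sig)) return false;
        Signature v = Signature.getInstance("Ed25519");
        v.initVerify(key);
        v.update(msg);
        return v.verify(sig);
    }

    // Constructed test input: all-zero R with the given scalar encoded as S.
    static byte[] sigWithS(BigInteger s) {
        byte[] sig = new byte[64];
        byte[] be = s.toByteArray();
        for (int i = 0; i < be.length && i < 32; i++) sig[32 + i] = be[be.length - 1 - i];
        return sig;
    }

    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("Ed25519");
        s.initSign(kp.getPrivate());
        s.update(msg);
        byte[] sig = s.sign();

        System.out.println("honest signature accepted: " + verifyStrict(kp.getPublic(), msg, sig));
        System.out.println("S = L-1 in range: " + hasCanonicalS(sigWithS(L.subtract(BigInteger.ONE))));
        System.out.println("S = L in range:   " + hasCanonicalS(sigWithS(L)));
        System.out.println("63-byte input:    " + hasCanonicalS(Arrays.copyOf(sig, 63)));
    }
}
```

A range check like this matters most where signature bytes are used as an identifier or deduplication key, since that is where a second valid encoding for the same message causes trouble.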

Fixed in https://github.com/nats-io/nats.java/pull/1290. Will be released soon.

scottf avatar Mar 15 '25 13:03 scottf