
Tuweni project appears to be unmaintained, switch to other options? #177

Open · ghsa-retrieval opened this issue Oct 14, 2024 · 8 comments

Comments

ghsa-retrieval commented Oct 14, 2024

Is your feature request related to a problem? Please describe.
The Tuweni project appears to be abandoned, with the Apache Incubator repository being archived. A fork by the original author exists, but besides one version it has also not seen any updates. Without maintenance of the library this could lead to bugs and vulnerabilities not getting addressed.

Describe the solution you'd like
Perhaps switching to BouncyCastle or other libraries might be an option.

Describe alternatives you've considered
None

Additional context

Thanks for submitting your first issue, we will have a look as quickly as possible.

nbaars (Owner) commented Oct 26, 2024

@ghsa-retrieval Correct, we need to move away from Tuweni. Do you have interest in picking this up?

robertguetzkow commented

@nbaars I would be interested in this. Replacing the library could be challenging though, as we need to ensure that it remains fully compatible with how libsodium works.

nbaars (Owner) commented Nov 4, 2024

@robertguetzkow Would be great if you can pick this up! Let me know if you need any help.

robertguetzkow commented Nov 4, 2024

@nbaars I'll give it a try. What would be your preferred approach, should we use a specific provider (like Bouncy Castle) or just implement generically against JCA? The decision may have impact on the minimum required Java version to support all cryptographic algorithms.

nbaars (Owner) commented Nov 6, 2024

Using a specific provider is fine. Bouncy Castle is already used in the project.

robertguetzkow commented

Will do. Currently quite busy at work though, so it might take a bit until I can implement it.

robertguetzkow commented

I'm starting to map out what changes are needed and in particular how libsodium and Bouncy Castle implement their Ed25519. I need to check whether or not we can ensure that the validation rejects the same inputs, e.g. libsodium performs small-order checks.
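The small-order check mentioned above, as an added reference example in plain Python (not code from this issue, Tuweni, libsodium or Bouncy Castle): it decodes an Ed25519 public-key encoding per RFC 8032 and reports whether the point lies in the 8-element torsion subgroup, i.e. whether 8P is the identity. The `encode_y` helper and `BASE_POINT` constant are constructed test inputs.

```python
# Added example, independent of the libraries discussed: a reference
# Ed25519 small-order check. A point P has small order iff 8*P is the
# identity (0, 1). Affine twisted-Edwards arithmetic, no dependencies.
P_MOD = 2**255 - 19
D = (-121665 * pow(121666, -1, P_MOD)) % P_MOD
SQRT_M1 = pow(2, (P_MOD - 1) // 4, P_MOD)  # sqrt(-1) mod p

def add(a, b):
    """Twisted Edwards addition; complete for Ed25519, so no zero divisor."""
    x1, y1 = a
    x2, y2 = b
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow((1 + t) % P_MOD, -1, P_MOD)
    y3 = (y1 * y2 + x1 * x2) * pow((1 - t) % P_MOD, -1, P_MOD)
    return (x3 % P_MOD, y3 % P_MOD)

def decode_point(pk):
    """RFC 8032 point decoding; raises ValueError on malformed input."""
    if len(pk) != 32:
        raise ValueError("bad length")
    y = int.from_bytes(pk, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    if y >= P_MOD:
        raise ValueError("non-canonical y")
    x2 = (y * y - 1) * pow((D * y * y + 1) % P_MOD, -1, P_MOD) % P_MOD
    x = pow(x2, (P_MOD + 3) // 8, P_MOD)
    if (x * x - x2) % P_MOD:
        x = x * SQRT_M1 % P_MOD          # second candidate root
    if (x * x - x2) % P_MOD:
        raise ValueError("not on curve")
    if x == 0 and sign:
        raise ValueError("invalid sign bit for x = 0")
    if (x & 1) != sign:
        x = P_MOD - x
    return (x, y)

def is_small_order(pk):
    """True if the encoded point is in the torsion subgroup (8*P == identity)."""
    point = decode_point(pk)
    for _ in range(3):                   # 8*P via three doublings
        point = add(point, point)
    return point == (0, 1)

def encode_y(y, sign=0):
    """Constructed test helper: encode a y coordinate plus sign bit."""
    return (y | (sign << 255)).to_bytes(32, "little")

BASE_POINT = encode_y(4 * pow(5, -1, P_MOD) % P_MOD)   # standard Ed25519 B
```

A verifier that accepts such keys without this check will behave differently from libsodium on the same inputs, which is the compatibility gap the comment is about.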

3 participants