patches/README - platform/external/bouncycastle - Git at Google

 bcprov.patch:

 patch against Bouncy Castle's bcprov:

 The main differences involve removing algorithms not included in the
 reference implementation (RI).  The libcore
 java.security.StandardNames test support class provides the most
 up-do-date documentation of differences between the RI's list of
 supported algorithms and Android's. Some notable omissions versus the
 RI:
 - LDAP
 - MD2
 - RC2

 Other performance (both speed and memory) and correctness changes:
 - singleton DERNull (BouncyCastle now does this but we make constructor private to be sure)
 - similarly made DERBoolean constructor private and moved to DERBoolean.{getInstance,TRUE,FALSE}
 - removed use of Boolean constructor
 - DERObjectIdentifier interns its internal String indentifer value
 - changed uses of 'new Integer' to 'Integer.valueOf'
 - X509CertificateObject.getEncoded caches its result
 - removed references to SecretKeyFactory.PBE/PKCS5 SecretKeyFactory.PBE/PKCS12
 - OpenSSLDigest uses NativeCrypto JNI API
 - KeyStoreSpis made more tolerant of non-existant and null aliases
 - PKCS12 KeyStore.getCreationDate tries to mimic RI behavior on null and missing aliases
 - Make PKCS12 KeyStore throw error when setting non-PrivateKey, instead of on get
 - Make PKCS12 KeyStore tolerate setting with an empty certificate chain
 - Fixed cut & paste instanceof error in EncryptedPrivateKeyInfo
 - Make BouncyCastleProvider.PROVIDER_NAME final
 - Added wrapper for SecretKeyFactory.PBKDF2WithHmacSHA1
 - Fixed BaseKeyFactorySpi to convert all Exceptions to InvalidKeySpecException for KeyRepTest
 - Added support for getSubjectAlternativeNames and getIssuerAlternativeNames to the JCE interface
 - Changed subjectAlternativeNames to match X509Certificate documentation's specified output
 - T61String are decoded as UTF-8 to match RI

 Other security changes:
 - Blacklist fraudulent Comodo certificates in PKIXCertPathValidatorSpi
 - Blacklist compromised DigiNotar Root CA by public key to block cross-signed intermediates

 Other changes:
 - Log entry and exit to DHParametersHelper.generateSafePrimes which has long, unpredictable runtime


 bcpkix.patch:

 patch against Bouncy Castle's bcpkix:

 The main differences involve:
 - removing algorithms not in our bcprov (MD2, MD4, SHA224, RIPEMD, GOST)
 - using the singleton DERNull.INSTANCE
	bcprov.patch:

	patch against Bouncy Castle's bcprov:

	The main differences involve removing algorithms not included in the
	reference implementation (RI). The libcore
	java.security.StandardNames test support class provides the most
	up-do-date documentation of differences between the RI's list of
	supported algorithms and Android's. Some notable omissions versus the
	RI:
	- LDAP
	- MD2
	- RC2

	Other performance (both speed and memory) and correctness changes:
	- singleton DERNull (BouncyCastle now does this but we make constructor private to be sure)
	- similarly made DERBoolean constructor private and moved to DERBoolean.{getInstance,TRUE,FALSE}
	- removed use of Boolean constructor
	- DERObjectIdentifier interns its internal String indentifer value
	- changed uses of 'new Integer' to 'Integer.valueOf'
	- X509CertificateObject.getEncoded caches its result
	- removed references to SecretKeyFactory.PBE/PKCS5 SecretKeyFactory.PBE/PKCS12
	- OpenSSLDigest uses NativeCrypto JNI API
	- KeyStoreSpis made more tolerant of non-existant and null aliases
	- PKCS12 KeyStore.getCreationDate tries to mimic RI behavior on null and missing aliases
	- Make PKCS12 KeyStore throw error when setting non-PrivateKey, instead of on get
	- Make PKCS12 KeyStore tolerate setting with an empty certificate chain
	- Fixed cut & paste instanceof error in EncryptedPrivateKeyInfo
	- Make BouncyCastleProvider.PROVIDER_NAME final
	- Added wrapper for SecretKeyFactory.PBKDF2WithHmacSHA1
	- Fixed BaseKeyFactorySpi to convert all Exceptions to InvalidKeySpecException for KeyRepTest
	- Added support for getSubjectAlternativeNames and getIssuerAlternativeNames to the JCE interface
	- Changed subjectAlternativeNames to match X509Certificate documentation's specified output
	- T61String are decoded as UTF-8 to match RI

	Other security changes:
	- Blacklist fraudulent Comodo certificates in PKIXCertPathValidatorSpi
	- Blacklist compromised DigiNotar Root CA by public key to block cross-signed intermediates

	Other changes:
	- Log entry and exit to DHParametersHelper.generateSafePrimes which has long, unpredictable runtime


	bcpkix.patch:

	patch against Bouncy Castle's bcpkix:

	The main differences involve:
	- removing algorithms not in our bcprov (MD2, MD4, SHA224, RIPEMD, GOST)
	- using the singleton DERNull.INSTANCE