patches/README - platform/external/bouncycastle - Git at Google

 android.patch:

 patch against Bouncy Castle:

 The main differences involve removing algorithms not included in the
 reference implementation (RI).  The libcore
 java.security.StandardNames test support class provides the most
 up-do-date documentation of differences between the RI's list of
 supported algorithms and Android's. Some notable omissions versus the
 RI:
 - LDAP
 - MD2
 - RC2

 Other performance (both speed and memory) changes:
 - singleton DERNull (BouncyCastle now does this but we make constructor private to be sure)
 - similarly made DERBoolean constructor private and moved to DERBoolean.{getInstance,TRUE,FALSE}
 - DERPrintableString interns its internal String values
 - DERObjectIdentifier interns its internal String indentifer value
 - changed uses of 'new Integer' to 'Integer.valueOf'
 - Added X509NameElementList to reduce small Vector allocation for X509Name key/value operations
 - Replaced X509Extensions hash/vector with new OrderedTable instance to cut down on memory allocation
 - PKCS12BagAttributeCarrier also uses OrderedTable to cut down on memory allocation
 - X509CertificateObject.getEncoded caches its result
 - Added IndexedPKIXParameters for faster cert lookup in CertPathValidatorUtilities.findTrustAnchor
 - CertPathValidatorUtilities.findTrustAnchor fast path compares encoded certs similar to PKIXCertPathValidatorSpi
 - Added ASN1Collection for use as new parent for ASN1Collection and ASN1Set to reduce small Vector allocation
 - removed references to SecretKeyFactory.PBE/PKCS5 SecretKeyFactory.PBE/PKCS12
 - OpenSSLDigest uses NativeCrypto JNI API
 - KeyStoreSpis made more tolerant of non-existant and null aliases
 - PKCS12 KeyStore.getCreationDate tries to mimic RI behavior on null and missing aliases
 - Make PKCS12 KeyStore throw error when setting non-PrivateKey, instead of on get
 - Make PKCS12 KeyStore tolerate setting with an empty certificate chain
 - Added wrapper for SecretKeyFactory.PBKDF2WithHmacSHA1

 Other security changes:
 - blacklist fraudulent Comodo certificates in PKIXCertPathValidatorSpi
 - blacklist compromised DigiNotar Root CA by public key to block cross-signed intermediates
	android.patch:

	patch against Bouncy Castle:

	The main differences involve removing algorithms not included in the
	reference implementation (RI). The libcore
	java.security.StandardNames test support class provides the most
	up-do-date documentation of differences between the RI's list of
	supported algorithms and Android's. Some notable omissions versus the
	RI:
	- LDAP
	- MD2
	- RC2

	Other performance (both speed and memory) changes:
	- singleton DERNull (BouncyCastle now does this but we make constructor private to be sure)
	- similarly made DERBoolean constructor private and moved to DERBoolean.{getInstance,TRUE,FALSE}
	- DERPrintableString interns its internal String values
	- DERObjectIdentifier interns its internal String indentifer value
	- changed uses of 'new Integer' to 'Integer.valueOf'
	- Added X509NameElementList to reduce small Vector allocation for X509Name key/value operations
	- Replaced X509Extensions hash/vector with new OrderedTable instance to cut down on memory allocation
	- PKCS12BagAttributeCarrier also uses OrderedTable to cut down on memory allocation
	- X509CertificateObject.getEncoded caches its result
	- Added IndexedPKIXParameters for faster cert lookup in CertPathValidatorUtilities.findTrustAnchor
	- CertPathValidatorUtilities.findTrustAnchor fast path compares encoded certs similar to PKIXCertPathValidatorSpi
	- Added ASN1Collection for use as new parent for ASN1Collection and ASN1Set to reduce small Vector allocation
	- removed references to SecretKeyFactory.PBE/PKCS5 SecretKeyFactory.PBE/PKCS12
	- OpenSSLDigest uses NativeCrypto JNI API
	- KeyStoreSpis made more tolerant of non-existant and null aliases
	- PKCS12 KeyStore.getCreationDate tries to mimic RI behavior on null and missing aliases
	- Make PKCS12 KeyStore throw error when setting non-PrivateKey, instead of on get
	- Make PKCS12 KeyStore tolerate setting with an empty certificate chain
	- Added wrapper for SecretKeyFactory.PBKDF2WithHmacSHA1

	Other security changes:
	- blacklist fraudulent Comodo certificates in PKIXCertPathValidatorSpi
	- blacklist compromised DigiNotar Root CA by public key to block cross-signed intermediates