From 46a1548f8321379f107ae0cede92ec98308df4e2 Mon Sep 17 00:00:00 2001
From: PJ Fanning <fanningpj@apache.org>
Date: Fri, 10 Feb 2023 20:34:01 +0000
Subject: [PATCH] upgrade bouncycastle

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1907568 13f79535-47bb-0310-9956-ffa450edef68
---
 build.gradle                                              | 2 +-
 build.xml                                                 | 8 ++++----
 osgi/README.md                                            | 4 ++--
 poi-ooxml/build.gradle                                    | 8 ++++----
 .../org/apache/poi/poifs/crypt/dsig/SignatureInfo.java    | 6 +++---
 5 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/build.gradle b/build.gradle
index b8a6e0de91..3049735011 100644
--- a/build.gradle
+++ b/build.gradle
@@ -115,7 +115,7 @@ subprojects {
     apply plugin: 'org.cyclonedx.bom'
 
     ext {
-        bouncyCastleVersion = '1.70'
+        bouncyCastleVersion = '1.72'
         commonsCodecVersion = '1.15'
         commonsCompressVersion = '1.22'
         commonsIoVersion = '2.11.0'
diff --git a/build.xml b/build.xml
index c87c8811e3..752790068a 100644
--- a/build.xml
+++ b/build.xml
@@ -296,11 +296,11 @@ under the License.
 
     <!-- xml signature libs - not part of the distribution -->
     <dependency prefix="dsig.xmlsec" artifact="org.apache.santuario:xmlsec:3.0.1" usage="ooxml-provided"/>
-    <dependency prefix="dsig.bouncycastle-prov" artifact="org.bouncycastle:bcprov-jdk15on:1.70" usage="ooxml-provided"/>
-    <dependency prefix="dsig.bouncycastle-pkix" artifact="org.bouncycastle:bcpkix-jdk15on:1.70" usage="ooxml-provided"/>
-    <dependency prefix="dsig.bouncycastle-util" artifact="org.bouncycastle:bcutil-jdk15on:1.70" usage="ooxml-provided"/>
+    <dependency prefix="dsig.bouncycastle-prov" artifact="org.bouncycastle:bcprov-jdk18on:1.72" usage="ooxml-provided"/>
+    <dependency prefix="dsig.bouncycastle-pkix" artifact="org.bouncycastle:bcpkix-jdk18on:1.72" usage="ooxml-provided"/>
+    <dependency prefix="dsig.bouncycastle-util" artifact="org.bouncycastle:bcutil-jdk18on:1.72" usage="ooxml-provided"/>
     <!-- only used for signing the release - not used with the ooxml signatures -->
-    <dependency prefix="dsig.bouncycastle-bcpg" artifact="org.bouncycastle:bcpg-jdk15on:1.70" usage="util"/>
+    <dependency prefix="dsig.bouncycastle-bcpg" artifact="org.bouncycastle:bcpg-jdk18on:1.72.2" usage="util"/>
     <dependency prefix="ooxml.test.stax2" artifact="org.codehaus.woodstox:stax2-api:4.2.1" usage="ooxml-provided"/>
 
     <!-- svg/batik/pdf libs - not part of the distribution - move batik to its own directory because of JPMS module-path issues -->
diff --git a/osgi/README.md b/osgi/README.md
index 50f9365800..1a9b7bef51 100644
--- a/osgi/README.md
+++ b/osgi/README.md
@@ -25,11 +25,11 @@ Available in Maven Central (but version might be too old): https://mvnrepository
 3. Apache XML Security for Java, Bouncy Castle and XML Commons Resolver 
 These are required to sign or validate signed Office documents. The OSGi bundles are available in Maven Central:
 
-    - Apache XML Security for Java: https://mvnrepository.com/artifact/org.apache.santuario/xmlsec/3.0.0 (use v2.3.0 with POI v5.2.2)
+    - Apache XML Security for Java: https://mvnrepository.com/artifact/org.apache.santuario/xmlsec/3.0.1 (use v2.3.0 with POI v5.2.2)
     
     - XML Commons Resolver: https://mvnrepository.com/artifact/xml-resolver/xml-resolver/1.2-osgi
     
-    - Bouncy Castle: https://mvnrepository.com/artifact/org.bouncycastle/bcprov-ext-jdk15on/1.70, https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk15on/1.70
+    - Bouncy Castle: https://mvnrepository.com/artifact/org.bouncycastle/bcprov-ext-jdk18on/1.72, https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-jdk18on/1.72
 4. PDFBox and PDFBox Graphics2D  
 Required to render to PDF documents.
 The required jars can be downloaded from:
diff --git a/poi-ooxml/build.gradle b/poi-ooxml/build.gradle
index 75808796ef..d03752bdb8 100644
--- a/poi-ooxml/build.gradle
+++ b/poi-ooxml/build.gradle
@@ -67,12 +67,12 @@ dependencies {
     api 'org.apache.commons:commons-collections4:4.4'
 
     signingImplementation 'org.apache.santuario:xmlsec:3.0.1'
-    signingImplementation "org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}"
-    signingImplementation "org.bouncycastle:bcutil-jdk15on:${bouncyCastleVersion}"
+    signingImplementation "org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}"
+    signingImplementation "org.bouncycastle:bcutil-jdk18on:${bouncyCastleVersion}"
 
     rendersignImplementation 'org.apache.santuario:xmlsec:3.0.1'
-    rendersignImplementation "org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}"
-    rendersignImplementation "org.bouncycastle:bcutil-jdk15on:${bouncyCastleVersion}"
+    rendersignImplementation "org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}"
+    rendersignImplementation "org.bouncycastle:bcutil-jdk18on:${bouncyCastleVersion}"
 
     renderImplementation "org.apache.pdfbox:pdfbox:${pdfboxVersion}"
     renderImplementation "de.rototor.pdfbox:graphics2d:${graphics2dVersion}"
diff --git a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java
index 3c300d7e8d..782f72b4f3 100644
--- a/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java
+++ b/poi-ooxml/src/main/java/org/apache/poi/poifs/crypt/dsig/SignatureInfo.java
@@ -153,9 +153,9 @@ import org.w3c.dom.events.MutationEvent;
  * <p>To use SignatureInfo and its sibling classes, you'll need to have the following libs
  * in the classpath:</p>
  * <ul>
- * <li>BouncyCastle bcpkix and bcprov (tested against 1.70)</li>
- * <li>Apache Santuario "xmlsec" (tested against 2.3.0)</li>
- * <li>and log4j-api (tested against 2.17.x)</li>
+ * <li>BouncyCastle bcpkix and bcprov (tested against 1.72)</li>
+ * <li>Apache Santuario "xmlsec" (tested against 3.0.1)</li>
+ * <li>and log4j-api (tested against 2.19.x)</li>
  * </ul>
  */
 public class SignatureInfo {