Upgrade trilead-ssh2 version to 217.293

Author: BinduSri-6522866

LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md

@@ -2585,6 +2585,7 @@
                 "cpulimit",
                 "cri-o",
                 "ecj",
+                "ed25519-java",
                 "fillup",
                 "flux",
                 "gd",
@@ -2607,6 +2608,7 @@
                 "javacc",
                 "javacc-bootstrap",
                 "javassist",
+                "jbcrypt",
                 "jboss-interceptors-1.2-api",
                 "jdepend",
                 "jflex",

LICENSES-AND-NOTICES/SPECS/data/licenses.json

@@ -0,0 +1,37 @@
+From c5629faa3e1880cc71da506263f224bc818fe827 Mon Sep 17 00:00:00 2001
+From: Jack Grigg <thestr4d@gmail.com>
+Date: Sun, 27 Jan 2019 23:27:00 +0000
+Subject: [PATCH 1/2] EdDSAEngine.initVerify(): Handle any non-EdDSAPublicKey
+ X.509-encoded pubkey
+
+sun.security.x509.X509Key is a JDK-internal API, and should not be used
+directly. Instead of looking for an instance of that class, we check the
+primary encoding format of the PublicKey, and proceed if it is "X.509".
+---
+ src/net/i2p/crypto/eddsa/EdDSAEngine.java | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/net/i2p/crypto/eddsa/EdDSAEngine.java b/src/net/i2p/crypto/eddsa/EdDSAEngine.java
+index 1f0ba6d..6b25410 100644
+--- a/src/net/i2p/crypto/eddsa/EdDSAEngine.java
++++ b/src/net/i2p/crypto/eddsa/EdDSAEngine.java
+@@ -29,7 +29,6 @@ import java.util.Arrays;
+ import net.i2p.crypto.eddsa.math.Curve;
+ import net.i2p.crypto.eddsa.math.GroupElement;
+ import net.i2p.crypto.eddsa.math.ScalarOps;
+-import sun.security.x509.X509Key;
+ 
+ /**
+  * Signing and verification for EdDSA.
+@@ -157,7 +156,7 @@ public final class EdDSAEngine extends Signature {
+                 }
+             } else if (!key.getParams().getHashAlgorithm().equals(digest.getAlgorithm()))
+                 throw new InvalidKeyException("Key hash algorithm does not match chosen digest");
+-        } else if (publicKey instanceof X509Key) {
++        } else if (publicKey.getFormat().equals("X.509")) {
+             // X509Certificate will sometimes contain an X509Key rather than the EdDSAPublicKey itself; the contained
+             // key is valid but needs to be instanced as an EdDSAPublicKey before it can be used.
+             EdDSAPublicKey parsedPublicKey;
+-- 
+2.33.1
+

SPECS-EXTENDED/ed25519-java/0001-EdDSAEngine.initVerify-Handle-any-non-EdDSAPublicKey.patch

@@ -0,0 +1,46 @@
+From 1ea7fb5ed949d8a458fda40b186868b7cffbb271 Mon Sep 17 00:00:00 2001
+From: Mat Booth <mat.booth@gmail.com>
+Date: Wed, 1 Dec 2021 09:35:10 +0000
+Subject: [PATCH 2/2] Disable test that relies on internal sun JDK classes
+
+---
+ test/net/i2p/crypto/eddsa/EdDSAEngineTest.java | 18 ------------------
+ 1 file changed, 18 deletions(-)
+
+diff --git a/test/net/i2p/crypto/eddsa/EdDSAEngineTest.java b/test/net/i2p/crypto/eddsa/EdDSAEngineTest.java
+index 2ed793b..adc46fd 100644
+--- a/test/net/i2p/crypto/eddsa/EdDSAEngineTest.java
++++ b/test/net/i2p/crypto/eddsa/EdDSAEngineTest.java
+@@ -31,8 +31,6 @@ import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
+ import org.junit.Rule;
+ import org.junit.Test;
+ import org.junit.rules.ExpectedException;
+-import sun.security.util.DerValue;
+-import sun.security.x509.X509Key;
+ 
+ /**
+  * @author str4d
+@@ -217,20 +215,4 @@ public class EdDSAEngineTest {
+         assertThat("verifyOneShot() failed", sgr.verifyOneShot(TEST_MSG, TEST_MSG_SIG), is(true));
+     }
+ 
+-    @Test
+-    public void testVerifyX509PublicKeyInfo() throws Exception {
+-        EdDSAParameterSpec spec = EdDSANamedCurveTable.getByName("Ed25519");
+-        Signature sgr = new EdDSAEngine(MessageDigest.getInstance(spec.getHashAlgorithm()));
+-        for (Ed25519TestVectors.TestTuple testCase : Ed25519TestVectors.testCases) {
+-            EdDSAPublicKeySpec pubKey = new EdDSAPublicKeySpec(testCase.pk, spec);
+-            PublicKey vKey = new EdDSAPublicKey(pubKey);
+-            PublicKey x509Key = X509Key.parse(new DerValue(vKey.getEncoded()));
+-            sgr.initVerify(x509Key);
+-
+-            sgr.update(testCase.message);
+-
+-            assertThat("Test case " + testCase.caseNum + " failed",
+-                    sgr.verify(testCase.sig), is(true));
+-        }
+-    }
+ }
+-- 
+2.33.1
+

SPECS-EXTENDED/ed25519-java/0002-Disable-test-that-relies-on-internal-sun-JDK-classes.patch

@@ -0,0 +1,39 @@
+--- ed25519-java-0.3.0/src/net/i2p/crypto/eddsa/EdDSAEngine.java	2025-03-14 14:47:43.404137953 +0100
++++ ed25519-java-0.3.0/src/net/i2p/crypto/eddsa/EdDSAEngine.java	2025-03-14 14:50:31.859888550 +0100
+@@ -12,6 +12,7 @@
+ package net.i2p.crypto.eddsa;
+ 
+ import java.io.ByteArrayOutputStream;
++import java.math.BigInteger;
+ import java.nio.ByteBuffer;
+ import java.security.InvalidAlgorithmParameterException;
+ import java.security.InvalidKeyException;
+@@ -29,6 +30,7 @@
+ import net.i2p.crypto.eddsa.math.Curve;
+ import net.i2p.crypto.eddsa.math.GroupElement;
+ import net.i2p.crypto.eddsa.math.ScalarOps;
++import net.i2p.crypto.eddsa.math.bigint.BigIntegerLittleEndianEncoding;
+ 
+ /**
+  * Signing and verification for EdDSA.
+@@ -69,6 +71,8 @@
+ public final class EdDSAEngine extends Signature {
+     public static final String SIGNATURE_ALGORITHM = "NONEwithEdDSA";
+ 
++    private static final BigInteger ORDER = new BigInteger("2").pow(252).add(new BigInteger("27742317777372353535851937790883648493"));
++
+     private MessageDigest digest;
+     private ByteArrayOutputStream baos;
+     private EdDSAKey key;
+@@ -306,6 +310,11 @@
+         h = key.getParams().getScalarOps().reduce(h);
+ 
+         byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
++        // RFC 8032
++        BigInteger Sbigint = (new BigIntegerLittleEndianEncoding()).toBigInteger(Sbyte);
++        if (Sbigint.compareTo(ORDER) >= 0)
++            return false;
++ 
+         // R = SB - H(Rbar,Abar,M)A
+         GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
+                 ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);

SPECS-EXTENDED/ed25519-java/ed25519-java-CVE-2020-36843.patch

@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<project name="eddsa" default="package" basedir=".">
+
+  <!-- ====================================================================== -->
+  <!-- Build environment properties                                           -->
+  <!-- ====================================================================== -->
+
+  <property name="compiler.release" value="8"/>
+  <property name="compiler.source" value="1.${compiler.release}"/>
+  <property name="compiler.target" value="${compiler.source}"/>
+
+  <property name="project.groupId" value="net.i2p.crypto"/>
+  <property name="project.artifactId" value="eddsa"/>
+  <property name="project.version" value="0.3.0"/>
+
+  <property name="build.finalName" value="${project.artifactId}-${project.version}"/>
+  <property name="build.dir" value="target"/>
+  <property name="build.outputDir" value="${build.dir}/classes"/>
+  <property name="build.srcDir" value="src"/>
+
+  <property name="reporting.outputDirectory" value="${build.dir}/site"/>
+
+  <!-- ====================================================================== -->
+  <!-- Cleaning up target                                                     -->
+  <!-- ====================================================================== -->
+
+  <target name="clean" description="Clean the output directory">
+    <delete dir="${build.dir}"/>
+  </target>
+
+  <!-- ====================================================================== -->
+  <!-- Compilation target                                                     -->
+  <!-- ====================================================================== -->
+
+  <target name="compile" description="Compile the code">
+    <mkdir dir="${build.outputDir}"/>
+    <javac destdir="${build.outputDir}" 
+           encoding="UTF-8" 
+           nowarn="false" 
+           debug="true" 
+           optimize="false" 
+           deprecation="true" 
+           release="${compiler.release}"
+           target="${compiler.target}"
+           verbose="false"
+           fork="false"
+           source="${compiler.source}">
+      <src>
+        <pathelement location="${build.srcDir}"/>
+      </src>
+    </javac>
+  </target>
+
+  <!-- ====================================================================== -->
+  <!-- Javadoc target                                                         -->
+  <!-- ====================================================================== -->
+
+  <target name="javadoc" description="Generates the Javadoc of the application">
+    <javadoc sourcepath="${build.srcDir}" 
+             packagenames="*" 
+             destdir="${reporting.outputDirectory}/apidocs" 
+             access="protected" 
+             encoding="UTF-8" 
+             source="${compiler.source}"
+             verbose="false" 
+             version="true" 
+             use="true" 
+             author="true" 
+             splitindex="false" 
+             nodeprecated="false" 
+             nodeprecatedlist="false" 
+             notree="false" 
+             noindex="false" 
+             nohelp="false" 
+             nonavbar="false" 
+             serialwarn="false" 
+             linksource="false" 
+             breakiterator="false"/>
+  </target>
+
+  <!-- ====================================================================== -->
+  <!-- Package target                                                         -->
+  <!-- ====================================================================== -->
+
+  <target name="package" depends="compile" description="Package the application">
+    <jar jarfile="${build.dir}/${build.finalName}.jar" 
+         compress="true" 
+         index="false" 
+         basedir="${build.outputDir}" 
+         excludes="**/package.html">
+      <manifest>
+        <attribute name="Automatic-Module-Name" value="${project.groupId}.${project.artifactId}"/>
+        <attribute name="Bundle-Description" value="Implementation of EdDSA in Java"/>
+        <attribute name="Bundle-License" value="https://creativecommons.org/publicdomain/zero/1.0/"/>
+        <attribute name="Bundle-ManifestVersion" value="2"/>
+        <attribute name="Bundle-Name" value="EdDSA-Java"/>
+        <attribute name="Bundle-SymbolicName" value="${project.groupId}.${project.artifactId}"/>
+        <attribute name="Bundle-Version" value="${project.version}"/>
+        <attribute name="Export-Package" value="net.i2p.crypto.eddsa.spec;version=&quot;${project.version}&quot;,net.i2p.crypto.eddsa;uses:=&quot;net.i2p.crypto.eddsa.spec&quot;;version=&quot;${project.version}&quot;"/>
+        <attribute name="Import-Package" value="sun.security.x509;resolution:=optional"/>
+        <attribute name="JavaPackages-ArtifactId" value="${project.artifactId}"/>
+        <attribute name="JavaPackages-GroupId" value="${project.groupId}"/>
+        <attribute name="JavaPackages-Version" value="${project.version}"/>
+        <attribute name="Require-Capability" value="osgi.ee;filter:=&quot;(&amp;(osgi.ee=JavaSE)(version=${compiler.target}))&quot;"/>
+      </manifest>
+    </jar>
+  </target>
+
+  <!-- ====================================================================== -->
+  <!-- A dummy target for the package named after the type it creates         -->
+  <!-- ====================================================================== -->
+
+  <target name="jar" depends="package" description="Builds the jar for the application"/>
+
+</project>

SPECS-EXTENDED/ed25519-java/ed25519-java-build.xml

@@ -0,0 +1,6 @@
+{
+ "Signatures": {
+  "ed25519-java-0.3.0.tar.gz": "a89a2331afb1db0bd06ce029c731db2d24684cebf111e796b51deb6e2a20a310",
+  "ed25519-java-build.xml": "2eb416752ef86be27a06581dfb60c6c4693d530ffa7f8e12f28112b40d65fab7"
+ }
+}

SPECS-EXTENDED/ed25519-java/ed25519-java.signatures.json

@@ -0,0 +1,120 @@
+Vendor:         Microsoft Corporation
+Distribution:   Azure Linux
+#
+# spec file for package ed25519-java
+#
+# Copyright (c) 2025 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%global artifactId eddsa
+Name:           ed25519-java
+Version:        0.3.0
+Release:        1%{?dist}
+Summary:        Implementation of EdDSA (Ed25519) in Java
+License:        CC0-1.0
+URL:            https://github.com/str4d/ed25519-java
+Source0:        https://github.com/str4d/ed25519-java/archive/v%{version}/%{name}-%{version}.tar.gz
+Source1:        %{name}-build.xml
+Patch0:         0001-EdDSAEngine.initVerify-Handle-any-non-EdDSAPublicKey.patch
+Patch1:         0002-Disable-test-that-relies-on-internal-sun-JDK-classes.patch
+Patch2:         %{name}-CVE-2020-36843.patch
+BuildRequires:  ant
+BuildRequires:  fdupes
+BuildRequires:  java-devel >= 1.8
+BuildRequires:  javapackages-local-bootstrap >= 6
+BuildRequires:  javapackages-tools
+BuildArch:      noarch
+
+%description
+This is an implementation of EdDSA in Java. Structurally, it
+is based on the ref10 implementation in SUPERCOP (see
+http://ed25519.cr.yp.to/software.html).
+
+There are two internal implementations:
+
+* A port of the radix-2^51 operations in ref10
+  - fast and constant-time, but only useful for Ed25519.
+* A generic version using BigIntegers for calculation
+  - a bit slower and not constant-time, but compatible
+    with any EdDSA parameter specification.
+
+%package javadoc
+Summary:        Javadoc for %{name}
+
+%description javadoc
+This package contains javadoc for %{name}.
+
+%prep
+%setup -q
+cp %{SOURCE1} build.xml
+%patch -P 0 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1
+
+%build
+ant jar javadoc
+
+%install
+
+# jar
+install -dm 0755 %{buildroot}%{_javadir}
+install -pm 0644 target/%{artifactId}-%{version}.jar %{buildroot}%{_javadir}/%{artifactId}.jar
+ln -sf %{_javadir}/%{artifactId}.jar %{buildroot}%{_javadir}/%{name}.jar
+
+# pom
+install -dm 0755 %{buildroot}%{_mavenpomdir}
+install -pm 0644 pom.xml %{buildroot}%{_mavenpomdir}/%{artifactId}.pom
+%add_maven_depmap %{artifactId}.pom %{artifactId}.jar
+
+# javadoc
+install -dm 0755 %{buildroot}%{_javadocdir}/%{name}
+cp -r target/site/apidocs/* %{buildroot}%{_javadocdir}/%{name}/
+%fdupes -s %{buildroot}%{_javadocdir}
+
+%files -f .mfiles
+%{_javadir}/%{name}.jar
+%doc README.md
+%license LICENSE.txt
+
+%files javadoc
+%{_javadocdir}/%{name}
+%license LICENSE.txt
+
+%changelog
+* Tue Dec 16 2025 BinduSri Adabala <v-badabala@microsoft.com> - 0.3.0-1
+- Initial Azure Linux import from openSUSE Tumbleweed.
+- License verified
+
+* Fri Mar 14 2025 Fridrich Strba <fstrba@suse.com>
+- Added patch:
+  * ed25519-java-CVE-2020-36843.patch
+    + backport commit https://github.com/i2p/i2p.i2p/commit/
+    /d7d1dcb5399c61cf2916ccc45aa25b0209c88712
+    + Fixes bsc#1239551, CVE-2020-36843: no check performed on
+    scalar to avoid signature malleability
+* Wed Oct 30 2024 Fridrich Strba <fstrba@suse.com>
+- Rewrite the build using ant
+* Wed Feb 21 2024 Gus Kenion <gus.kenion@suse.com>
+- Use %%patch -P N instead of deprecated %%patchN.
+* Mon Sep 11 2023 Fridrich Strba <fstrba@suse.com>
+- Reproducible builds: use SOURCE_DATE_EPOCH for timestamp
+* Tue Mar 22 2022 Fridrich Strba <fstrba@suse.com>
+- Build with source and target levels 8
+- Added patches:
+  * 0001-EdDSAEngine.initVerify-Handle-any-non-EdDSAPublicKey.patch
+  * 0002-Disable-test-that-relies-on-internal-sun-JDK-classes.patch
+    + Remove use of internal sun JDK classes
+* Mon Jun 29 2020 Fridrich Strba <fstrba@suse.com>
+- Initial packaging of ed25519 0.3.0