Bump bc-version from 1.76 to 1.77 #703

Merged
merged 1 commit into from
Nov 15, 2023

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Nov 15, 2023

Bumps bc-version from 1.76 to 1.77.
Updates org.bouncycastle:bcpkix-jdk18on from 1.76 to 1.77

Changelog

Sourced from org.bouncycastle:bcpkix-jdk18on's changelog.

2.1.1 Version
Release: 1.77
Date: 2023, November 13th

... (truncated)

Commits

Updates org.bouncycastle:bcprov-jdk18on from 1.76 to 1.77

Changelog

Sourced from org.bouncycastle:bcprov-jdk18on's changelog.

2.1.1 Version
Release: 1.77
Date: 2023, November 13th

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps `bc-version` from 1.76 to 1.77.

Updates `org.bouncycastle:bcpkix-jdk18on` from 1.76 to 1.77
- [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html)
- [Commits](https://github.com/bcgit/bc-java/commits)

Updates `org.bouncycastle:bcprov-jdk18on` from 1.76 to 1.77
- [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html)
- [Commits](https://github.com/bcgit/bc-java/commits)

---
updated-dependencies:
- dependency-name: org.bouncycastle:bcpkix-jdk18on
  dependency-type: direct:development
  update-type: version-update:semver-minor
- dependency-name: org.bouncycastle:bcprov-jdk18on
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies java Pull requests that update Java code labels Nov 15, 2023
Contributor

@MarkEWaite MarkEWaite left a comment


The list of recent commits looks very promising. The release notes need more review by others more expert in crypto than I am. I found them confusing because they use numbered headings when most other release notes use unnumbered headings. I've inserted a copy of the release notes here without the numbered headings for reference.

Bugs fixed:

  • Using an unescaped '=' in an X.500 RDN would result in the RDN being truncated silently. The issue is now detected and an exception is thrown.
  • asn1.eac.CertificateBody was returning certificateEffectiveDate from getCertificateExpirationDate(). This has been fixed to return certificateExpirationDate.
  • DTLS: Fixed retransmission in response to re-receipt of an aggregated ChangeCipherSpec.
  • (D)TLS: Fixed compliance for supported_groups extension. Server will no longer negotiate an EC cipher suite using a default curve when the ClientHello includes the supported_groups extension but it contains no curves in common with the server. Similarly, a DH cipher suite will not be negotiated when the ClientHello includes supported_groups, containing at least one FFDHE group, but none in common with the server.
  • IllegalStateException was being thrown by the Ed25519/Ed448 SignatureSpi. This has been fixed.
  • TLS: class annotation issues that could occur between the BC provider and the TLS API for the GCMParameterSpec class when the jars were loaded on the boot class path have been addressed.
  • Attempt to create an ASN.1 OID from a zero length byte array is now caught at construction time.
  • Attempt to create an X.509 extension block which is empty will now be blocked and cause an exception.
  • IES implementation will now accept a null ParameterSpec if no nonce is needed.
  • An internal method in Arrays was failing to construct its failure message correctly on an error. This has been fixed.
  • HSSKeyPublicParameters.generateLMSContext() would fail for a unit depth key. This has been fixed.

Additional features and functionality

  • BCJSSE: Added org.bouncycastle.jsse.client.omitSigAlgsCertExtension and org.bouncycastle.jsse.server.omitSigAlgsCertExtension boolean system properties to control (for client and server resp.) whether the signature_algorithms_cert extension should be omitted if it would be identical to signature_algorithms. Defaults to true, the historical behaviour.
  • The low-level HPKE API now allows the sender to specify an ephemeral key pair.
  • Support has been added for the delta-certificate requests in line with the current Chameleon Cert draft from the IETF.
  • Some accommodation has been added for historical systems to accommodate variations in the SHA-1 digest OID for CMS SignedData.
  • TLS: the TLS API will now try "RSAwithDigestAndMFG1" as well as the newer RSAPSS algorithm names when used with the JCA.
  • TLS: RSA key exchange cipher suites are now disabled by default.
  • Support has been added for PKCS#10 requests to allow certificates using the altSignature/altPublicKey extensions.

Notes

  • Kyber and Dilithium have been updated according to the latest draft of the standard. Dilithium-AES and Kyber-AES have now been removed. Kyber now produces 256 bit secrets for all parameter sets (in line with the draft standard).
  • NTRU has been updated to produce 256 bit secrets in line with Kyber.
  • SPHINCS+ can now be used to generate certificates in line with those used by (Open Quantum Safe) OQS.
  • Falcon object identifiers are now in line with OQS as well.
  • PQC CMS SignedData now defaults to SHA-256 for signed attributes rather than SHAKE-256. This is also a compatibility change, but may change further again as the IETF standard for CMS is updated.

Member

@basil basil left a comment


De minimis (test dependency)

@basil basil merged commit 28bca82 into master Nov 15, 2023
13 checks passed
@basil basil deleted the dependabot/maven/bc-version-1.77 branch November 15, 2023 17:51