Commit e25720b

committed
rollback update
1 parent 1fbbca1 commit e25720b

1 file changed

Lines changed: 0 additions & 1 deletion

docs/releasenotes.html

Lines changed: 0 additions & 1 deletion
@@ -35,7 +35,6 @@ <h3>2.1.2 Defects Fixed</h3>
3535
<li>JcaPGPKeyConverter.getPublicKey threw "InvalidParameterSpecException: Not a supported curve" on JDK 11 when the underlying JCE provider was Sun's, because the converter unconditionally fed the X9.62 OID-encoded form to AlgorithmParameters and Sun's CurveDB couldn't resolve it. The converter now resolves the curve name first via ECNamedCurveTable.getName(...) and only falls back to the OID encoding when the provider doesn't recognise the name (issue #1230).</li>
3636
<li>CertPathBuilder could recurse without bound (StackOverflowError on small stacks) when CRL revocation was enabled and a CRL had multiple candidate signers, e.g. several trust-anchor roots sharing the issuer DN. A re-entry guard in RFC3280CertPathUtilities.processCRLF now breaks the cycle, and candidates whose path can't be built are skipped instead of aborting the whole check (issue #2291).</li>
3737
<li>OpenSSHPrivateKeyUtil.encodePrivateKey now wraps ECDSA keys in the openssh-key-v1 envelope (matching the Ed25519 path) instead of emitting a raw RFC 5915 ECPrivateKey SEQUENCE, so the output is loadable by OpenSSH and JSCH (issue #2240).</li>
38-
<li>IPAddress.isValidIPv6 now accepts RFC 4007 sec. 11 scoped IPv6 addresses of the form &lt;address&gt;%&lt;zone_id&gt;, where the zone identifier is a non-empty sequence of printable characters that are not used as IPv6 / netmask separators. Validators that go through this method (e.g. GeneralName iPAddress consumers) now accept link-local addresses with interface scopes (issue #2024).</li>
3938
<li>X500Name string parsing rejected RDNs whose attributeValue contained an unescaped '=', e.g. "CN==^_^=" or "CN=foo=bar", with "badly formatted directory string". RFC 4514 sec. 3 lists '=' (0x3D) as a valid stringchar, so only the FIRST '=' separates the attributeType from the attributeValue. IETFUtils now rejoins any subsequent '='-split tokens, matching the behaviour of javax.security.auth.x500.X500Principal (issue #2226).</li>
4039
<li>AuthorityKeyIdentifier (id-ce 35) construction and parsing now enforce the RFC 5280 sec. 4.2.1.1 constraint that authorityCertIssuer and authorityCertSerialNumber MUST both be present or both be absent. The ASN1Sequence parse path and the (byte[], GeneralNames, BigInteger), (SubjectPublicKeyInfo, GeneralNames, BigInteger) and (GeneralNames, BigInteger) public constructors all throw IllegalArgumentException when only one of the two fields is supplied (issue #2036).</li>
4140
<li>TBSCertList, TBSCertificate and AttributeCertificateInfo parsing, plus the V1/V3 TBSCertificate, V2 TBSCertList and V2 AttributeCertificateInfo generators, now enforce the RFC 5280 sec. 4.1.2.4 / 5.1.2.3 and RFC 3281 sec. 4.2.3 requirement that the issuer field contain a non-empty identifier. Empty X.500 issuer names, empty v1 GeneralNames AttCertIssuer values, and V2Form AttCertIssuer values lacking issuerName / baseCertificateID / objectDigestInfo are now rejected with an Illegal{Argument,State}Exception instead of being silently accepted. As a side fix, V2Form parsing no longer throws ArrayIndexOutOfBoundsException on an empty SEQUENCE input (issue #2010).</li>
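
Review bot: the commit message "rollback update" does not say whether the scoped-IPv6 acceptance in IPAddress.isValidIPv6 (the removed <li> at old line 38, issue #2024) was itself rolled back or only its release note, and this commit changes docs/releasenotes.html alone. The removed entry states that validators going through this method, e.g. GeneralName iPAddress consumers, accept addresses of the form <address>%<zone_id>, so readers of the 2.1.2 notes need to know which behaviour actually ships. Suggest naming issue #2024 in the commit message and saying whether the code change was reverted as well; if the behaviour remains in the release, the entry should stay in the Defects Fixed list.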
