I'm familiar with basic cryptography in java But have zero experience in bouncycastle, Recently I came across a requirement that needs to read an encrypted and signed file from FTP.
The sender has directed me to use bcfips ebook for reading those encrypted and signed files. I went through the download page of the bouncy castle website, But I'm confused by a lot of jargon that I can't understand and I don't know which jar file should I use.
I'm wondering what's the difference between bcprov
and bcpkix
and bcfips
?
I appreciate it if someone points me on the correct path.
First of all, bcprov
contains the Java security provider as well as the "lightweight API". Quite often this library is simply referred to as "Bouncy Castle", shortened to the acronym "BC" as provider name in Java. These providers provide SPI's (service provider implementations) or implementation classes that allow specific algorithms to be used by the Cipher
, Signature
, MessageDigest
and Mac
classes (etc.) that provide a unified API for your applications.
The Bouncy Castle library has it's own specific architecture and API. It is this public API is generally revered to as the "lightweight API". The Bouncy Castle library provides most of this functionality as services that are registered using the Bouncy Castle provider implementation. That way the supplied algorithms can be used from generic classes such as Cipher
.
The library also contains a lot of utility classes, some of which are simply required to implement the provider. All the implementation classes are available to the user, which means that the lightweight API is a bit of a maze. It also means that there is a chance that updates break software that make use of the lightweight API. For instance, there have been a few updates of the ASN.1 encoder / decoder that weren't backwards compatible.
The main reason to use the Bouncy Castle library is the extended functionality that is provided. For instance, the Bouncy Castle provider provides a lot of ciphers that are not present in the standard Java runtime. However, you should keep in mind that the algorithms that are provided by the Java runtime can be optimized to use CPU speedups and may receive better testing. So before choosing it you should definitely check if the algorithms are not present in the Java provided algorithms.
A relatively new development is the support for CPU hardware acceleration when using an LTS release - currently only on Linux.
bcfips
is the certified FIPS provider. FIPS uses a specific set of algorithms defined by NIST and bcfips
therefore contains a subset of the functionality provided by bcprov
. FIPS also has strict rules when it comes to e.g. destruction of key material. FIPS certification is rather expensive and time consuming and BC would want you to get a support contract when using their FIPS provider.
You may need this library if your software is required to use FIPS certified algorithm implementations. Note that they will still be implemented in software and will therefore e.g. not use AES acceleration.
Now bcpkix
is a different beast altogether. It provides support for "PKIX/CMS/EAC/PKCS/OCSP/TSP/OPENSSL" protocols and container formats.
The following modules are present:
cert
package) means "X.509 based Public Key Infrastructure and contains support for certificates, certificate requests, CRL's etc.; the same type of certificates that are used for TLS that is used for HTTPS, i.e. the secure connections that your browser uses. There are some separate related packages inside the main package:
cmc
: Certificate Management over CMSdvcs
: Data Validation and Certification Server Protocolsest
: Enrollment over Secure Transport.p7
file extension) which is the standard in which it is defined. CMS is a flexible, descriptive format, i.e. it indicates which algorithms are used and helps with key management. It uses X.509 certificates and is based on the same technology.
.p8
, .p10
/ .csr
and .12
/ .pfx
file extensions.The operator
in the PKIX library seems to be a way to operate directly on the "lightweight API" or on the JCA provided API using a generalized interface (basically a way of performing dependency injection).
You'd use this library if you need to implement any of the higher level protocols / container formats. Many of these formats are relatively old, so you might be looking for e.g. NaCL instead of CMS. That said, CMS certainly can be secured and having these protocols implemented is great for (backwards) compatibility with existing systems.
If I'm not mistaken the PKIX library can be used without installing the Bouncy Castle ("BC"
) provider, except when you're using specific algorithms not provided by the existing providers in your Java runtime.
Unfortunately the documentation of Bouncy Castle is very sparse, most packages do not even explain what they are for or how they can be used. There isn't a huge amount of JUnit tests or demo applications either.