How to add Bouncy Castle algorithm to Android?

Developer https://www.devze.com 2022-12-25 14:45 Source: Internet
I am trying to write a small application using a Bouncy Castle algorithm. BouncyCastleProvider.java says we have to import and add the provider at runtime with the following code:

import org.bouncycastle.jce.provider.BouncyCastleProvider;

Security.addProvider(new BouncyCastleProvider());

error - The import org.bouncycastle cannot be resolved; during import
error - BouncyCastleProvider cannot be resolved to a type; when calling addProvider

I thought Bouncy Castle is not provided with the Android 1.6 SDK, so I thought of installing it separately. How should I do this? If Bouncy Castle is shipped along with the SDK, what should I do to avoid these errors? I am using Android 1.6 and Eclipse V3.4.0 on WinXP. Thanks in advance.


None of these answers is accurate in 2021 or even several years prior.

Neither using Spongy Castle nor recompiling Bouncy Castle with a different package namespace is necessary, since the package name conflicts on the Android platform were resolved in Honeycomb (unless you still support pre-Honeycomb devices). For details on why, see: https://github.com/rtyley/spongycastle/issues/34

The correct solution is to include the standard Bouncy Castle libraries in your Android application as follows.

The first step is to include the necessary libraries in your gradle file. You can get standard Bouncy Castle from maven, no need to download and check-in the JARs into your project.

When building with gradle add the following to your dependencies section in your gradle project file:

// See https://www.bouncycastle.org/releasenotes.html for latest revision
implementation 'org.bouncycastle:bcpkix-jdk15to18:1.68'
implementation 'org.bouncycastle:bcprov-jdk15to18:1.68'

Depending on your needs you may not need to actually add the Java security provider from the officially released Bouncy Castle. If you just want to use Bouncy Castle classes directly you may do so now. For example I can write this code that builds an X500Name object without installing the security provider:

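import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;

X500NameBuilder nameBuilder = new X500NameBuilder();
nameBuilder.addRDN(BCStyle.PSEUDONYM, "xyz");
nameBuilder.addRDN(BCStyle.E, "e@example.com");
X500Name name = nameBuilder.build();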

On the other hand if you want to write code that takes advantage of Bouncy Castle via the security provider then you should first replace the built-in Android Bouncy Castle security provider with the standard one since Java does not allow two security providers with the same name. This should be done as early as possible during application startup:

import android.app.Application;
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class MyApplication extends Application {
    static {
        Security.removeProvider("BC");
        // Confirm that positioning this provider at the end works for your needs!
        Security.addProvider(new BouncyCastleProvider());
    }
}

Note that Java security providers rely heavily on reflection. If you are using obfuscation or shrinking your project then the Bouncy Castle classes will end up being culled or renamed inappropriately. To prevent that you need to add the following or similar to the proguard.pro file:

-keep class org.bouncycastle.jcajce.provider.** { *; }
-keep class org.bouncycastle.jce.provider.** { *; }

Finally you can write code that will use the standard Bouncy Castle security provider under the hood:

import java.security.MessageDigest;

// MD2 hash is not secure, just demonstrating...
// byteData is the byte[] to be hashed
MessageDigest md = MessageDigest.getInstance("MD2");
byte[] messageDigest = md.digest(byteData);

Since MD2 isn't provided by any of the Android built-in security providers it will only be found if you've added the Bouncy Castle security provider as described above.
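
An added example (not code from the answer above or from the Bouncy Castle project) that checks the provider swap took effect and shows why the provider's position matters. The class name BcProviderCheck and its method names are hypothetical, and the dependencies from the gradle snippet above are assumed to be on the classpath.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Hypothetical helper, not part of Bouncy Castle or the Android SDK.
public final class BcProviderCheck {
    private BcProviderCheck() {}

    /** Replaces whatever is registered as "BC" with the provider bundled in the app. */
    public static Provider installBundledBc() {
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME); // "BC"
        Provider bundled = new BouncyCastleProvider();
        Security.addProvider(bundled); // appended at the lowest priority
        return bundled;
    }

    /** True only if the name "BC" resolves to the class shipped with the app. */
    public static boolean bundledBcIsActive() {
        Provider p = Security.getProvider(BouncyCastleProvider.PROVIDER_NAME);
        return p != null && p.getClass() == BouncyCastleProvider.class;
    }

    /** Name of the provider the default lookup selects for a digest, or null. */
    public static String defaultDigestProvider(String algorithm) {
        try {
            return MessageDigest.getInstance(algorithm).getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return null; // no registered provider offers this algorithm
        }
    }

    public static void main(String[] args) throws Exception {
        installBundledBc();
        if (!bundledBcIsActive()) {
            throw new IllegalStateException("\"BC\" is not the bundled provider");
        }
        // SHA-256 is also offered by providers registered ahead of BC, so the
        // default lookup may not pick BC. MD2 (insecure, demonstration only)
        // is the algorithm the answer uses to show the swap.
        System.out.println("SHA-256 -> " + defaultDigestProvider("SHA-256"));
        System.out.println("MD2     -> " + defaultDigestProvider("MD2"));
        // Name the provider explicitly when the implementation must be the bundled one.
        MessageDigest md = MessageDigest.getInstance(
                "SHA-256", BouncyCastleProvider.PROVIDER_NAME);
        System.out.println("explicit -> " + md.getProvider().getName());
    }
}
```

If the bundled provider must win for algorithms that other providers also implement, `Security.insertProviderAt(provider, 1)` registers it at the highest priority instead of the lowest.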


Or better still use SpongyCastle since the BC shipped with Android is both crippled and old.


You shouldn't need to explicitly add BouncyCastle as a provider. As you say, it's already included with Android.

Here's what I do to get a BouncyCastle AES cipher,

SecretKeyFactory keyFac = SecretKeyFactory.getInstance("PBEWithSHA256And256BitAES-CBC-BC");

If you look in BouncyCastleProvider.java you'll see a reference to PBEWithSHA256And256BitAES-CBC-BC along with a few other ciphers provided by BouncyCastle.


I'm not familiar with this particular library. However, here are general instructions on how to include a library delivered as a 'jar' file into an Android project.

Download the jar file and put it somewhere on your workstation. You may want to put it in the root directory of the project you are installing it in, or maybe in a 'lib' directory in the root.

In Eclipse, select Project->Properties, then select Java Build Path. Then click Add External Jars, navigate to where you put the .jar file, select it and click Open.

Now type or paste some code that attempts to use the classes in the jar. If you are lucky a light bulb icon will appear in the left margin. Clicking on this will prompt you to add the correct Import statement to the top of your .java file.

There are still things that can go wrong at this point. The library may make use of java.* or javax.* content not supplied by Android (it has just a subset of these libraries). Also it may have additional library dependencies of its own. There are other reasons why the .jar may not be compatible with the Android platform.

Note also that it will increase the size of your .apk to accommodate the new content.


You would need to compile the BC library under a different name, as it will have a conflict with the built-in BC already in Android - recompile and reference as BC2 or org.BouncyCastle2.x
