Specifications
1.0 Introduction
The Bouncy Castle Crypto package is a Java implementation of
cryptographic algorithms.
The package is organised so that it
contains a light-weight API suitable for use in any environment
(including the newly released J2ME) with the additional infrastructure
to conform the algorithms to the JCE framework.
Except where otherwise stated, this software is distributed under a license
based on the MIT X
Consortium license.
To view the license, see .
The OpenPGP library also includes a modified BZIP2 library which
is licensed under the .
If you have the full package you will have six jar files, bcprov*.jar
which contains the BC provider, jce-*.jar which contains
the JCE provider, clean room API, and bcmail*.jar which contains the
Note: if you are using JDK 1.0, you will just find a class hierarchy in
the classes directory.
To view examples, look at the test programs in the packages:
org.bouncycastle.crypto.test
org.bouncycastle.jce.provider.test
To verify the packages, run the following Java programs with the
appropriate classpath:
java org.bouncycastle.crypto.test.RegressionTest
java org.bouncycastle.jce.provider.test.RegressionTest
2.0 Patents
Some of the algorithms in the Bouncy Castle APIs are patented in some
places. It is upon the user of the library to be aware of what the
legal situation is in their own situation, however we have been asked
to specifically mention the patents below, in the following terms, at
the request of the patent holder.
The BC distribution contains implementations of EC MQV as described in RFC 5753, "Use of ECC Algorithms in CMS". In line with the conditions in:
We state, where EC MQV has not otherwise been disabled or removed:
"The use of this product or service is subject to the reasonable, non-discriminatory terms in the Intellectual Property Rights (IPR) Disclosures of Certicom Corp. at the IETF for Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS) implemented in the product or service."
3.0 System Properties
The Bouncy Castle provider can make use of the following two system properties:
org.bouncycastle.ec.disable_mqv - setting this property to true will disable support for EC MQV in the provider.
org.bouncycastle.pkcs1.not_strict - some other providers of cryptography services fail to produce PKCS1 encoded block that are the correct length. Setting this property to true will relax the conformance check on the block length.
4.0 Specifications
clean room implementation of the JCE API
light-weight cryptographic API consisting of support for
BlockCipher
BufferedBlockCipher
AsymmetricBlockCipher
BufferedAsymmetricBlockCipher
StreamCipher
BufferedStreamCipher
KeyAgreement
JCE compatible framework for a Bouncy Castle provider "BC".
JCE compatible framework for a Bouncy Castle post-quantum provider "BCPQC".
5.0 Light-weight API
This API has been specifically developed for those circumstances
where the rich API and integration requirements of the JCE are
not required.
However as a result, the light-weight API requires more effort
and understanding on the part of a developer to initialise and
utilise the algorithms.
5.1 Example
To utilise the light-weight API in a program, the fundamentals
* This will use a supplied key, and encrypt the data
* This is the equivalent of DES/CBC/PKCS5Padding
BlockCipher engine = new DESEngine();
BufferedBlockCipher cipher = new PaddedBlockCipher(new CBCCipher(engine));
byte[] key = keyString.getBytes();
byte[] input = inputString.getBytes();
cipher.init(true, new KeyParameter(key));
byte[] cipherText = new byte[cipher.getOutputSize(input.length)];
int outputLen = cipher.processBytes(input, 0, input.length, cipherText, 0);
cipher.doFinal(cipherText, outputLen);
catch (CryptoException ce)
System.err.println(ce);
System.exit(1);
5.2 Algorithms
The light-weight API has built in support for the following:
Symmetric (Block)
The base interface is BlockCipher and has the following
implementations which match the modes the block cipher can
be operated in.
NameConstructorNotes
BufferedBlockCipherBlockCipher&
CBCBlockCipherBlockCipher&
CFBBlockCipherBlockCipher, block size (in bits)&
CCMBlockCipherBlockCipherPacket mode - requires all data up front.
GCMBlockCipherBlockCipherPacket mode - NIST SP 800-38D.
GCFBlockCipherBlockCipherGOST CFB mode with CryptoPro key meshing.
EAXBlockCipherBlockCipher&
OCBBlockCipherBlockCipher&
OFBBlockCipherBlockCipher, block size (in bits)&
SICBlockCipherBlockCipher, block size (in bits)Also known as CTR mode
OpenPGPCFBBlockCipherBlockCipher&
GOFBBlockCipherBlockCipherGOST OFB mode
The base interface for AEAD (Authenticated Encryption Associated Data) modes is AEADBlockCipher
and has the following implemenations.
NameConstructorNotes
CCMBlockCipherBlockCipherPacket mode - requires all data up front.
EAXBlockCipherBlockCipher&
GCMBlockCipherBlockCipherPacket mode - NIST SP 800-38D.
OCBBlockCipherBlockCipher&
BufferedBlockCipher has a further sub-classes
NameConstructorNotes
PaddedBufferedBlockCipherBlockCiphera buffered block cipher that can use padding - default PKCS5/7 padding
CTSBlockCipherBlockCipherCipher Text Stealing
The following paddings can be used with the PaddedBufferedBlockCipher.
NameDescription
PKCS7PaddingPKCS7/PKCS5 padding
ISO10126d2PaddingISO 10126-2 padding
X932PaddingX9.23 padding
ISO7816d4PaddingISO 7816-4 padding (ISO 9797-1 scheme 2)
ZeroBytePaddingPad with Zeros (not recommended)
The following cipher engines are implemented that can be
used with the above modes.
NameKeySizes (in bits) Block SizeNotes
AESEngine0 .. 256 128 bit&
AESWrapEngine0 .. 256 128 bitImplements FIPS AES key wrapping
BlowfishEngine0 .. 448 64 bit&
CamelliaEngine128, 192, 256128 bit&
CamelliaWrapEngine128, 192, 256128 bit&
CAST5Engine0 .. 128 64 bit&
CAST6Engine0 .. 256 128 bit&
DESEngine6464 bit&
DESedeEngine128, 19264 bit&
DESedeWrapEngine128, 19264 bitImplements Draft IETF DESede key wrapping
GOST28147Engine25664 bitHas a range of S-boxes
IDEAEngine12864 bit&
NoekeonEngine128128 bit&
RC2Engine0 .. 1024 64 bit&
RC532Engine0 .. 128 64 bitUses a 32 bit word
RC564Engine0 .. 128 128 bitUses a 64 bit word
RC6Engine0 .. 256 128 bit&
RijndaelEngine0 .. 256 128 bit, 160 bit, 192 bit, 224 bit, 256 bit&
SEEDEngine128128 bit&
SEEDWrapEngine128128 bit&
Shacal2Engine512256 bit&
SerpentEngine128, 192, 256 128 bit&
SkipjackEngine0 .. 128 64 bit&
TEAEngine12864 bit&
ThreefishEngine256/512/1024 256 bit/512 bit/1024 bitTweakable block cipher
TwofishEngine128, 192, 256 128 bit&
XTEAEngine12864 bit&
The following additional key wrapping algorithms are also available: RFC3211WrapEngine, RFC3394WrapEngine, and RFC5649WrapEngine.
Symmetric (Stream)
The base interface is StreamCipher and has the following
implementations which match the modes the stream cipher can
be operated in.
NameConstructorNotes
BlockStreamCipherBlockCipher&
The following cipher engines are implemented that can be
used with the above modes.
NameKeySizes (in bits) Notes
RC4Engine40 .. 2048&
HC128Engine128&
HC256Engine256&
ChaChaEngine128/25664 bit IV
Salsa20Engine128/25664 bit IV
XSalsa20Engine256192 bit IV
ISAACEngine32 .. 8192&
VMPCEngine8 .. 6144&
Grainv1Engine8064 bit IV
Grain128Engine12896 bit IV
Block Asymmetric
The base interface is AsymmetricBlockCipher and has the following
implementations which match the modes the cipher can be operated in.
NameConstructorNotes
BufferedAsymmetricBlockCipherAsymmetricBlockCipher&
OAEPEncodingAsymmetricBlockCipher&
PKCS1EncodingAsymmetricBlockCipher&
ISO9796d1EncodingAsymmetricBlockCipherISO9796-1
The following cipher engines are implemented that can be
used with the above modes.
NameKeySizes (in bits)Notes
RSAEngineany multiple of 8 large enough for the encoding.&
ElGamalEngineany multiple of 8 large enough for the encoding.&
NTRUEngineany multiple of 8 large enough for the encoding.&
The base interface is Digest and has the following
implementations
NameOutput (in bits)Notes
KeccakDigest224, 256, 288, 384, 512
MD2Digest128&
MD4Digest128&
MD5Digest128&
RipeMD128Digest128basic RipeMD
RipeMD160Digest160enhanced version of RipeMD
RipeMD256Digest256expanded version of RipeMD128
RipeMD320Digest320expanded version of RipeMD160
SHA1Digest160&
SHA224Digest224FIPS 180-2
SHA256Digest256FIPS 180-2
SHA384Digest384FIPS 180-2
SHA512Digest512FIPS 180-2
SHA3Digest224, 256, 384, 512FIPS 202
SHAKEDigest128, 256FIPS 202
SkeinDigestany byte length256 bit, 512 bit and 1024 state sizes. Additional parameterisation using SkeinParameters.
SM3Digest256The SM3 Digest.
TigerDigest192The Tiger Digest.
GOST3411Digest256The GOST-3411 Digest.
GOST6Digest256The GOST-6 Digest.
GOST2Digest512The GOST-2 Digest.
WhirlpoolDigest512The Whirlpool Digest.
The base interface is Mac and has the following
implementations
NameOutput (in bits)Notes
CBCBlockCipherMacblocksize/2 unless specified&
CFBBlockCipherMacblocksize/2, in CFB 8 mode, unless specified&
CMac24 to cipher block size bitsUsable with block ciphers, NIST SP 800-38B.
GMac32 to 128 bitsUsable with GCM mode ciphers, defined for AES, NIST SP 800-38D.
GOST28147Mac32 bits&
ISO9797Alg3Macmultiple of 8 bits up to underlying cipher size.&
HMacdigest length&
Poly1305128 bitsUsable with 128 bit block ciphers. Use Poly1305KeyGenerator to generate keys.
SkeinMacany byte length256 bit, 512 bit and 1024 state size variants. Additional parameterisation using SkeinParameters.
SipHash64 bits&
VMPCMac160 bits&
PBE and Password Hashing
The base class is PBEParametersGenerator and has the following
sub-classes
NameConstructorNotes
PKCS5S1ParametersGeneratorDigest&
PKCS5S2ParametersGenerator&Uses SHA1/Hmac as defined
PKCS12ParametersGeneratorDigest&
OpenSSLPBEParametersGenerator&Uses MD5 as defined
The following password hashing schemes are supported:
NameConstructorNotes
OpenBSDBcyrpt&&
The IES cipher is based on the one described in IEEE P1363a (draft 10), for
use with either traditional Diffie-Hellman or Elliptic Curve Diffie-Hellman.
Note: At the moment this is still a draft, don't use it for anything
that may be subject to long term storage, the key values produced may well
change as the draft is finalised.
Commitments
The base class is Committer and has the following
sub-classes
HashCommitterHash commitment algorithm described in Usenix RPC MixNet Paper (2002)
Key Agreement
Two versions of Diffie-Hellman key agreement are supported, the basic
version, and one for use with long term public keys. Two versions of
key agreement using Elliptic Curve cryptography are also supported,
standard Diffie-Hellman key agreement and standard key agreement with
co-factors.
The agreement APIs are in the org.bouncycastle.crypto.agreement package.
Classes for generating Diffie-Hellman parameters can be found in the
org.bouncycastle.crypto.params and org.bouncycastle.crypto.generators packages.
Key Encapsulation Mechanisms
The base class is KeyEncapsulation and has the following
sub-classes
RSAKeyEncapsulationRSA-KEM from ISO 18033-2
PKCS5S2ParametersGeneratorECIES-KEM from ISO 18033-2
DSA, ECDSA, ISO-9796-2, GOST-3410-94, GOST-, DSTU-, and RSA-PSS are supported by the org.bouncycastle.crypto.signers
package. Note: as these are light weight classes, if you need to use SHA1 or GOST-3411
(as defined in the relevant standards) you'll also need to make use of the appropriate
digest class in conjunction with these.
Classes for generating DSA and ECDSA parameters can be found in the
org.bouncycastle.crypto.params and org.bouncycastle.crypto.generators packages.
5.4 Elliptic Curve Transforms.
The org.bouncycastle.crypto.ec package contains implementations for a variety of EC cryptographic transforms such as EC ElGamal.
5.5 TLS/DTLS
The org.bouncycastle.crypto.tls package contains implementations for TLS 1.1, 1.2 and DTLS 1.0, 1.2.
5.6 Deterministic Random Bit Generators (DRBG) and SecureRandom wrappers
The org.bouncycastle.crypto.prng package contains implementations for a variety of bit generators including those from SP 800-90A and X9.31, as well as builders for SecureRandom objects based around them.
5.7 ASN.1 package
The light-weight API has direct interfaces into a package capable of
reading and writing DER-encoded ASN.1 objects and for the generation
of X.509 V3 certificate objects and PKCS12 files. BER InputStream and
OutputStream classes are provided as well.
6.0 Bouncy Castle Provider
The Bouncy Castle provider is a JCE compliant provider that
is a wrapper built on top of the light-weight API. The main provider is referred to with the name "BC", the post quantum provider is indicated by "BCPQC".
The advantage for writing application code that uses the
provider interface to cryptographic algorithms is that the
actual provider used can be selected at run time.
is extremely valuable for applications that may wish to
make use of a provider that has underlying hardware for
cryptographic computation, or where an application may have
been developed in an environment with cryptographic export
6.1 Example
To utilise the JCE provider in a program, the fundamentals
* This will generate a random key, and encrypt the data
KeyGenerator keyG
Security.addProvider(new BouncyCastleProvider());
// "BC" is the name of the BouncyCastle provider
keyGen = KeyGenerator.getInstance("DES", "BC");
keyGen.init(new SecureRandom());
key = keyGen.generateKey();
encrypt = Cipher.getInstance("DES/CBC/PKCS5Padding", "BC");
catch (Exception e)
System.err.println(e);
System.exit(1);
encrypt.init(Cipher.ENCRYPT_MODE, key);
bOut = new ByteArrayOutputStream();
cOut = new CipherOutputStream(bOut, encrypt);
cOut.write("plaintext".getBytes());
cOut.close();
// bOut now contains the cipher text
The provider can also be configured as part of your environment via static registration
by adding an entry to the java.security properties file (found in $JAVA_HOME/jre/lib/security/java.security, where $JAVA_HOME is the location of your JDK/JRE distribution). You'll find detailed
instructions in the file but basically it comes down to adding a line:
security.provider.&n&=org.bouncycastle.jce.provider.BouncyCastleProvider
Where &n& is the preference you want the provider at (1 being the most prefered).
Where you put the jar is up to mostly up to you, although with jdk1.3 and
jdk1.4 the best (and in some cases only) place to have it is in $JAVA_HOME/jre/lib/ext. Note: under Windows there will normally be a JRE and a JDK install of Java if you think you have installed it correctly and it still doesn't work chances are you have added the provider to the installation not being used.
Note: with JDK 1.4 and later you will need to have installed the unrestricted policy
files to take full advantage of the provider. If you do not install the policy files you are likely
to get something like the following:
java.lang.SecurityException: Unsupported keysize or algorithm parameters
at javax.crypto.Cipher.init(DashoA6275)
The policy files can be found at the same place you downloaded the JDK.
6.2 Algorithms
Symmetric (Block)
SIC (also known as CTR)
OpenPGPCFB
CTS (equivalent to CBC/WithCTS)
CCM (AEAD)
EAX (AEAD)
GCM (AEAD)
OCB (AEAD)
Where (n) is a multiple of 8 that gives the blocksize in bits,
eg, OFB8. Note that OFB and CFB mode can be used with plain text that
is not an exact multiple of the block size if NoPadding has been specified.
All AEAD (Authenticated Encryption Associated Data) modes support
Additional Authentication Data (AAD) using the Cipher.updateAAD()
methods added in Java SE 7.
On Java 7 and later, AEAD modes will throw javax.crypto.AEADBadTagException on an authentication failure.
On earlier version of Java, javax.crypto.BadPaddingException is thrown.
Padding Schemes:
No padding
ISO10126/ISO10126-2
ISO7816-4/ISO9797-1
X9.23/X923
withCTS (if used with ECB mode)
When placed together this gives a specification for an algorithm
DES/CBC/X9.23Padding
DES/OFB8/NoPadding
IDEA/CBC/ISO10126Padding
IDEA/CBC/ISO7816-4Padding
SKIPJACK/ECB/PKCS7Padding
DES/ECB/WithCTS
Note: default key sizes are in bold.
NameKeySizes (in bits) Block SizeNotes
AES0 .. 256 (192)128 bit&
AESWrap0 .. 256 (192)128 bitA FIPS AES key wrapper
Blowfish0 .. 448 (448)64 bit&
Camellia128, 192, 256128 bit&
CamelliaWrap128, 192, 256128 bit&
CAST50 .. 128(128)64 bit&
CAST60 .. 256(256)128 bit&
DES6464 bit&
DESede128, 19264 bit&
DESedeWrap128, 192128 bitA Draft IETF DESede key wrapper
GCM128, 192, 256(192)AEAD Mode CipherGalois/Counter Mode, as defined in NIST Special Publication SP 800-38D.
GOST2814725664 bit&
IDEA128 (128)64 bit&
Noekeon128(128)128 bit&
RC20 .. 1024 (128)64 bit&
RC50 .. 128 (128)64 bitUses a 32 bit word
RC5-640 .. 256 (256)128 bitUses a 64 bit word
RC60 .. 256 (128)128 bit&
Rijndael0 .. 256 (192)128 bit&
SEED128(128)128 bit&
SEEDWrap128(128)128 bit&
Serpent128, 192, 256 (256)128 bit&
Skipjack0 .. 128 (128)64 bit&
TEA128 (128)64 bit&
Threefish-256256256 bit&
Threefish-512512512 bit&
Threefish-102410241024 bit&
Twofish128, 192, 256 (256)128 bit&
XTEA128 (128)64 bit&
Symmetric (Stream)
Note: default key sizes are in bold.
NameKeySizes (in bits)Notes
RC440 .. 2048 bits (128)&
HC128(128)&
HC256(256)&
ChaCha128/25664 bit IV
Salsa20128/25664 bit IV
XSalsa20256182 bit IV
VMPC128/6144(128)&
Grainv18064 bit IV
Grain12812896 bit IV
Block Asymmetric
OAEP - Optimal Asymmetric Encryption Padding
PCKS1 - PKCS v1.5 Padding
ISO9796-1 - ISO9796-1 edition 1 Padding
Note: except as indicated in PKCS 1v2 we recommend you use OAEP, as
mandated in X9.44.
When placed together with RSA this gives a specification for an algorithm
RSA/NONE/NoPadding
RSA/NONE/PKCS1Padding
RSA/NONE/OAEPWithMD5AndMGF1Padding
RSA/NONE/OAEPWithSHA1AndMGF1Padding
RSA/NONE/OAEPWithSHA224AndMGF1Padding
RSA/NONE/OAEPWithSHA256AndMGF1Padding
RSA/NONE/OAEPWithSHA384AndMGF1Padding
RSA/NONE/OAEPWithSHA512AndMGF1Padding
RSA/NONE/OAEPWithSHA3-224AndMGF1Padding
RSA/NONE/OAEPWithSHA3-256AndMGF1Padding
RSA/NONE/OAEPWithSHA3-384AndMGF1Padding
RSA/NONE/OAEPWithSHA3-512AndMGF1Padding
RSA/NONE/ISO9796-1Padding
NameKeySizes (in bits)Notes
RSAany multiple of 8 bits large enough for the encryption(2048)&
ElGamalany multiple of 8 bits large enough for the encryption(1024)&
Key Agreement
Diffie-Hellman key agreement is supported using the "DH", "ECDH",
"ECCDH" (EC cofactor DH) and "ECMQV" key agreement instances and their variations. Key exchange, which also uses the KeyAgreement API is supported by "NH" (the NewHope algorithm (BCPQC)).
Support is provided for the standard SEC algorithm set for EC. Names appear
in the form of [Agreement]with[KDF PRF Digest][KDF type]. For example:
"ECCDHwithSHA256KDF" which represents EC cofactor DH using the X9.63 KDF with SHA256 as the PRF
"ECMQVwithSHA1CKDF" which represents EC MQV using the concetantion KDF with SHA1 as the PRF
Note: with basic "DH" only the basic algorithm fits in with the JCE API, if
you're using long-term public keys you may want to look at the light-weight
API, there are also additional JCE support classes for UserKeyingMaterial and MQVParameters in the org.bouncycastle.jcajce.spec package.
An implementation of ECIES (stream mode) as described in IEEE P 1363a. This now based more formally on Victor Shoup's paper and should be compatible with the implementation in Crypto++ (version 6 onwards).
NameOutput (in bits)Notes
GOST3411256&
RipeMD128128basic RipeMD
RipeMD160160enhanced version of RipeMD
RipeMD256256expanded version of RipeMD128
RipeMD320320expanded version of RipeMD160
SHA-224224FIPS 180-2
SHA-256256FIPS 180-2
SHA-384384FIPS 180-2
SHA-512512FIPS 180-2
SHA3-224224FIPS 202
SHA3-256256FIPS 202
SHA3-384384FIPS 202
SHA3-512512FIPS 202
Skein-256-*128, 160, 224, 256e.g. Skein-256-160
Skein-512-*128, 160, 224, 256, 384, 512e.g. Skein-512-256
Skein-1024-*384, 512, 1024e.g. Skein-
Whirlpool512&
NameOutput (in bits)Notes
Any MAC based on a block cipher, CBC (the default) and CFB modes.half the cipher's block size (usually 32 bits)&
*-GMAC32 to 128 bitsUsable with GCM mode ciphers, defined for AES, NIST SP 800-38D. e.g. AES-GMAC.
VMPC-MAC128&
HMac-GOST3411256&
HMac-GOST6256&
HMac-GOST2512&
HMac-KECCAK224224&
HMac-KECCAK256256&
HMac-KECCAK288288&
HMac-KECCAK384384&
HMac-KECCAK512512&
HMac-MD2128&
HMac-MD4128&
HMac-MD5128&
HMac-RipeMD128128&
HMac-RipeMD160160&
HMac-SHA1160&
HMac-SHA224224&
HMac-SHA256256&
HMac-SHA384384&
HMac-SHA512512&
HMac-SHA3-224224&
HMac-SHA3-256256&
HMac-SHA3-384384&
HMac-SHA3-512512&
HMAC-Skein-256-*128, 160, 224, 256e.g. HMAC-Skein-256-160
HMAC-Skein-512-*128, 160, 224, 256, 384, 512e.g. HMAC-Skein-512-256
HMAC-Skein-1024-*384, 512, 1024e.g. HMAC-Skein-
Siphash-2-4 (SipHash)64
Siphash-4-864
Skein-MAC-256-*128, 160, 224, 256e.g. Skein-MAC-256-160
Skein-MAC-512-*128, 160, 224, 256, 384, 512e.g. Skein-MAC-512-256
Skein-MAC-1024-*384, 512, 1024e.g. Skein-MAC-
HMac-Tiger192&
Poly1305-*128Defined for recent 128 bit block ciphers, e.g. Poly1305-AES, Poly1305-Serpent
DESMac/CFB8
DESedeMac/CFB8
DESedeMac64
SKIPJACKMac
SKIPJACKMac/CFB8
IDEAMac/CFB8
RC2Mac/CFB8
RC5Mac/CFB8
ISO9797ALG3Mac
Signature Algorithms
GOST3411withGOST3410 (GOST3411withGOST3410-94)
GOST3411withECGOST3410 (GOST3411withGOST)
MD2withRSA
MD5withRSA
SHA1withRSA
RIPEMD128withRSA
RIPEMD160withRSA
RIPEMD160withECDSA
RIPEMD256withRSA
SHA1withDSA
SHA224withDSA
SHA256withDSA
SHA384withDSA
SHA512withDSA
SHA3-224withDSA
SHA3-256withDSA
SHA3-384withDSA
SHA3-512withDSA
SHA1withDDSA
SHA224withDDSA
SHA256withDDSA
SHA384withDDSA
SHA512withDDSA
SHA3-224withDDSA
SHA3-256withDDSA
SHA3-384withDDSA
SHA3-512withDDSA
NONEwithDSA
SHA1withDetECDSA
SHA224withECDDSA
SHA256withECDDSA
SHA384withECDDSA
SHA512withECDDSA
SHA1withECDSA
NONEwithECDSA
SHA224withECDSA
SHA256withECDSA
SHA384withECDSA
SHA512withECDSA
SHA3-224withECDSA
SHA3-256withECDSA
SHA3-384withECDSA
SHA3-512withECDSA
SHA1withECNR
SHA224withECNR
SHA256withECNR
SHA384withECNR
SHA512withECNR
SHA224withRSA
SHA256withRSA
SHA384withRSA
SHA512withRSA
SHA512(224)withRSA
SHA512(256)withRSA
SHA3-224withRSA
SHA3-256withRSA
SHA3-384withRSA
SHA3-512withRSA
SHA1withRSAandMGF1
SHA256withRSAandMGF1
SHA384withRSAandMGF1
SHA512withRSAandMGF1
SHA512(224)withRSAandMGF1
SHA512(256)withRSAandMGF1
SHA1withRSA/ISO9796-2
RIPEMD160withRSA/ISO9796-2
SHA1withRSA/X9.31
SHA224withRSA/X9.31
SHA256withRSA/X9.31
SHA384withRSA/X9.31
SHA512withRSA/X9.31
SHA512(224)withRSA/X9.31
SHA512(256)withRSA/X9.31
RIPEMD128withRSA/X9.31
RIPEMD160withRSA/X9.31
WHIRLPOOLwithRSA/X9.31
SHA512withSPHINCS256 (BCPQC)
SHA3-512withSPHINCS256 (BCPQC)
Password Hashing and PBE
OpenBSDBcyrpt
PKCS5S1, any Digest, any symmetric Cipher, ASCII
PKCS5S2, any HMac, any symmetric Cipher, ASCII, UTF8
PKCS12, any Digest, any symmetric Cipher, Unicode
Defined in Bouncy Castle JCE Provider
NameKey Generation SchemeKey Length (in bits)Char to Byte conversion
PBEWithMD2AndDESPKCS5 Scheme 1648 bit chars
PBEWithMD2AndRC2PKCS5 Scheme 11288 bit chars
PBEWithMD5AndDESPKCS5 Scheme 1648 bit chars
PBEWithMD5AndRC2PKCS5 Scheme 11288 bit chars
PBEWithSHA1AndDESPKCS5 Scheme 1648 bit chars
PBEWithSHA1AndRC2PKCS5 Scheme 11288 bit chars
PBKDF2WithHmacSHA1PKCS5 Scheme 2variableUTF-8 chars
PBKDF2WithHmacSHA1AndUTF8PKCS5 Scheme 2variableUTF-8 chars
PBKDF2WithHmacSHA1And8bitPKCS5 Scheme 2variable8 bit chars
PBEWithSHAAnd2-KeyTripleDES-CBCPKCS1212816 bit chars
PBEWithSHAAnd3-KeyTripleDES-CBCPKCS1219216 bit chars
PBEWithSHAAnd128BitRC2-CBCPKCS1212816 bit chars
PBEWithSHAAnd40BitRC2-CBCPKCS124016 bit chars
PBEWithSHAAnd128BitRC4PKCS1212816 bit chars
PBEWithSHAAnd40BitRC4PKCS124016 bit chars
PBEWithSHAAndTwofish-CBCPKCS1225616 bit chars
PBEWithSHAAndIDEA-CBCPKCS1212816 bit chars
6.3 Certificates
The Bouncy Castle provider will read X.509 certficates (v2 or v3) as per the examples in
the java.security.cert.CertificateFactory class. They can be provided either
in the normal PEM encoded format, or as DER binaries.
The CertificateFactory will also read X.509 CRLs (v2) from either PEM or DER encodings.
In addition to the classes in the org.bouncycastle.asn1.x509 package for certificate, CRLs, and OCSP, CRMF, and CMP message
generation a more JCE "friendly" class is provided in the package org.bouncycastle.cert. The JCE "friendly" classes found in the jcajce
subpackages support RSA, DSA, GOST, DTSU, and EC-DSA.
6.4 Keystore
The Bouncy Castle package has three implementation of a keystore.
The first "BKS" is a keystore that will work with the keytool in the same
fashion as the Sun "JKS" keystore. The keystore is resistent to tampering
but not inspection.
The second, Keystore.BouncyCastle, or Keystore.UBER will only work with the keytool
if the password is provided on the command line, as the entire keystore
is encrypted
with a PBE based on SHA1 and Twofish. PBEWithSHAAndTwofish-CBC.
This makes the entire keystore resistant to tampering and inspection,
and forces verification.
The Sun JDK provided keytool will attempt to load a keystore even if no
password is given,
this is impossible for this version. (One might wonder about going to all
this trouble and then having the password on the command line! New keytool
In the first case, the keys are encrypted with 3-Key-TripleDES.
The third is a PKCS12 compatible keystore. PKCS12 provides a slightly
different situation from the regular key store, the keystore password is
currently the only password used for storing keys. Otherwise it supports
all the functionality required for it to be used with the keytool. In some
situations other libraries always expect to be dealing with Sun certificates,
if this is the case use PKCS12-DEF, and the certificates produced by the
key store will be made using the default provider. In the default case PKCS12 uses 3DES for key protection and 40 bit RC2 for protecting the certificates. It is also possible to use 3DES for both by using PKCS12-3DES-3DES or PKCS12-DEF-3DES-3DES as the KeyStore type.
There is an example program that produces PKCS12 files suitable for
loading into browsers. It is in the package
org.bouncycastle.jce.examples.
6.5 Additional support classes for Elliptic Curve.
There are no classes for supporting EC in the JDK prior to JDK 1.5. If you are using
an earlier JDK you can find classes for using EC in the following
org.bouncycastle.jce.spec
org.bouncycastle.jce.interfaces
org.bouncycastle.jce
7.0 BouncyCastle S/MIME
To be able to fully compile and utilise the BouncyCastle S/MIME
package (including the test classes) you need the jar files for
the following APIs.
JavaMail -
The Java Activation Framework -
7.1 Setting up BouncyCastle S/MIME in JavaMail
The BouncyCastle S/MIME handlers may be set in JavaMail two ways.
STATICALLY
Add the following entries to the mailcap file:
application/pkcs7-; x-java-content-handler=org.bouncycastle.mail.smime.handlers.pkcs7_signature
application/pkcs7-; x-java-content-handler=org.bouncycastle.mail.smime.handlers.pkcs7_mime
application/x-pkcs7-; x-java-content-handler=org.bouncycastle.mail.smime.handlers.x_pkcs7_signature
application/x-pkcs7-; x-java-content-handler=org.bouncycastle.mail.smime.handlers.x_pkcs7_mime
multipart/; x-java-content-handler=org.bouncycastle.mail.smime.handlers.multipart_signed
DYNAMICALLY
The following code will add the BouncyCastle S/MIME handlers dynamically:
import javax.activation.MailcapCommandM
import mandM
public static void setDefaultMailcap()
MailcapCommandMap _mailcap =
(MailcapCommandMap)CommandMap.getDefaultCommandMap();
_mailcap.addMailcap("application/pkcs7-; x-java-content-handler=org.bouncycastle.mail.smime.handlers.pkcs7_signature");
_mailcap.addMailcap("application/pkcs7-; x-java-content-handler=org.bouncycastle.mail.smime.handlers.pkcs7_mime");
_mailcap.addMailcap("application/x-pkcs7-; x-java-content-handler=org.bouncycastle.mail.smime.handlers.x_pkcs7_signature");
_mailcap.addMailcap("application/x-pkcs7-; x-java-content-handler=org.bouncycastle.mail.smime.handlers.x_pkcs7_mime");
_mailcap.addMailcap("multipart/; x-java-content-handler=org.bouncycastle.mail.smime.handlers.multipart_signed");
CommandMap.setDefaultCommandMap(_mailcap);