问题
How I know if I using Bouncy Castle from jar or the one implemented in Android? I've downloaded from https://www.bouncycastle.org/latest_releases.html and add jar to my Android Studio project. How can I check if I am using it (The one I downloaded)?
回答1:
For at least the last several versions Android has fixed the namespace conflict by renaming the bouncycastle classes they use to com.android.**. I'm not exactly sure when this occurred, but looking at the source code repository at https://android.googlesource.com/platform/external/bouncycastle/+refs suggests the change happened starting with Ice Cream Sandwich -- API level 14.
I'm not sure what they did about the string-based provider lookups, e.g. Cipher.getInstance("AES/GCM/PKCS5PADDING", "BC"). However, every getInstance() method in the JCE also has a version where you can explicitly specify the Provider class, e.g. Cipher.getInstance("AES/GCM/PKCS5PADDING", new org.bouncycastle.jce.provider.BouncyCastleProvider()) which eliminates any ambiguity.
回答2:
The Android platform bundle a restricted subset of Bouncy Castle, and will be selected by default if you set the provider by the name "BC". (not if you do it by class as James indicates)
Signature.getInstance("SHA1WithRSA","BC")
Alternatives to use your own cryptographic provider:
1 Incluye your own version of BouncyCastle
Include bouncycastle's jars, remove the bundled provider and add new one.
Security.removeProvider("BC");
BouncyCastleProvider bc = new BouncyCastleProvider();
Security.insertProviderAt(bc,1);
2 Use Spongycastle:
SpongyCastle is the official repackage of BouncyCastle for Android. https://rtyley.github.io/spongycastle/. Include the dependency and use "SC" instead of "BC"
Signature.getInstance("SHA1WithRSA","SC")
Why?
The Android platform unfortunately ships with a cut-down version of Bouncy Castle - as well as being crippled, it also makes installing an updated version of the libraries difficult due to classloader conflicts.
Spongy Castle is the stock Bouncy Castle libraries with a couple of small changes to make it work on Android:
all package names have been moved from org.bouncycastle.* to org.spongycastle.*
to avoid classloader conflicts the Java Security API Provider name is now SC rather than BC
no class names change, so the BouncyCastleProvider class remains Bouncy, not Spongy, but moves to the org.spongycastle.jce.provider package.
来源:https://stackoverflow.com/questions/42304193/how-i-know-if-i-using-bouncy-castle-from-jar-or-the-one-implemented-in-android