I'm stuck at the creation of an SSLContext (which I want to use to instantiate an SSLEngine to handle encrypted transport via the java-nio):
The code
Bouncy Castle implements two types of providers for JSSE:
Current documentation for each provider can be found here: ordinary and FIPS-compliant.
The JAR files for these differ from the JAR file for the Bouncy Castle JCE provider. At the time of this writing, the JSSE provider JAR files are called bctls-jdk15on-1.64.jar and bctls-fips-1.0.9.jar, whereas the JCE provider is bcprov-jdk15on-1.64.jar.
Here's an excerpt from the documentation:
2.1 BCJSSE Provider installation into the JRE
Once the bctls jar is installed, the provider class BouncyCastleJsseProvider may need to be installed if it is required in the application globally.
Installation of the provider can be done statically in the JVM by adding it to the provider definition in the java.security file in the jre/lib/security directory for your JRE/JDK. The provider can also be added during execution. If you wish to add the provider to the JVM globally during execution you can add the following imports to your code:
import java.security.Security;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
Then insert the line
Security.addProvider(new BouncyCastleJsseProvider());
The provider can then be used by referencing the name BCJSSE, for example:
SSLContext clientContext = SSLContext.getInstance("TLS", "BCJSSE");
Alternately, if you do not wish to install the provider globally, but use it locally instead, it is possible to pass the provider to the getInstance() method on the JSSE class you are creating an instance of. For example:
SSLContext clientContext = SSLContext.getInstance("TLS", new BouncyCastleJsseProvider());
Bouncy Castle actually provides a JSSE implementation as of version 1.56. Just make sure to configure it with a higher priority at the application startup:
Security.insertProviderAt(new BouncyCastleJsseProvider(), 1);
or, as an alternative, in the global <JRE_HOME>/lib/security/java.security file:
security.provider.1=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
...
security.provider.6=com.sun.net.ssl.internal.ssl.Provider
You can use it then with the standard API:
SSLContext context = SSLContext.getInstance("TLS");
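Putting the two answers above together for the question's SSLEngine use case, as an added example that is not from the original posts or from Bouncy Castle's own documentation. It assumes bcprov and bctls are on the classpath; the host and port are placeholders and no connection is opened.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public class BcJsseEngineExample {

    /** Register the JCE provider ("BC") and the JSSE provider ("BCJSSE") once, at startup. */
    static void registerProviders() {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        if (Security.getProvider(BouncyCastleJsseProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleJsseProvider());
        }
    }

    /** Keep only TLS 1.2/1.3 out of what the engine really supports; older versions are dropped. */
    static String[] modernProtocols(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String p : supported) {
            if ("TLSv1.2".equals(p) || "TLSv1.3".equals(p)) keep.add(p);
        }
        return keep.toArray(new String[0]);
    }

    /** Client-mode SSLEngine taken from the BCJSSE provider, with hostname verification turned on. */
    static SSLEngine clientEngine(String host, int port)
            throws NoSuchAlgorithmException, NoSuchProviderException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS", BouncyCastleJsseProvider.PROVIDER_NAME);
        ctx.init(null, null, null); // default key/trust managers (the JRE's cacerts)
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(modernProtocols(engine.getSupportedProtocols()));
        // A raw SSLEngine does not check the peer's hostname unless told to; "HTTPS" enables it.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        registerProviders();
        SSLEngine engine = clientEngine("example.invalid", 443); // placeholder host, nothing is contacted
        System.out.println("enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The engine's wrap/unwrap calls then drive the handshake over a NIO SocketChannel; without the endpoint identification setting, a certificate for any host would be accepted as long as it chains to a trusted CA.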
I know this is kind of an old question, but I needed an answer (so I am creating one):
Why not?
Debugging this line of code:
Provider[] providers = Security.getProviders();
Alg.Alias.SSLContext.SSL=TLSv1
Alg.Alias.SSLContext.SSLv3=TLSv1
SSLContext.Default=sun.security.ssl.SSLContextImpl$DefaultSSLContext
SSLContext.TLSv1=sun.security.ssl.SSLContextImpl$TLS10Context
SSLContext.TLSv1.1=sun.security.ssl.SSLContextImpl$TLS11Context
SSLContext.TLSv1.2=sun.security.ssl.SSLContextImpl$TLS12Context
This should make sense since Bouncy Castle is a JCE implementation, not a JSSE implementation.