Bouncy Castle - what is it?


No, I'm not talking about the inflatable play castles. Bouncy Castle is an encryption library made available for Java and .NET platforms. I have run into it off and on over the last 4 years and recently implemented a Certificate Generator tool that uses the Bouncy Castle API for Key, Certificate and Keystore generation.

I'm getting back into it after being away for a year or so. Hopefully I'll have time to document some of the things I find this time around.

Notes:


The Bouncy Castle project originated around the turn of the century (Year 2000). According to Wikipedia, the project was founded when a couple of co-workers got tired of having to re-implement cryptography libraries each time they changed jobs. Originally implemented in Java, it has since been ported to the .NET Platform (C#). Bouncy Castle is released under a Modified X11 MIT license, which means it's pretty darn open.

Bouncy Castle is a very capable Cryptographic package and has an impressive feature list including (but not limited to):

  • A clean room implementation of the JCE 1.2.1.
  • A library for reading and writing encoded ASN.1 objects.
  • A lightweight client-side TLS API.
  • Generators for Version 1 and Version 3 X.509 certificates, Version 2 CRLs, and PKCS12 files.
  • Generators for Version 2 X.509 attribute certificates.
  • Generators/Processors for S/MIME and CMS (PKCS7/RFC 3852).
  • Generators/Processors for OCSP (RFC 2560).
  • Generators/Processors for TSP (RFC 3161 & RFC 5544).
  • Generators/Processors for CMP and CRMF (RFC 4210 & RFC 4211).
  • Generators/Processors for OpenPGP (RFC 4880).
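
The key, V3 certificate and PKCS12 keystore generators from that list, as an added example of how they fit together in the .NET API; this is not the author's Certificate Generator tool. It assumes a Bouncy Castle C# release that has `Asn1SignatureFactory` (1.8 or later), and the subject name, file name and password are placeholders.

```csharp
using System;
using System.IO;
using Org.BouncyCastle.Asn1.X509;
using Org.BouncyCastle.Crypto;
using Org.BouncyCastle.Crypto.Generators;
using Org.BouncyCastle.Crypto.Operators;
using Org.BouncyCastle.Math;
using Org.BouncyCastle.Pkcs;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Utilities;
using Org.BouncyCastle.X509;
public static class CertGenExample
{
    public static void Main()
    {
        var random = new SecureRandom();
        // 1. RSA 2048-bit key pair (BC defaults the public exponent to 65537).
        var keyGen = new RsaKeyPairGenerator();
        keyGen.Init(new KeyGenerationParameters(random, 2048));
        AsymmetricCipherKeyPair keyPair = keyGen.GenerateKeyPair();
        // 2. Self-signed V3 certificate; the subject name is a placeholder.
        var name = new X509Name("CN=example.test, O=Example Org");
        var gen = new X509V3CertificateGenerator();
        // Random positive serial rather than a counter: no collisions across generators.
        gen.SetSerialNumber(BigIntegers.CreateRandomInRange(
            BigInteger.One, BigInteger.ValueOf(long.MaxValue), random));
        gen.SetIssuerDN(name);
        gen.SetSubjectDN(name);
        gen.SetNotBefore(DateTime.UtcNow.AddMinutes(-5)); // tolerate clock skew
        gen.SetNotAfter(DateTime.UtcNow.AddYears(1));
        gen.SetPublicKey(keyPair.Public);
        // Critical non-CA basic constraints: this cert cannot be used to issue others.
        gen.AddExtension(X509Extensions.BasicConstraints, true, new BasicConstraints(false));
        gen.AddExtension(X509Extensions.KeyUsage, true,
            new KeyUsage(KeyUsage.DigitalSignature | KeyUsage.KeyEncipherment));
        gen.AddExtension(X509Extensions.SubjectAlternativeName, false,
            new GeneralNames(new GeneralName(GeneralName.DnsName, "example.test")));
        X509Certificate cert = gen.Generate(
            new Asn1SignatureFactory("SHA256WITHRSA", keyPair.Private, random));
        // 3. Sanity checks: each throws if the signature or validity window is wrong.
        cert.Verify(keyPair.Public);
        cert.CheckValidity(DateTime.UtcNow);
        // 4. PKCS#12 keystore holding key + chain; the password is a placeholder.
        Pkcs12Store store = new Pkcs12StoreBuilder().Build();
        var certEntry = new X509CertificateEntry(cert);
        store.SetKeyEntry("example", new AsymmetricKeyEntry(keyPair.Private), new[] { certEntry });
        using (var fs = new FileStream("example.p12", FileMode.Create, FileAccess.Write))
            store.Save(fs, "changeit".ToCharArray(), random);
    }
}
```

Older releases used `gen.SetSignatureAlgorithm("SHA256WITHRSA")` followed by `gen.Generate(keyPair.Private, random)` instead of the signature factory; the rest of the sequence is the same.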

After downloading Bouncy Castle it will be apparent that there is not enough documentation to really do anything useful. Every now and then you'll find some XML documentation for a method; those are rare moments, so treasure them as they come. Fortunately there are some helpful tips floating around out there on the Interwebs. Unfortunately, aside from basic examples you will probably be on your own to figure out the full breadth and depth of the Bouncy Castle API.

So, if Bouncy Castle is so poorly documented and kind of difficult to get started with, why do people use it at all? After all, both .NET and Java provide cryptographic services; it would make sense to use native methods where possible.

There are a few reasons why I've occasionally used the .NET variant of Bouncy Castle over the last few years:

  • .NET used to not come with a BigInteger type. The newest editions (.NET 4 / 4.5) do come with a BigInteger.
  • Sometimes there is just some wonkiness with the .NET Cryptographic API. Bouncy Castle provides a great alternate route to accomplish crypto tasks when .NET 'breaks'.
  • Convenience / why reinvent the wheel: Bouncy Castle is a stable, mature crypto library. If something goes wrong I'm not entirely on my own in troubleshooting. If I learn Bouncy Castle I can use it anywhere (unlike the crypto classes where I work; there's no way I could release any of that code outside of work!).


Final word of advice: If you want to try out Bouncy Castle, try out the Source release. That way you'll be able to make use of the XML Code comments. As few in number as they are, they can be a life saver!