How to Include the Spongy Castle Jar in Android

How to include the Spongy Castle JAR in Android?

These are two very simple examples of how to include Spongy Castle in a project:

  • github.com/rtyley/spongycastle-eclipse - Eclipse
  • github.com/rtyley/toy-android-ssh-agent - Maven

Since v1.47, Spongy Castle has been split into separate sub-jars that exactly mirror the matching Bouncy Castle artifacts (e.g. sc-light-jdk15on.jar, scpg-jdk15on.jar, etc.), and it is important to ensure you include all the Spongy Castle jars required for what you're doing.

Full information on dependencies can be found at:

http://rtyley.github.com/spongycastle/#downloads

At minimum you'll need the sc-light-jdk15on.jar (the base lightweight-API implementation) and probably scprov-jdk15on.jar (the JCE wrapper around the lightweight-API). If you're using Maven then all this dependency-management stuff is taken care of for you.

The problematic dependencies you describe on javax.mail, javax.activation, etc, indicate that you might have chosen an incorrect jar (e.g. the every-single-library-component one, rather than the 'core provider' one) - as the scprov-jdk15on jar definitely doesn't have any of those weird dependencies, and runs happily on Android.

(disclaimer, I'm the maintainer of Spongy Castle, but I've had plenty of success reports from other users too!)

Spongycastle provider not working on Android

If you use Eclipse, I recommend you download this example and compile it. Based on the example, "SC" is not a KeyStore.

If you need another example, there is a good tutorial here (ECDH - Elliptic Curve Diffie Hellman on Android).

Android Spongy Castle Gradle dependencies

Both pg and pkix depend on prov, which depends on core, so this should be sufficient to add all four jars to your project.

compile 'com.madgag.spongycastle:bcpkix-jdk15on:<version>'
compile 'com.madgag.spongycastle:bcpg-jdk15on:<version>'

But do you need both pkix and pg? One contains the APIs for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP, and CRMF and the other contains the OpenPGP APIs. You should only include the one you actually need.

Finally, unless you have a VERY GOOD REASON you should use the latest version of SpongyCastle - not just the version you copy-pasted from another StackOverflow answer. You can find the latest version on Maven Central.

How do I know if I am using Bouncy Castle from the jar or the one implemented in Android?

For at least the last several versions Android has fixed the namespace conflict by renaming the bouncycastle classes they use to com.android.**. I'm not exactly sure when this occurred, but looking at the source code repository at https://android.googlesource.com/platform/external/bouncycastle/+refs suggests the change happened starting with Ice Cream Sandwich -- API level 14.

I'm not sure what they did about the string-based provider lookups, e.g. Cipher.getInstance("AES/GCM/PKCS5PADDING", "BC"). However, every getInstance() method in the JCE also has a version where you can explicitly specify the Provider class, e.g. Cipher.getInstance("AES/GCM/PKCS5PADDING", new org.bouncycastle.jce.provider.BouncyCastleProvider()) which eliminates any ambiguity.
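
A way to check at runtime which implementation each kind of lookup resolves to, as an added example that is not part of the original answer. It assumes the Spongy Castle prov jar is on the classpath; the class name ProviderCheck and its helper methods are made up for illustration.

```java
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;

// Hypothetical helper class (not from the answer); needs the Spongy Castle prov jar on the classpath.
public class ProviderCheck {

    /** Every registered JCE provider in preference order, as "name -> implementing class". */
    static String describeProviders() {
        StringBuilder sb = new StringBuilder();
        for (Provider p : Security.getProviders()) {
            sb.append(p.getName()).append(" -> ").append(p.getClass().getName()).append('\n');
        }
        return sb.toString();
    }

    /** Class behind a string-based lookup such as "BC" or "SC"; null if that name is not registered. */
    static String backingClass(String providerName) {
        Provider p = Security.getProvider(providerName);
        return (p == null) ? null : p.getClass().getName();
    }

    /** Class of the provider that serves a lookup when no provider is named at all. */
    static String defaultProviderFor(String digestAlgorithm) throws Exception {
        return MessageDigest.getInstance(digestAlgorithm).getProvider().getClass().getName();
    }

    public static void main(String[] args) throws Exception {
        Provider sc = new org.spongycastle.jce.provider.BouncyCastleProvider();
        Security.addProvider(sc); // appended after the providers already registered

        System.out.print(describeProviders());
        // The package prefix tells the copies apart: com.android.* is the platform's renamed
        // Bouncy Castle, org.bouncycastle.* a bundled Bouncy Castle jar, org.spongycastle.* Spongy Castle.
        System.out.println("\"BC\" -> " + backingClass("BC"));
        System.out.println("\"SC\" -> " + backingClass("SC"));
        System.out.println("SHA-256 default -> " + defaultProviderFor("SHA-256"));

        // Passing the Provider object pins the implementation regardless of registered names or order.
        MessageDigest pinned = MessageDigest.getInstance("SHA-256", sc);
        System.out.println("SHA-256 pinned -> " + pinned.getProvider().getClass().getName());
    }
}
```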

Add spongycastle as provider to Android Studio

You are missing the Spongy Castle JCE provider JAR.

compile 'com.madgag.spongycastle:prov:1.54.0.0'

Spongy Castle in Android

It may be too late for this answer; however, here is an example of the implementation:

SpongyCastle should be the same as BouncyCastle, just usable in Android.

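import java.security.SecureRandom;
import java.security.Security;

public class SHA1PRNG {
    // Here I swapped out the BouncyCastle provider and used the SpongyCastle one.
    static {
        Security.addProvider(new org.spongycastle.jce.provider.BouncyCastleProvider());
    }

    public static void main(String[] args) throws Exception {
        // No provider is named here, so the first registered provider that offers SHA1PRNG serves the request.
        SecureRandom rng = SecureRandom.getInstance("SHA1PRNG");
        // A constant seed supplied before the first nextBytes() call makes the output
        // repeatable on the standard JDK SHA1PRNG; do not seed like this when the bytes
        // must be unpredictable (keys, IVs, tokens).
        rng.setSeed(711);

        int numberToGenerate = 999;
        byte[] randNumbers = new byte[numberToGenerate];

        // Fill the array and print each byte as a signed decimal value.
        rng.nextBytes(randNumbers);
        for (int j = 0; j < numberToGenerate; j++) {
            System.out.print(randNumbers[j] + " ");
        }
    }
}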

From:
www.java2s.com/Code/Java/Security/SecureRandomSHA1PRNG.htm

java.util.zip.ZipException with spongycastle LICENSE.class

This is what happens if developers include their dependencies directly. The bad guy here is jumio-mobile-sdk. This package includes classes of com.madgag.spongycastle directly, instead of specifying them in a pom as it should be done.

Luckily for you, the other package is set up correctly, so you should be able to exclude spongycastle from it:

compile ('com.worldpay:cse-android-sdk:1.0.2') {
    exclude group: 'com.madgag.spongycastle'
}

Now imagine both packages would've included the classes directly. There would've been no other possibility than to manually edit the files. This is why I hate it if someone does what the guys of jumio are doing. If you have the contacts, tell them to prepare their package for dependency systems, so this problem won't arise again.


