On Wed, Nov 2, 2011 at 9:17 PM, perumal316 <[email protected]> wrote:
> Hi All, > > Are Android Crypto libraries are based on Bouncycastle APIs? > yes and no > > Are all the functionality included? no > Because in some Android code > snippets, it is mentioned that need to include the external > bouncycastle library and add in the following line of code. > yes, it is not part of the public API, so you can't depend on it to be available. The main reason is that the bouncycastle API is not intended to be stable. For example when we upgraded it from 1.34 to 1.45 between Froyo and Gingerbread, they changed their APIs so people getting lucky and using the internally bundled version found their code may have stopped working. In Honeycomb we used jarjar to move it to a different package name (no longer org.bouncycastle.*) to prevent people from adding further dependencies accidentally. > > "Security.insertProviderAt(new BouncyCastleProvider(), 1);" > > What is the difference? But the libraries imported are as follows: > > "import javax.crypto.*" > > Is Android using Bouncycastle APIs or Java Security packages? > you should use the APIs provided in the SDK. the SDK has a api jar file to compile against that contains solely the public APIs without any internal classes to prevent accidents. the Android SDK documentation also covers what classes are included at http://developer.android.com/reference/packages.html. which include packages such asjavax.crypto<http://developer.android.com/reference/javax/crypto/package-summary.html> and java.security<http://developer.android.com/reference/java/security/package-summary.html> . one main use case not covered by the java/javax apis is x509 certificate generation (not just parsing existing certs, that is done with CertificateFactory). Historically many of the people accidentally using BouncyCastle APIs were doing so for the certificate generator. they now typically jarjar a stripped down (with proguard potentially) copy of BC that contains just what they need in their own app. -bri -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/android-security-discuss?hl=en.
