
BouncyCastle required in Java 8 121?


So we recently updated Java on our CentOS servers to java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/ from java-1.8.0-openjdk-1.8.0.60-2.b27.el7_1.x86_64 and we ran into problems with communications and TLS encryption, etc. We discovered the solution to those issues being the java.security file was not being overwritten with the new one (as we have specified BouncyCastleProvider in the file). Once we moved the java.security.rpmnew into place as java.security, our communication problems went away.

We did NOT update the new java.security file with the BouncyCastleProvider, however, yet the encryption in our application, which uses the BouncyCastleProvider, did NOT break. We even removed the bcprov-*.jar from the jre/lib/ext directory, restarted Tomcat, rebooted the entire server, and STILL it works. I have checked the release notes and not found anything mentioning it. I worry that these changes will eventually break and our encryption will start to fail. Yet it is working WITHOUT any BouncyCastleProvider on the server.

TL;DR: my question is, is BouncyCastle now included in Java 8? We have removed the provider from java.security and the bcprov.jar from the /ext directory and it is still working. We are using jasypt v1.9.2 for the encryption.

pom.xml

<dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcprov-jdk15on</artifactId>
  <version>1.52</version>
  <scope>provided</scope>
</dependency>

Code:

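import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.exceptions.EncryptionOperationNotPossibleException;

StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
String algorithm = "PBEWITHSHA256AND256BITAES-CBC-BC";
// jasypt looks this provider up by name, so it must already be registered in the JVM
String providerName = "BC";

encryptor.setAlgorithm(algorithm);
encryptor.setProviderName(providerName);

String encData = EMPTY_STRING;

try {
  encryptor.setPassword("myPassword");
  encData = encryptor.encrypt(dataToEncrypt);
} catch (EncryptionOperationNotPossibleException e) {
  // The post does not show the catch clause; failing loudly here is an assumption
  throw new IllegalStateException("Encryption failed", e);
}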

Solution

  • No. BouncyCastle isn't included in OpenJDK 8, or prior versions.

    Most likely, the library is bundled in the web applications or is present in one of Tomcat's extension libraries.
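To confirm where the "BC" provider actually comes from, the following added example (not code from the question or the answer) lists every provider registered in the running JVM together with the JAR and class loader it was loaded from, then checks that BC exposes the algorithm named in the question. The class name `ProviderOrigin` is hypothetical.

```java
import java.net.URL;
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;

public class ProviderOrigin {

    // Algorithm name taken from the question's jasypt configuration.
    static final String ALGORITHM = "PBEWITHSHA256AND256BITAES-CBC-BC";

    /** Describes which JAR and class loader a registered JCA provider came from. */
    static String describe(Provider p) {
        CodeSource src = p.getClass().getProtectionDomain().getCodeSource();
        URL location = (src == null) ? null : src.getLocation();
        ClassLoader loader = p.getClass().getClassLoader();
        return String.format("%-10s version=%s class=%s%n    jar=%s%n    loader=%s",
                p.getName(), p.getVersion(), p.getClass().getName(),
                location == null ? "(JDK runtime / bootstrap)" : location,
                loader == null ? "(bootstrap)" : loader);
    }

    public static void main(String[] args) {
        // Every provider registered in this JVM, in preference order.
        for (Provider p : Security.getProviders()) {
            System.out.println(describe(p));
        }

        Provider bc = Security.getProvider("BC");
        if (bc == null) {
            System.out.println("BC is not registered in this JVM");
            return;
        }
        // jasypt requests both a SecretKeyFactory and a Cipher under this name.
        System.out.println("SecretKeyFactory: "
                + (bc.getService("SecretKeyFactory", ALGORITHM) != null));
        System.out.println("Cipher:           "
                + (bc.getService("Cipher", ALGORITHM) != null));
    }
}
```

Run standalone, this only reports the providers of a bare JDK; to see what the web application sees, call `describe` from code running inside the same Tomcat JVM (for example a temporary servlet), where the `jar=` line will point at the `WEB-INF/lib` or Tomcat `lib` copy if one exists.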