In the meantime Android has changed the package name and BC can be used in its latest version. But there is still at least one problem:
The provider name "BC" is taken by the old built-in BC version. Adding BC with Security.addProvider(new BouncyCastleProvider(), 0) as first provider might work in simple cases, but Android Pie introduced a nasty check for the BouncyCastleProvider that disallows several modes, e.g. the X.509 certificate path checking and some other algorithms cannot be instantiated. This problem occurs when BC is added with Security.addProvider before sun.security.jca.Providers is first touched. Adding BC to the list of providers is usually required to be able to route indirect calls from other code referring to BC to the new BC version. E.g. the PKCS12 key store uses in its code a call to build a CertificateFactory using BC.
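The check is located in sun.security.jca.Providers and is called by java.security.cert.CertificateFactory. That code cannot distinguish between the built-in BC and the new version. The hack to solve this problem is to run the following code at the very start, before anything else. It must be executed before sun.security.jca.Providers is touched; otherwise the static code block has already read the existing crypto providers: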
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

private static final String SUN_PROVIDERS = "sun.security.jca.Providers";
...
// remove BC provider first
Security.removeProvider("BC");
// also remove the insufficient AndroidOpenSSL provider for X.509 - most likely only needed if BouncyCastleJsseProvider is used
Security.removeProvider("AndroidOpenSSL");
// touch the internal Providers class to trigger the static provider loading
// see http://androidxref.com/9.0.0_r3/xref/libcore/ojluni/src/main/java/sun/security/jca/Providers.java#SYSTEM_BOUNCY_CASTLE_PROVIDER
try {
    Class.forName(SUN_PROVIDERS);
} catch (ClassNotFoundException e) {
    throw new RuntimeException(String.format("%s to patch not found.", SUN_PROVIDERS), e);
}
// insert modern BC as first crypto provider
// (positions are 1-based; an out-of-range position such as 0 appends the provider at the end instead)
Security.insertProviderAt(new BouncyCastleProvider(), 1);
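A way to confirm that the swap above took effect, as an added example that is not part of the original answer: it checks that the name "BC" resolves to the upstream provider class, that it sits in the first slot, and that the X.509 and certificate path services can be instantiated through it. The class name BcProviderCheck and the method verify() are hypothetical.

```java
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper: reports whether the provider swap took effect. */
public final class BcProviderCheck {
    // Class name of the upstream (non-repackaged) Bouncy Castle provider.
    private static final String MODERN_BC =
            "org.bouncycastle.jce.provider.BouncyCastleProvider";

    /** Returns a list of problems; an empty list means the swap looks correct. */
    public static List<String> verify() {
        List<String> problems = new ArrayList<>();
        Provider[] all = Security.getProviders();
        Provider bc = Security.getProvider("BC");
        if (bc == null) {
            problems.add("no provider is registered under the name BC");
            return problems;
        }
        // The built-in copy uses a different package name, so the class name tells them apart.
        if (!MODERN_BC.equals(bc.getClass().getName())) {
            problems.add("BC resolves to " + bc.getClass().getName());
        }
        // getProviders() is ordered by preference; index 0 is position 1.
        if (all.length == 0 || all[0] != bc) {
            String first = all.length == 0 ? "none" : all[0].getName();
            problems.add("BC is not the most preferred provider; first is " + first);
        }
        // The services the answer names as failing: X.509 and certificate path checking.
        try {
            CertificateFactory.getInstance("X.509", "BC");
            CertPathValidator.getInstance("PKIX", "BC");
        } catch (Exception e) {
            problems.add("BC service lookup failed: " + e);
        }
        return problems;
    }

    public static void main(String[] args) {
        List<String> problems = verify();
        System.out.println(problems.isEmpty()
                ? "BC provider swap OK" : String.join("\n", problems));
    }
}
```

On Android, call verify() right after the swap code and log the returned list; main() is only there for running the check on a desktop JVM with Bouncy Castle on the classpath.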