Using Bouncy Castle with an Android app

by fba » Sat, 28 Aug 2010 06:55:39 GMT

Sponsored Links
 Has anyone managed to use Bouncy Castle in one of their apps?   I need
to be able to do detailed manipulations of x509 certificates (generate
CSRs, generate key pairs, convert between different certificate
formats, etc.), and BC seems the best way to do that.

I have tried putting the bcprov library in to my project, and then
just using BC like I normally would.   When the app is installed, a
large number of "DexOpt: not verifying"... messages pop up.  I suspect
this is because BC is already used in Android.  However, when I make
calls to certain methods in certain classes, I get errors like this :

java.lang.ClassCastException: org.bouncycastle.asn1.DERSequence

I suspect this is because of ambiguity between the classes that are
included in the OS, and the ones in my project.

Is there any way to get around this?  Maybe tell my program to use the
BC library that is included with it and ignore the one included in the

Or, could I get around this by making sure that I am using the same
version that is included in the OS?   (Or, in a nutshell, is the
ClassCastException likely to be a problem because the parameters
defined for the same method names don't match?)

Thanks for any help!


Using Bouncy Castle with an Android app

by Frank Weiss » Sat, 28 Aug 2010 07:17:17 GMT

 I suppose you might try asking the folks at BouncyCastle to provide an
Andorid/Dalvik/Harmony version or become a committer on that project.
(Damnit! I'm starting to see some merit to the Oracle vs
Google/Android lawsuit)


Sponsored Links

Using Bouncy Castle with an Android app

by Fabrizio Giudici » Sat, 28 Aug 2010 07:29:08 GMT

Hash: SHA1

I don't fully understand what's happening to you because more details
are needed, and generally speaking I think that Android would prevent
you from embedding in your app classes which are already present in
the runtime, but your problem seems to definitely fall within this area.

One possible solution (but it's about the symptom, not necessarily the
real cause and thus not necessarily the best solution) is to use a
static bytecode manipulator that renames packages in a jar. I use
Maven and there is the maven-shade-plugin, but I'm sure similar tools
exist for Ant. The basic idea is that if you have L.jar containing
com.acme.MyClass and A.jar referring to it, with the tool you can
directly feed in L.jar and A.jar and achieve L2.jar and A2.jar where
both the original class and its references have been replaced by
something such as This works for me (not for
BouncyCastle but for other stuff). With this trick, your source files
stay as they are, but the binary code gets fixed before being
converted to dex.

- -- 
Fabrizio Giudici - Java Architect, Project Manager
Tidalwave s.a.s. - "We make Java work. Everywhere." -
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
Comment: Using GnuPG with Mozilla - 



Using Bouncy Castle with an Android app

by joebowbeer » Tue, 31 Aug 2010 05:49:20 GMT

 If there's a conflict at runtime then you may not need to include the
BC classes yourself.  Just add BC to your bootclasspath for building.
Seems a bit fragile, though, even if it works...

Can you access the needed functionality via the



Using Bouncy Castle with an Android app

by joebowbeer » Tue, 31 Aug 2010 06:02:17 GMT

 By the way, bouncycastle is currently in libcore: ;a=tree;f=security


Using Bouncy Castle with an Android app

by joebowbeer » Tue, 31 Aug 2010 09:09:31 GMT

 By the way, the bouncycastle sources are currently in libcore: ;a=tree;f=security


Using Bouncy Castle with an Android app

by Robert Nekic » Tue, 31 Aug 2010 21:46:23 GMT

 I'm using bcprov-jdk16-145 in my app and it works fine.  I also see
the DexOpt messages in logcat and I get some build warnings from it
(Ignoring InnerClasses attribute for an anonymous inner class that
doesn't come with an associated EnclosingMethod attribute. (This class
was probably produced by a broken compiler.)

Regardless, it ultimately builds and appears to work properly.  I'm
using it for some x509 stuff but I haven't encountered any

I'd love to remove it if this stuff is actually available in Android
somewhere since the jar adds quite a lot of bulk to my app.


Using Bouncy Castle with an Android app

by fba » Wed, 01 Sep 2010 05:49:25 GMT

 (Robert Nekic) Have you tried to generate a CSR with BC in your app?
I seem to be able to do a lot of different certificate related things,
but hit the ClassCastException when I try to generate a CSR.

The other route I have looked at is CoDec, but the license listed on
SourceForge doesn't match the license in the code.   I have contacted
the developers who have said they will get back to me, but I am
looking for a mitigation route if the license doesn't pan out how I
would hope.

Does anyone know of any other libraries that would work for
certificate manipulation?   The classes don't have
any obvious way to generate a CSR, so I am not sure that will work.
Also, I don't need to be able to actually generate SSL sessions using
the certificates, since they are fed in to another program that
handles all of that.  I just need to be able to work with the


Other Threads

1. Problem to open a internal activity( using sharedUserId.

Hello everybody,

In my application, I need to open the Browser Download History
represented by the activity But when I start this
activity this error message appears:

WARN/ActivityManager(582): Permission Denial: starting Intent
{ flags=0x10000000 comp={} } from ProcessRecord{43700fd8} (pid=723, uid=10018) requires null

So, I used android:sharedUserId="android.uid.system" in my
AndroidManifest, to get the system permission. This solution resolved
the first problem, but creates a side effect. My application is a
system application (like camera, launcher, etc), it cannot be
uninstalled, so when i run the phone build, my apk is not installed
and this error message appears:


You guys know why this is happening?
Is there another way to open the Browser Download History?



2. C&D cyanogen devs comeon, really?

So everytime I have seen someone ask about apps2sd for android, the
response has been something along the lines of 'well if you don't like
the space on the phone modify it yourself if its that easy'  Someone
takes this to heart and does it for free for thousands of users who
are already supporting google and you shut them down?  Now we have to
pick between having space for apps on our phone -OR- not having the
marketplace on our phone anymore so it doesn't even matter?  I highly
suggest if you are going to C&D cyanogen to  give users who have PAID
for a 'powered by google' android device to backup their google apps
that they paid for.  We have paid for the software we should be
entitled to use it with any build of android we choose.  Otherwise,
you might want to try taking user requests a little more seriously.

3. Packaged Google Apps

4. ImageButton on Graphic Background

5. Is Java JDK 1.6 official supported for Android SDK 1.6

6. Paging bos luckysebastian

7. Why is my file not accesible at data/data ?