### Start OpenSSL TLS Client

Source: https://github.com/bcgit/bc-java/blob/main/tls/docs/OpenSSLSetup.html

Use this command to start an OpenSSL TLS client. Ensure the certificate files it references (CA certificate, client certificate and client key) are in the working directory. Note that `s_client` reports certificate verification problems but still completes the handshake unless `-verify_return_error` is also given.

```bash
openssl s_client -connect localhost:5556 -debug -msg -state -tls1_2 -CAfile x509-ca-rsa.pem -cert x509-client-rsa.pem -key x509-client-key-rsa.pem -verify 0
```

--------------------------------

### Start OpenSSL DTLS Client

Source: https://github.com/bcgit/bc-java/blob/main/tls/docs/OpenSSLSetup.html

Use this command to start an OpenSSL DTLS client. The `-mtu` option matters for DTLS: it bounds the datagram size so that handshake messages are fragmented to fit the path MTU instead of being dropped.

```bash
openssl s_client -connect localhost:5556 -mtu 1500 -debug -msg -state -dtls1_2 -CAfile x509-ca-rsa.pem -cert x509-client-rsa.pem -key x509-client-key-rsa.pem -verify 0
```

--------------------------------

### Start OpenSSL TLS Server

Source: https://github.com/bcgit/bc-java/blob/main/tls/docs/OpenSSLSetup.html

Use this command to start an OpenSSL TLS server for testing TLS handshakes. `-www` answers an HTTP GET with a status page, and `-verify 0` requests a client certificate without requiring one (use `-Verify` to fail the handshake when the client presents none).

```bash
openssl s_server -accept 5556 -debug -msg -state -tls1_2 -www -CAfile x509-ca-rsa.pem -cert x509-server-rsa-sign.pem -key x509-server-key-rsa-sign.pem -verify 0
```

--------------------------------

### Start GnuTLS Server for TLS

Source: https://github.com/bcgit/bc-java/blob/main/tls/docs/GnuTLSSetup.html

Use this command to start the GnuTLS server for standard TLS connections; `--http` makes it answer HTTP requests over the TLS session. Ensure the certificate files are in your working directory.

```bash
gnutls-serv --http --x509cafile x509-ca-rsa.pem --x509keyfile x509-server-key-rsa-sign.pem --x509certfile x509-server-rsa-sign.pem
```

--------------------------------

### Start OpenSSL DTLS Server

Source: https://github.com/bcgit/bc-java/blob/main/tls/docs/OpenSSLSetup.html

Use this command to start an OpenSSL DTLS server. The server prints received data to stdout.
```bash
openssl s_server -accept 5556 -mtu 1500 -debug -msg -state -dtls1_2 -CAfile x509-ca-rsa.pem -cert x509-server-rsa-sign.pem -key x509-server-key-rsa-sign.pem -verify 0
```

--------------------------------

### Install Bouncy Castle Provider Dynamically

Source: https://github.com/bcgit/bc-java/wiki/Provider-Installation

Use this method to install the Bouncy Castle provider at runtime. Ensure the `BouncyCastleProvider` class is imported.

```java
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

...

// Appends BC to the end of the provider list; use Security.insertProviderAt(new BouncyCastleProvider(), 1)
// if BC should take precedence over the JDK's own providers
Security.addProvider(new BouncyCastleProvider());
```

--------------------------------

### Build and Test Project with Gradle

Source: https://github.com/bcgit/bc-java/blob/main/README.md

Execute the clean and build tasks for the project using `gradlew`. Ensure `JAVA_HOME` points to JDK 25 or higher, or that `gradlew` can find a suitable installation.

```bash
./gradlew clean build
```

--------------------------------

### Enrollment using enroll.sh

Source: https://github.com/bcgit/bc-java/blob/main/test/est/example/README.md

Perform certificate enrollment using the `enroll.sh` script. This example specifies the trust anchor, the EST server URL, the HTTP authentication credentials, and a common name for the certificate; the lines after the command are the script's output.

```bash
./enroll.sh -t server.ta.pem -u testrfc7030.com:8443 --auth estuser:estpwd -c BARRY

Subject: CN=BARRY
Issuer: CN=estExampleCA
Serial Number: 8727
Not Before: Tue Feb 07 16:00:25 AEDT 2017
Not After: Wed Feb 07 16:00:25 AEDT 2018
Signature Algorithm: org.bouncycastle.asn1.x509.AlgorithmIdentifier@ca7a8819
```

--------------------------------

### Run ensurejar.sh Script

Source: https://github.com/bcgit/bc-java/blob/main/test/est/example/README.md

Execute this script to ensure the dependencies of the EST examples are met. It downloads the provider, builds the Bouncy Castle distribution using Gradle, and copies the necessary JARs.
```bash
cd /test/est/example
./ensurejar.sh
```

--------------------------------

### Build Full JDK 1.5 Distribution

Source: https://github.com/bcgit/bc-java/wiki/Building-the-Code-from-Source-Distributions

Use this command to build the full JDK 1.5 distribution, including the provider and libraries. Ensure `JAVA_HOME` is correctly set and the necessary libraries are on your classpath.

```shell
sh build15+
```

--------------------------------

### Initialize and Use Light-weight API for Encryption

Source: https://github.com/bcgit/bc-java/blob/main/docs/specifications.html

This snippet shows how to initialize and use the light-weight API for encryption, producing the equivalent of `DES/CBC/PKCS5Padding`. `keyString` and `inputString` are assumed to be supplied by the caller; a DES key is 8 bytes.

```java
import org.bouncycastle.crypto.BlockCipher;
import org.bouncycastle.crypto.BufferedBlockCipher;
import org.bouncycastle.crypto.CryptoException;
import org.bouncycastle.crypto.engines.DESEngine;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher;
import org.bouncycastle.crypto.params.KeyParameter;

/*
 * This will use a supplied key, and encrypt the data
 * This is the equivalent of DES/CBC/PKCS5Padding
 * (PaddedBufferedBlockCipher defaults to PKCS7 padding, which is PKCS5 padding for an 8-byte block)
 */
BlockCipher engine = new DESEngine();
BufferedBlockCipher cipher = new PaddedBufferedBlockCipher(new CBCBlockCipher(engine));

byte[] key = keyString.getBytes();      // must be 8 bytes for DES
byte[] input = inputString.getBytes();

// true = encrypt. A bare KeyParameter carries no IV, so CBC starts from an all-zero IV;
// pass a ParametersWithIV wrapping a fresh random IV for anything beyond a demonstration.
cipher.init(true, new KeyParameter(key));

byte[] cipherText = new byte[cipher.getOutputSize(input.length)];

int outputLen = cipher.processBytes(input, 0, input.length, cipherText, 0);
try
{
    // pads and emits the final block; outputLen is now the total ciphertext length
    outputLen += cipher.doFinal(cipherText, outputLen);
}
catch (CryptoException ce)
{
    System.err.println(ce);
    System.exit(1);
}
```

--------------------------------

### Example Server URL for EST

Source: https://github.com/bcgit/bc-java/blob/main/test/est/example/README.md

This is the URL of the Cisco test server used in the EST examples. Ensure this server is reachable before running them.

```http
http://testrfc7030.com/
```

--------------------------------

### Example CA Certificate in PEM Format

Source: https://github.com/bcgit/bc-java/blob/main/test/est/example/README.md

This is an example of a CA certificate in PEM format, as might be fetched during the EST `cacerts` step. It establishes the trust anchor for subsequent operations.
```pem
-----BEGIN CERTIFICATE-----
MIIBUjCB+aADAgECAgkAwc6rXEzvJGowCQYHKoZIzj0EATAXMRUwEwYDVQQDEwxl
ZXhhbXBsZUNBMEHhcNMTYwOTA3MTcxOTM5WhcNMTcwOTA3MTcxOTM5WjAXMRUw
EwYDVQQDEwxlc3RFeGFtcGxlQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQs
JmLuU8faAKwGQs6A0WpYlwdwR/C0U6kvIIMjcLdPX+OBtYtHo2B8WMDOU5AkGgZ+
Bmy9ZdaZj2BTqGqsiNSioy8wLTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTSse7P
EyPT3DkGbsMutPbRjWpKdDAJBgcqhkjOPQQBA0kAMEYCIQDtdmXQD7TQo/mLMsce
Hw+Xzwb+1WhQoG8ra1PkEugcygIhAPOZ/L5cnpw/1S8rpVfxSVXUOQpatrgIo50y
WmAvxibh
-----END CERTIFICATE-----
```

--------------------------------

### Start GnuTLS Server for DTLS

Source: https://github.com/bcgit/bc-java/blob/main/tls/docs/GnuTLSSetup.html

Use this command to start the GnuTLS server for Datagram Transport Layer Security (DTLS) connections. `--udp` selects DTLS, `--mtu 1500` bounds the datagram size, and `--echo` sends received data back to the client.

```bash
gnutls-serv --echo --udp --mtu 1500 --x509cafile x509-ca-rsa.pem --x509keyfile x509-server-key-rsa-sign.pem --x509certfile x509-server-rsa-sign.pem
```

--------------------------------

### Create PKCS#12 KeyStore and Self-Signed Certificate

Source: https://context7.com/bcgit/bc-java/llms.txt

Demonstrates generating an EC key pair, creating a self-signed X.509 certificate, and storing both in a PKCS#12 KeyStore, then reloading the store to confirm the key round-trips. Requires the Bouncy Castle provider and the `bcpkix` operator/cert classes on the classpath.
```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class Pkcs12Example
{
    public static void main(String[] args) throws Exception
    {
        Security.addProvider(new BouncyCastleProvider());

        // Generate EC key pair for TLS end-entity
        KeyPairGenerator kpGen = KeyPairGenerator.getInstance("EC", "BC");
        kpGen.initialize(256);
        KeyPair kp = kpGen.generateKeyPair();

        // Self-signed certificate: issuer and subject are the same name
        X500Name dn = new X500Name("CN=myserver.example.com,O=Example,C=GB");
        JcaX509v3CertificateBuilder certBldr = new JcaX509v3CertificateBuilder(
            dn, BigInteger.ONE,
            new Date(System.currentTimeMillis() - 5000),                      // notBefore, small skew allowance
            new Date(System.currentTimeMillis() + 365L * 24 * 3600 * 1000),   // notAfter, one year (long arithmetic)
            dn, kp.getPublic());
        // Mark it as an end-entity certificate (cA = false), critical
        certBldr.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withECDSA").setProvider("BC").build(kp.getPrivate());
        X509Certificate cert = new JcaX509CertificateConverter()
            .setProvider("BC")
            .getCertificate(certBldr.build(signer));

        // Write to PKCS#12
        char[] password = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12", "BC");
        ks.load(null, null);   // initialise an empty store
        ks.setKeyEntry("mykey", kp.getPrivate(), password, new java.security.cert.Certificate[]{cert});

        ByteArrayOutputStream bOut = new ByteArrayOutputStream();
        ks.store(bOut, password);

        // Reload and verify the key entry survives the round trip
        KeyStore loaded = KeyStore.getInstance("PKCS12", "BC");
        loaded.load(new ByteArrayInputStream(bOut.toByteArray()), password);
        PrivateKey reloaded = (PrivateKey)loaded.getKey("mykey", password);
        System.out.println("Key algorithm: " + reloaded.getAlgorithm());   // EC
    }
}
```

--------------------------------

### Thread Local Setup of ImplicitlyCA with JDK 1.4 API
Source: https://github.com/bcgit/bc-java/wiki/Using-the-Bouncy-Castle-Provider's-ImplicitlyCA-Facility

Configure the thread-local ImplicitlyCA parameters for elliptic curve cryptography using Bouncy Castle's own JDK 1.4-style `ECParameterSpec`. The setting applies only to the thread that makes the call, and the BC provider must already be installed.

```java
import java.math.BigInteger;
import java.security.Security;

import org.bouncycastle.jcajce.provider.config.ConfigurableProvider;
import org.bouncycastle.jce.spec.ECParameterSpec;
import org.bouncycastle.math.ec.ECCurve;
import org.bouncycastle.util.encoders.Hex;

...

// Curve y^2 = x^3 + ax + b over the prime field F_q
ECCurve curve = new ECCurve.Fp(
    new BigInteger("883423532389192164791648750360308885314476597252960362792450860609699839"), // q
    new BigInteger("7fffffffffffffffffffffff7fffffffffff8000000000007ffffffffffc", 16), // a
    new BigInteger("6b016c3bdcf18941d0d654921475ca71a9db2fb27d1d37796185c2942c0a", 16)); // b

// Domain parameters: curve, compressed base point G, and its order n
ECParameterSpec ecSpec = new ECParameterSpec(
    curve,
    curve.decodePoint(Hex.decode("020ffa963cdca8816ccc33b8642bedf905c3d358573d3f27fbbd3b3cb9aaaf")), // G
    new BigInteger("883423532389192164791648750360308884807550341691627752275345424702807307")); // n

// Only visible to the current thread; use EC_IMPLICITLY_CA for a provider-wide default
ConfigurableProvider config = (ConfigurableProvider)Security.getProvider("BC");
config.setParameter(ConfigurableProvider.THREAD_LOCAL_EC_IMPLICITLY_CA, ecSpec);
```

--------------------------------

### Build X509v1CertificateBuilder with JCA

Source: https://github.com/bcgit/bc-java/wiki/BC-"Version-2"---The-post-BC-1.46-changes

Example of constructing an `X509v1CertificateBuilder` from JCA components, including setting the validity dates and the issuer and subject principals. The signer and public key are left to the caller.

```java
import java.math.BigInteger;
import java.security.PublicKey;
import java.util.Date;
import javax.security.auth.x500.X500Principal;

import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v1CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509v1CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;

ContentSigner sigGen = ...;   // signer for the issuer's private key, e.g. from JcaContentSignerBuilder
PublicKey publicKey = ...;    // the subject's public key

// Validity window: one day in the past (clock skew) to one year ahead.
// The multiplications are done in long arithmetic; 365 * 24 * 60 * 60 * 1000 overflows an int.
Date startDate = new Date(System.currentTimeMillis() - 24L * 60 * 60 * 1000);
Date endDate = new Date(System.currentTimeMillis() + 365L * 24 * 60 * 60 * 1000);

X509v1CertificateBuilder v1CertGen = new JcaX509v1CertificateBuilder(
    new X500Principal("CN=Test"),   // issuer
    BigInteger.ONE,                 // serial number
    startDate, endDate,
    new X500Principal("CN=Test"),   // subject (same as issuer here, i.e. self-signed)
    publicKey);

X509CertificateHolder certHolder = v1CertGen.build(sigGen);
```