We either need BouncyCastle or Java8

[AMarcedone]

Hi guys,

I want to support native authenticated encryption of the blob, something like AES in GCM or EAX mode. However, this modes of operation are not supported by plain Java7. So we either need Bouncy Castle or the newer Java8.

However, using Java7 + Bouncy Castle, we need to resort to the BouncyCastle API Calls (as opposed to just using the BouncyCastle provider) because of the following bug: http://blog.philippheckel.com/2014/03/01/cipherinputstream-for-aead-modes-is-broken-in-jdk7-gcm/ (I assume they fixed the vulnerability in Java8, since it dates back to last year.

Thoughts? Which one would you go for?

[jefftn]

I would go for Java8 personally, since I'm already familiar with the Java standard library version of the cryptography library and also want to try the new features of Java8 out.

[AMarcedone]

FYI, I think Oracle jdk 7 supports GCM, but openjdk doesn't. I am not sure how to check if the above bug has been solved on Oracle jdk 7 without downloading and installing it. Will investigate more.

[AMarcedone]

I investigated. Bug is now solved in Oracle Java8, which supports GCM mode. Please make sure you are using Java8, otherwise an exception will be raised after my next push.