Bouncy Castel dependency?

[hrstoyanov]

Hello, This is not an issue, but since the Discussions tab for this project is not enabled, I wouldllike ask here is there a strong reason to be using Bouncy Castle rather than the built-in Java Cryptography Framework (Sorry, I only looked briefly at the code)? If not, any plans to remove this dependency?

[shred]

acme4j is currently using Bouncy Castle for these purposes:

• Generating a CSR for ordering a certificate
• Creating a X509Certificate for the tls-alpn-01 challenge
• All utility classes in the org.shredzone.acme4j.util package
• The acme4j-smime module makes extensive use of Bouncy Castle for parsing, validating, and creating S/MIME emails

I would like to remove the Bouncy Castle dependency, but unfortunately the Java Cryptography Framework offers no sufficient alternatives.

It is possible to avoid Bouncy Castle if you do not use the tls-alpn-01 challenge, the acme4j-smime module, and the utility classes. But when ordering a certificate, you would then have to create a CSR yourself by other means, and then invoke Order.execute(byte[] csr).

[hrstoyanov]

Thanks, I will try your suggestion - I only need HTTP-01 protocol as I am developing a Java Helidon wen server, extension and want to minimize external dependencies to the absolutely necessary minimum (similar to the ACME plug-in IBM did for OpenLiberty). I Have not looked at IBM's code too much, but from what I saw, they do not use Bouncy Castle ...

Another question - any strong reason for using SLF4J instead of the Java 9 Platform logging, which serves the same purpose - a facade for other logging frameworks (including SLF4J)?

[shred]

I just had a quick look at IBM's OpenLiberty source, and they use acme4j. :laughing: They also use acme4j's CSRBuilder, so I am sure they use Bouncy Castle.

You could use OpenSSL for creating CSRs, but then you'll have a dependency to an external tool.

About logging: I will have a look at JEP 264 and check if it is an option to switch. I could remove a dependency that way, but I first have to make sure it won't break existing logging.

[hrstoyanov]

Thanks you for proving me wrong on IBM OpenLiberty!

I just looked at some code for generating CSR in Java here. In the RELATED section below the article they offer other useful examples

[shred]

Your example uses a lot of sun.* packages, which are not part of the public Java API: https://www.oracle.com/java/technologies/faq-sun-packages.html

So this is not an option. However you could still use it in your code, and invoke Order.execute(byte[] csr) with the generated CSR.

[hrstoyanov]

Sorry ..Indeed, sun.com.* stuff is not good (probably does not work on other JDKs at all).

As for the logging .. this is interesting

[hrstoyanov]

Btw, feel free to close this issue.

I would also recommend enabling the Discussions tab for this project, for topics like this

[shred]

Discussions are enabled now. Thank you for the pointer.

Feel free to reopen if you found a way to remove the BC dependency.

[hrstoyanov]

Thank you @shred ! The arguments and justifications for you choices explained in the above thread are very solid, so I will use acme4j as is. If I discover a better replacement for bouncyc castle, I will bring it to your attention.