None of these answers is accurate in 2021 or even several years prior.
Neither using Spongy Castle nor recompiling Bouncy Castle with a different package namespace are necessary since the package name conflicts on Android platform were resolved in Honeycomb (unless you still support pre-honeycomb devices). For details why see: https://github.com/rtyley/spongycastle/issues/34
The correct solution is to include the standard Bouncy Castle libraries in your Android application as follows.
The first step is to include the necessary libraries in your gradle file. You can get standard Bouncy Castle from maven, no need to download and check-in the JARs into your project.
When building with gradle add the following to your dependencies
section in your gradle project file:
// See https://www.bouncycastle.org/releasenotes.html for latest revision
implementation 'org.bouncycastle:bcpkix-jdk15to18:1.68'
implementation 'org.bouncycastle:bcprov-jdk15to18:1.68'
Depending on your needs you may not need to actually add the Java security provider from the officially released Bouncy Castle. If you just want to use Bouncy Castle classes directly you may do so now. For example I can write this code that builds an X500Name object without installing the security provider:
X500NameBuilder nameBuilder = new X500NameBuilder();
nameBuilder.addRDN(BCStyle.PSEUDONYM, "xyz");
nameBuilder.addRDN(BCStyle.E, "[email protected]");
X500Name name = nameBuilder.build();
On the other hand if you want to write code that takes advantage of Bouncy Castle via the security provider then you should first replace the built-in Android Bouncy Castle security provider with the standard one since Java does not allow two security providers with the same name. This should be done as early as possible during application startup:
import org.bouncycastle.jce.provider.BouncyCastleProvider;
public class MyApplication extends Application {
static {
Security.removeProvider("BC");
// Confirm that positioning this provider at the end works for your needs!
Security.addProvider(new BouncyCastleProvider());
}
}
Note that Java security providers rely heavily on reflection. If you are using obfuscation or shrinking your project then the Bouncy Castle classes will end being culled or renamed inappropriately, to prevent that you need to add the following or similar to proguard.pro
file:
-keep class org.bouncycastle.jcajce.provider.** { *; }
-keep class org.bouncycastle.jce.provider.** { *; }
Finally you can write code that will use the standard Bouncy Castle security provider under the hood:
// MD2 hash is not secure, just demonstrating...
MessageDigest md = MessageDigest.getInstance("MD2");
byte[] messageDigest = md.digest(byteData);
Since MD2
isn't provided by any of the Android built-in security providers it will only be found if you've added the Bouncy Castle security provider as described above.