Bouncy Castle use in each Java product

I’d like to know a bit more about which Java products use Bouncy Castle. As far as I can tell, the only products that list Bouncy Castle as a dependency in their pom.xml are Aspose.Slides and Aspose.Email (based on the latest versions of all products in your Maven repository). However, several other products (such as Aspose.Words and Aspose.Pdf) list the Bouncy Castle license in the license disclosure file in the ZIP downloaded through the download link on this site. Can you provide an official list of all Java products in the Aspose.Total family that use Bouncy Castle in any way (even if it’s used as part of an uber JAR that wouldn’t require adding the Bouncy Castle JAR to the classpath)?

[edit] Also, is it possible to use different security providers for the products that depend on Bouncy Castle, or is the dependency on Bouncy Castle specifically?

@clayton.gavin,

The following APIs use Bouncy Castle:

  • Aspose.Words
  • Aspose.Slides
  • Aspose.Cells
  • Aspose.Email
  • Aspose.PDF
  • Aspose.Imaging

For the rest of the APIs, we have forwarded the query to our product team. We will update you as soon as any further updates are available on this.

@clayton.gavin,

The following APIs also use Bouncy Castle:

  • Aspose.Email
  • Aspose.Tasks
  • Aspose.CAD

Furthermore, Aspose.Diagram does not use Bouncy Castle.

Any update on the other part of my question?

@clayton.gavin,

It is not possible to use security providers other than Bouncy Castle. For instance, Aspose.Imaging and Aspose.CAD have the Bouncy Castle JAR embedded inside them.

So Aspose libraries will ignore the security providers specified in the JDK and directly reference the embedded Bouncy Castle classes?

Is this hard dependency on Bouncy Castle for all cryptographic functions, or only particular algorithms?

Are Aspose.Imaging and Aspose.CAD the only two libraries with Bouncy Castle embedded, or do all of the libraries in your previous responses embed Bouncy Castle and have a hard dependency on it?

This one may be irrelevant depending on your answers to the other questions, but is it possible to get a version of the JARs without Bouncy Castle embedded?

Sorry for being tedious about this. It’s just that the applications that I work on can’t use Bouncy Castle. I’d like to use Aspose.Total (primarily Aspose.Words and Aspose.PDF), but if there’s no way to separate the Aspose libraries from Bouncy Castle then I can’t use Aspose.

@clayton.gavin,

Bouncy Castle (BC) is not used for all cryptographic algorithms in the API as some of the algorithms are implemented through system classes as well. Changing the dependency to some other library is not a viable option at our end.

Could you please tell us:

  1. What exact problems are you facing with BC that are giving rise to the scenario of abandoning Aspose APIs in your application?
  2. Is it that you want to use some specific security provider owing to some known security flaws in BC?
  3. Are you facing some error while using the APIs at your end?
  4. What exact code sample or use case are you following that requires avoiding BC at your end?

Further details from your end will help us identify your exact requirement and assist you accordingly.

I can only use FIPS approved security providers. Bouncy Castle does release a FIPS compliant version, which would be acceptable. Is it possible to get versions of the Aspose.Total libraries that embed and use only the FIPS compliant version of Bouncy Castle?

Same as above

No, in fact everything I’ve tried so far seems to work fine without the Bouncy Castle JAR in the classpath. Of course, Bouncy Castle may still be getting used in those scenarios if it’s embedded in the Aspose JARs.

I have to completely avoid the use of non-FIPS compliant security providers, so it’s not dependent on any specific use case. My high level use case is to use the various Aspose.Total libraries to load files and use them in generated Word and PDF files. The input files would span pretty much the entire Aspose.Total family (Office files, image files, HTML, PDF, etc.), but I just need Word and PDF for output formats. I only need to generate password protected files, not read them, so I would only handle password protected files in Aspose.Words and Aspose.PDF.
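The question raised above, whether Bouncy Castle is present inside a vendor JAR even when no separate BC JAR is on the classpath, can be checked directly against the artifact. The following is an added example, not code from this thread or from Aspose: the sample JAR is constructed in memory, `scan_jar` and `make_jar` are hypothetical names, and the two marker paths are the provider classes shipped by the general and FIPS Bouncy Castle distributions.

```python
import io
import zipfile

# Provider classes: the general BC provider JAR ships the first, bc-fips the second.
GENERAL_MARKER = "org/bouncycastle/jce/provider/BouncyCastleProvider.class"
FIPS_MARKER = "org/bouncycastle/jcajce/provider/BouncyCastleFipsProvider.class"

def scan_jar(data, label="<jar>", findings=None):
    """Map each archive (outer or nested) holding BC classes to what it holds."""
    findings = {} if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        hit = {"classes": 0, "general": False, "fips": False}
        for name in zf.namelist():
            if name.endswith((".jar", ".zip")):
                # JAR-in-JAR packaging: recurse into the nested archive.
                try:
                    scan_jar(zf.read(name), f"{label}!/{name}", findings)
                except zipfile.BadZipFile:
                    pass
            elif "bouncycastle/" in name and name.endswith(".class"):
                # Substring match also catches relocated (shaded) packages
                # such as com/vendor/shaded/org/bouncycastle/...
                hit["classes"] += 1
                hit["general"] |= name.endswith(GENERAL_MARKER)
                hit["fips"] |= name.endswith(FIPS_MARKER)
        if hit["classes"]:
            findings[label] = hit
    return findings

def make_jar(entries):
    """Build an in-memory JAR from {path: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in entries.items():
            zf.writestr(path, body)
    return buf.getvalue()

# Constructed sample: a hypothetical vendor uber JAR with a shaded copy of the
# general BC provider plus a nested bc-fips JAR. Not a real Aspose artifact.
NESTED_FIPS = make_jar({FIPS_MARKER: b"",
                        "org/bouncycastle/crypto/fips/FipsStatus.class": b""})
SAMPLE = make_jar({
    "com/vendor/Document.class": b"",
    "com/vendor/shaded/" + GENERAL_MARKER: b"",
    "lib/bc-fips.jar": NESTED_FIPS,
})

if __name__ == "__main__":
    for where, info in scan_jar(SAMPLE, "vendor-uber.jar").items():
        print(where, info)
```

The scan is a packaging heuristic: it shows which Bouncy Castle build is bundled, not which code paths call it, and the presence of bc-fips classes does not by itself show that the library runs in approved mode.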

@clayton.gavin,

Thank you for updating us in detail. We have logged the requirements as feature requests in our system against each Aspose product for further investigation. We will update you here once there is some information or a fix version available in this regard. Details of the logged IDs are as follows:

Use of FIPS compliant version of Bouncy Castle in Aspose

  • EMAILJAVA-34344
  • WORDSJAVA-1736
  • TASKSJAVA-489
  • NOTEJAVA-425
  • SLIDESJAVA-36910
  • IMAGINGJAVA-906
  • CADJAVA-206
  • CELLSJAVA-42523
  • BARCODEJAVA-444
  • OCRJAVA-802
  • PDFJAVA-37442

Thanks for your help with this. Do you have any idea when you will be able to investigate and resolve these feature requests?

@clayton.gavin,

The tickets are currently in the queue among other tickets for investigation. We will update you here once there is some information or a fix version available in this regard.

@clayton.gavin,

This is to inform you that we have fixed the issue logged earlier as “CELLSJAVA-42523” regarding Aspose.Cells for Java. In our upcoming version/fix: Aspose.Cells for Java v18.4 (which is scheduled to be released in the next few days), the feature is added. You will be notified here once the release is published. Please note, from v18.4, we will support both the Java Release and the Java FIPS Release of Bouncy Castle.

The issues you have found earlier (filed as CELLSJAVA-42523) have been fixed in this update. This message was posted using BugNotificationTool from Downloads module by Amjad_Sahi

The issues you have found earlier (filed as CELLSJAVA-42523) have been fixed in Aspose.Cells for Java 18.4. Please also see the document for your reference:

The issues you have found earlier (filed as SLIDESJAVA-36910) have been fixed in this update. This message was posted using BugNotificationTool from Downloads module by mudassir.fayyaz

The issues you have found earlier (filed as IMAGINGJAVA-906) have been fixed in this update.

@clayton.gavin,

Regarding WORDSJAVA-1736, it is to update you that we have just implemented the support of FIPS in Aspose.Words for Java. The fix of WORDSJAVA-1736 will be included in the next version of Aspose.Words for Java, i.e. 18.10. We will inform you via this thread as soon as the next version containing the FIPS support is released at the start of next month.

In the meantime, we have also built an interim release for you to test this FIPS support implementation on your end. You can download this release from the following link:

You should type SecuritySettings.startFipsMode() to turn on FIPS mode for the current thread. Once the mode is set, you cannot switch off FIPS mode for the current thread.

This feature is not documented yet, so please share if you have some suggestions about the public API.

The issues you have found earlier (filed as EMAILJAVA-34344) have been fixed in this update. This message was posted using BugNotificationTool from Downloads module by MuzammilKhan

The issues you have found earlier (filed as WORDSJAVA-1736) have been fixed in this Aspose.Words for .NET 18.10 update and this Aspose.Words for Java 18.10 update.

The issues you have found earlier (filed as TASKSJAVA-489) have been fixed in this update.