Description
Spongy Castle was created back in 2011 because the Android platform bundled an old, restricted subset of Bouncy Castle. Simply adding an updated version of Bouncy Castle to your app resulted in class-clashes and exceptions - so you needed a repackaged & renamed version, like Spongy Castle.
Why might Spongy Castle be obsolete?
As mentioned in the book Android Security Internals by @nelenkov, the org.bouncycastle packages in Android were renamed to com.android.org.bouncycastle starting with Android 3.0 (see also open-keychain/open-keychain#1676 and Android Platform commit 0ac85ead96f - note that the version of BC bundled with Android 4.0 was still a restricted subset). So using Spongy Castle may no longer be necessary, if you can just include an up-to-date version of Bouncy Castle directly.
There are also alternative crypto libraries to consider, like Facebook's Conceal, Google's Conscrypt, libsodium-jni, etc.
Why might Spongy Castle not be obsolete?
- pre-Android 3.0 devices are still in active use. Usage is higher in poorer countries, and those users still need secure cryptography. Signal (not a SC user, so far as I'm aware) currently still supports Android 2.3 and up.
- even on post-Android 3.0 devices, device manufacturers are not above carelessly bundling libraries, so it's possible that Bouncy Castle may still be bundled on some obscure devices.
- Although the version of Bouncy Castle bundled with Android has a changed package name, it still has "BC" as the provider name, leaving some ambiguity as to which implementation is chosen when you add your own copy of Bouncy Castle to the app and request "BC" as your provider (thanks to David Hook for passing on this point).
So Spongy Castle may still be necessary, if you really do need the functionality of Bouncy Castle on older devices. However it takes non-negligible effort to maintain Spongy Castle, so I'm using this issue to solicit feedback from people on whether they do, or do not, need further releases of Spongy Castle, and also to answer the users who ask "Why hasn't the latest release of Spongy Castle come out yet?"
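The "BC" provider-name ambiguity above is easy to check for at runtime. The following is an added example (not code from this issue or from the Spongy Castle / Bouncy Castle projects) that registers an app-bundled Bouncy Castle provider and then verifies which class actually services a request for "BC"; it assumes the `org.bouncycastle` jar is on the app's classpath, and the expectation that a platform copy would live under `com.android.org.bouncycastle` comes from the package rename described above.

```java
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class BcProviderCheck {

    // Package prefix of the app's own copy; anything else answering to "BC" is not ours.
    private static final String OWN_PACKAGE = "org.bouncycastle.";

    /**
     * Registers the bundled BouncyCastleProvider and returns the fully-qualified class
     * name of the provider that ends up serving an explicit request for "BC".
     */
    public static String registerAndProbe() throws Exception {
        // Security.addProvider() appends to the END of the provider list and returns -1
        // when a provider with the same name is already installed. On a device that
        // ships its own "BC", that platform copy therefore keeps winning silently.
        int position = Security.addProvider(new BouncyCastleProvider());
        System.out.println("addProvider() returned position " + position
                + (position == -1 ? " (a provider named \"BC\" was already installed)" : ""));

        // Ask for "BC" by name, exactly as application code would, and see who answers.
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding", BouncyCastleProvider.PROVIDER_NAME);
        Provider serving = cipher.getProvider();
        return serving.getClass().getName();
    }

    /**
     * Remedy: drop whatever is registered as "BC" in this process and put the app's own
     * copy first. Provider registration is per-process, so this does not touch other apps.
     */
    public static String forceOwnCopy() throws Exception {
        Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME);
        Security.insertProviderAt(new BouncyCastleProvider(), 1);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding", BouncyCastleProvider.PROVIDER_NAME);
        return cipher.getProvider().getClass().getName();
    }

    public static void main(String[] args) throws Exception {
        String first = registerAndProbe();
        System.out.println("\"BC\" is served by: " + first);
        if (!first.startsWith(OWN_PACKAGE)) {
            // e.g. com.android.org.bouncycastle.jce.provider.BouncyCastleProvider on Android 3.0+
            System.out.println("Not the app's own copy - re-registering at position 1");
            System.out.println("\"BC\" is now served by: " + forceOwnCopy());
        }
    }
}
```

On a plain JDK, where no other "BC" is installed, `registerAndProbe()` returns `org.bouncycastle.jce.provider.BouncyCastleProvider` straight away; the interesting case is an Android device where the first probe reports the platform's renamed copy. Spongy Castle sidesteps this entirely because its provider name is "SC", so a request for "SC" cannot be answered by anything the platform bundled.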
Why do releases of Spongy Castle lag so far behind Bouncy Castle?
Version | Bouncy release | Spongy release | Lag in days |
---|---|---|---|
1.50 | 3 Dec 2013 | 26 Jan 2014 | 54 |
1.51 | 25 Jul 2014 | 26 Jul 2014 | 1 |
1.52 | 2 Mar 2015 | 15 Jun 2015 | 105 |
1.53 | 12 Oct 2015 | 18 Oct 2015 | 6 |
1.54 | 29 Dec 2015 | 29 Dec 2015 | 0 (thanks to advance warning from @cwgit) |
1.55 | 18 Aug 2016 | - | ... |
1.56 | 23 Dec 2016 | - | ... |
The Bouncy Castle project has a suite of nearly a thousand tests, and with every new release of Spongy Castle I want to make sure that those tests all pass - I have to make sure I haven't broken anything. In particular, I want to make sure that those tests pass in public CI (e.g. Travis CI) so that people can reproduce my work.
Unfortunately, this is surprisingly difficult:
- The Bouncy Castle project itself has no public CI setup, and they've not been able to share their private CI infrastructure with me.
- Many tests in the suite trigger `javax.crypto.JceSecurity.verifyProviderJar()` checks that will only pass with one of these two problematic options:
  - Obtain a JCE Code Signing Certificate from Oracle, to sign the Spongy Castle provider for the purpose of the tests - note that the signature is not required for Spongy Castle to operate on Android, just for the tests to pass. I've not yet attempted to go down this path.
  - Avoid the signing requirements during tests by using OpenJDK, specifically OpenJDK 7 or earlier - which is no longer available on the current version of Ubuntu.
- Generally, with every new release, a new set of tests fail for other reasons too, and investigating those takes time. Some of the fixes I've found I've been able to contribute back to the upstream Bouncy Castle project.
Sunset on a Spongy Castle?
Given the inevitable obsolescence of Spongy Castle, at some point there will be literally no reason to keep on devoting the significant chunk of time it takes to cut a release! That time may not have arrived yet - but for my own sanity, I'd like to know when it does, so I can use my time to do other stuff.
So, please vote on this issue:
- 👍 to say Spongy Castle is obsolete
- 👎 to say you still need it
...and if you could add a comment, explaining why you need it, and linking to your project, that would be great and hold much more weight with me.