The new framework to check algorithm constraints that is now available in Bouncy Castle helps your organization structure and harmonize the usage of cryptography to enable efficient crypto agility.
With all the talk about crypto agility, it is often overlooked that many organizations do not fully know what algorithms they are currently relying on. The new cryptographic algorithm constraint checking framework in Bouncy Castle allows users to determine what algorithms they are using in their applications, even if the usage is below the level of the Java cryptography architecture. In addition, the constraint checking framework can be used to support application developers to ensure that keys and algorithms are within a specific security strength and automatically alert if they do not meet an organization’s requirements. Today and tomorrow, this feature can be essential for staying secure and achieving crypto agility.
Disabling of services can be enforced at runtime by checking any Bouncy Castle service created for suitability before it is made available to a running application. While this is a first release, and there is rather a lot to instrument, it does cover the core service set and more services will be added.
Get Started with Constraint Checking
Making use of the constraint checking is as simple as calling:
and passing a CryptoServicesConstraints object.
There are example implementations of these in org.bouncycastle.crypto.constraints package. Our plan is to further expand coverage and make some level of configuration available via a JVM’s java.security configuration file. To this end, we also welcome feedback on the new feature as we continue to develop it. Post your comments on GitHub Discussions.