Introducing the 2024 PKI & Digital Trust Report     | Download the Report

Checking Cryptographic Algorithm Constraints in Bouncy Castle

Developer Community

The new framework to check algorithm constraints that is now available in Bouncy Castle helps your organization structure and harmonize the usage of cryptography to enable efficient crypto agility.

With all the talk about crypto agility, it is often overlooked that many organizations do not fully know what algorithms they are currently relying on. The new cryptographic algorithm constraint checking framework in Bouncy Castle allows users to determine what algorithms they are using in their applications, even if the usage is below the level of the Java cryptography architecture. In addition, the constraint checking framework can be used to support application developers to ensure that keys and algorithms are within a specific security strength and automatically alert if they do not meet an organization’s requirements. Today and tomorrow, this feature can be essential for staying secure and achieving crypto agility.

Disabling of services can be enforced at runtime by checking any Bouncy Castle service created for suitability before it is made available to a running application. While this is a first release, and there is rather a lot to instrument, it does cover the core service set and more services will be added.

Get Started with Constraint Checking

Making use of the constraint checking is as simple as calling:


and passing a CryptoServicesConstraints object.

There are example implementations of these in org.bouncycastle.crypto.constraints package. Our plan is to further expand coverage and make some level of configuration available via a JVM’s configuration file. To this end, we also welcome feedback on the new feature as we continue to develop it. Post your comments on GitHub Discussions.

For more information

Do you want to try Cryptographic Algorithm Constraint Checking with Bouncy Castle? Here you can find more information to get started: