Globally register bouncycastle security provider in JDK 11

Question

In Java 8, I've globally registered the Bouncy Castle security provider by doing the following steps:

1. copy bouncycastle jar to jre/lib/ext
2. add security.provider.<N>=org.bouncycastle.jce.provider.BouncyCastleProvider jre/lib/security/java.security

Everything worked perfectly fine!

Now in Java 11, I've found java.security in conf/security/, which is fine, but there is no lib/ext anymore in Java 11.

What is the way to go to globally register Bouncy Castle in Java 11?

Answer 1

So with Java 9, with the introduction of modules, you can place the Bouncy Castle jars in its own new directory or just about anywhere. You just have to provide the jar path in the --modules-path when u run jlink. Here is steps to build a JRE with org.bouncycastle:

• Download your JDK of choice (I chose azul JDK 11.0.12).
• Edit /conf/security/java.security to add BouncyCastle:

security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS security.provider.3=SUN

…

If you append them last as oppose to first, the default SSL provider will NOT be BouncyCastle, which is fine but you will have to be exploit about your SSL provider when you get/initialize the default SSL provider.

• Download the BouncyCastle jars and place them in its new directory under the JDK directory
• Build JRE with jlink with following command from the JDK:

./bin/jlink --no-header-files --no-man-pages
  --compress=2 --strip-debug
  --module-path <DIR_PATH_TO_BOUNCY_CASTLE_JARS>
  --add-modules <LIST_OF_MODULES>, org.bouncycastle.fips.core,org.bouncycastle.fips.tls
  --output ./JRE_OUTPUT_DIR --ignore-signing-information

• Check that the bouncycastle modules are incorporated with:

./<JRE_OUTPUT_DIR>/bin/java --list-modules

It should list org.bouncycastle.fips.core and org.bouncycastle.fips.tls