Comments (9)

shred commented on August 25, 2024

acme4j is currently using Bouncy Castle for these purposes:

  • Generating a CSR for ordering a certificate
  • Creating a X509Certificate for the tls-alpn-01 challenge
  • All utility classes in the org.shredzone.acme4j.util package
  • The acme4j-smime module makes extensive use of Bouncy Castle for parsing, validating, and creating S/MIME emails

I would like to remove the Bouncy Castle dependency, but unfortunately the Java Cryptography Framework offers no sufficient alternatives.

It is possible to avoid Bouncy Castle if you do not use the tls-alpn-01 challenge, the acme4j-smime module, and the utility classes. But when ordering a certificate, you would then have to create a CSR yourself by other means, and then invoke Order.execute(byte[] csr).

from acme4j.

hrstoyanov commented on August 25, 2024

Thanks, I will try your suggestion -
I only need HTTP-01 protocol as I am developing a Java Helidon web server extension and want to minimize external dependencies to the absolutely necessary minimum (similar to the ACME plug-in IBM did for OpenLiberty). I have not looked at IBM's code too much, but from what I saw, they do not use Bouncy Castle ...

Another question - any strong reason for using SLF4J instead of the Java 9 Platform logging, which serves the same purpose - a facade for other logging frameworks (including SLF4J)?

shred commented on August 25, 2024

I just had a quick look at IBM's OpenLiberty source, and they use acme4j. 😆 They also use acme4j's CSRBuilder, so I am sure they use Bouncy Castle.

You could use OpenSSL for creating CSRs, but then you'll have a dependency to an external tool.

About logging: I will have a look at JEP 264 and check if it is an option to switch. I could remove a dependency that way, but I first have to make sure it won't break existing logging.

hrstoyanov commented on August 25, 2024

Thank you for proving me wrong on IBM OpenLiberty!

I just looked at some code for generating CSR in Java here. In the RELATED section below the article they offer other useful examples

shred commented on August 25, 2024

Your example uses a lot of sun.* packages, which are not part of the public Java API: https://www.oracle.com/java/technologies/faq-sun-packages.html

So this is not an option. However you could still use it in your code, and invoke Order.execute(byte[] csr) with the generated CSR.

from acme4j.
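
A CSR can be built with only the public `java.security` API by DER-encoding the PKCS#10 structure by hand, which avoids both Bouncy Castle and `sun.*` classes. This is an added example, not part of the thread and not acme4j's code; the class name `JcaOnlyCsr`, the helper `tlv` and the domain `example.org` are assumptions for illustration, and it covers one DNS name with an ECDSA P-256 key.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

public class JcaOnlyCsr {
    // DER-encoded OIDs: commonName, subjectAltName, extensionRequest, ecdsa-with-SHA256
    static final byte[] CN = {0x06, 3, 0x55, 0x04, 0x03};
    static final byte[] SAN = {0x06, 3, 0x55, 0x1D, 0x11};
    static final byte[] EXT_REQ = {0x06, 9, 0x2A, (byte) 0x86, 0x48, (byte) 0x86, (byte) 0xF7, 0x0D, 1, 9, 0x0E};
    static final byte[] ECDSA_SHA256 = {0x06, 8, 0x2A, (byte) 0x86, 0x48, (byte) 0xCE, 0x3D, 4, 3, 2};
    // Wrap the concatenated parts in one DER tag-length-value (content up to 65535 bytes).
    static byte[] tlv(int tag, byte[]... parts) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        for (byte[] p : parts) body.writeBytes(p);
        int n = body.size();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        if (n >= 0x100) { out.write(0x82); out.write(n >> 8); }
        else if (n >= 0x80) out.write(0x81);
        out.write(n);                        // low length byte
        out.writeBytes(body.toByteArray());
        return out.toByteArray();
    }

    // PKCS#10 request for one DNS name (ASCII; IDNs must already be in punycode form).
    static byte[] buildCsr(KeyPair domainKey, String dnsName) throws GeneralSecurityException {
        byte[] name = dnsName.getBytes(StandardCharsets.US_ASCII);
        byte[] subject = tlv(0x30, tlv(0x31, tlv(0x30, CN, tlv(0x0C, name))));
        byte[] sanValue = tlv(0x30, tlv(0x82, name));               // GeneralNames { dNSName [2] }
        byte[] extensions = tlv(0x30, tlv(0x30, SAN, tlv(0x04, sanValue)));
        byte[] attributes = tlv(0xA0, tlv(0x30, EXT_REQ, tlv(0x31, extensions)));
        // CertificationRequestInfo: version 0, subject, SubjectPublicKeyInfo, attributes
        byte[] info = tlv(0x30, new byte[] {0x02, 1, 0}, subject, domainKey.getPublic().getEncoded(), attributes);
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(domainKey.getPrivate());
        signer.update(info);
        byte[] bitString = tlv(0x03, new byte[] {0}, signer.sign()); // 0 unused bits
        return tlv(0x30, info, tlv(0x30, ECDSA_SHA256), bitString);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        byte[] csr = buildCsr(gen.generateKeyPair(), "example.org"); // domain key, not the account key
        // csr is the DER byte[] that Order.execute(byte[] csr) takes
        System.out.println(Base64.getEncoder().encodeToString(csr));
    }
}
```

Wrapping the printed Base64 in `-----BEGIN CERTIFICATE REQUEST-----` / `-----END CERTIFICATE REQUEST-----` lines lets `openssl req -noout -text -verify` check the structure and signature before the CSR is submitted.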

hrstoyanov commented on August 25, 2024

Sorry... Indeed, sun.com.* stuff is not good (probably does not work on other JDKs at all).

As for the logging... this is interesting

hrstoyanov commented on August 25, 2024

Btw, feel free to close this issue.

I would also recommend enabling the Discussions tab for this project, for topics like this

shred commented on August 25, 2024

Discussions are enabled now. Thank you for the pointer.

Feel free to reopen if you found a way to remove the BC dependency.

hrstoyanov commented on August 25, 2024

Thank you @shred!
The arguments and justifications for your choices explained in the above thread are very solid, so I will use acme4j as is. If I discover a better replacement for Bouncy Castle, I will bring it to your attention.
