cOut.write("plaintext".getBytes());	cOut.close();	// bOut now contains the cipher text</code></pre><p>The provider can also be configured as part of your environment via static registrationby adding an entry to the java.security properties file (found in $JAVA_HOME/jre/lib/security/java.security, where $JAVA_HOME is the location of your JDK/JRE distribution). You'll find detailed instructions in the file but basically it comes down to adding a line:<pre><code>    security.provider.&lt;n&gt;=org.bouncycastle.jce.provider.BouncyCastleProvider</code></pre><p>Where &lt;n&gt; is the preference you want the provider at (1 being the most prefered).<p>Where you put the jar is up to mostly up to you, although with jdk1.3 andjdk1.4 the best (and in some cases only) place to have it is in $JAVA_HOME/jre/lib/ext. Note: under Windows there will normally be a JRE and a JDK install of Java if you think you have installed it correctly and it still doesn't work chances are you have added the provider to the installation not being used.<p><b>Note</b>: with JDK 1.4 and later you will need to have installed the unrestricted policyfiles to take full advantage of the provider. If you do not install the policy files you are likelyto get something like the following:<b><pre>        java.lang.SecurityException: Unsupported keysize or algorithm parameters                at javax.crypto.Cipher.init(DashoA6275)</pre></b>The policy files can be found at the same place you downloaded the JDK.<p><h3>5.2 Algorithms</h3><h4>Symmetric (Block)</h4><p>Modes:<ul><li>ECB<li>CBC<li>OFB(n)<li>CFB(n)<li>SIC (also known as CTR)<li>OpenPGPCFB<li>CTS (equivalent to CBC/WithCTS)<li>GOFB</ul><p>Where <i>(n)</i> is a multiple of 8 that gives the blocksize in bits,eg, OFB8. Note that OFB and CFB mode can be used with plain text thatis not an exact multiple of the block size if NoPadding has been specified.<p>Padding Schemes:<ul><li>No padding<li>PKCS5/7<li>ISO10126/ISO10126-2<li>ISO7816-4/ISO9797-1<li>X9.23/X923<li>TBC<li>ZeroByte<li>withCTS (if used with ECB mode)</ul><p>When placed together this gives a specification for an algorithmas;<ul><li>DES/CBC/X9.23Padding<li>DES/OFB8/NoPadding<li>IDEA/CBC/ISO10126Padding<li>IDEA/CBC/ISO7816-4Padding<li>SKIPJACK/ECB/PKCS7Padding<li>DES/ECB/WithCTS</ul><p>Note: default key sizes are in bold.<p><table cellpadding=5 cellspacing=0 border=1 width=80%><tr><th>Name</th><th>KeySizes (in bits) </th><th>Block Size</th><th>Notes</th></tr><tr><td>AES</td><td>0 .. 256 <b>(192)</b></td><td>128 bit</td><td>&nbsp;</td></tr><tr><td>AESWrap</td><td>0 .. 256 <b>(192)</b></td><td>128 bit</td><td>A FIPS AES key wrapper</td></tr><tr><td>Blowfish</td><td>0 .. 448 <b>(448)</b></td><td>64 bit</td><td>&nbsp;</td></tr><tr><td>CAST5</td><td>0 .. 128<b>(128)</b></td><td>64 bit</td><td>&nbsp;</td></tr><tr><td>CAST6</td><td>0 .. 256<b>(256)</b></td><td>128 bit</td><td>&nbsp;</td></tr><tr><td>DES</td><td>64</td><td>64 bit</td><td>&nbsp;</td></tr><tr><td>DESede</td><td>128, 192</td><td>64 bit</td><td>&nbsp;</td></tr><tr><td>DESedeWrap</td><td>128, 192</td><td>128 bit</td><td>A Draft IETF DESede key wrapper</td></tr><tr><td>IDEA</td><td>128 <b>(128)</b></td><td>64 bit</td><td>&nbsp;</td></tr><tr><td>RC2</td><td>0 .. 1024 <b>(128)</b></td><td>64 bit</td><td>&nbsp;</td></tr><tr><td>RC5</td><td>0 .. 128 <b>(128)</b></td><td>64 bit</td><td>Uses a 32 bit word</td></tr><tr><td>RC5-64</td><td>0 .. 256 <b>(256)</b></td><td>128 bit</td><td>Uses a 64 bit word</td></tr><tr><td>RC6</td><td>0 .. 256 <b>(128)</b></td><td>128 bit</td><td>&nbsp;</td></tr><tr><td>Rijndael</td><td>0 .. 256 <b>(192)</b></td><td>128 bit</td><td>&nbsp;</td></tr><tr><td>Skipjack</td><td>0 .. 128 <b>(128)</b></td><td>64 bit</td><td>&nbsp;</td></tr><tr><td>Twofish</td><td>128, 192, 256 <b>(256)</b></td><td>128 bit</td><td>&nbsp;</td></tr><tr><td>Serpent</td><td>128, 192, 256 <b>(256)</b></td><td>128 bit</td><td>&nbsp;</td></tr><tr><td>GOST28147</td><td>256</td><td>64 bit</td><td>&nbsp;</td></tr><tr><td>Camellia</td><td>128, 192, 256</td><td>128 bit</td><td>&nbsp;</td></tr></table><h4>Symmetric (Stream)</h4><p>Note: default key sizes are in bold.<p><table cellpadding=5 cellspacing=0 border=1 width=80%><tr><th>Name</th><th>KeySizes (in bits)</th><th>Notes</th></tr><tr><td>RC4</td><td>40 .. 2048 bits <b>(128)</b></td><td>&nbsp;</td></tr></table><h4>Block Asymmetric</h4><p>Encoding:<ul><li>OAEP - Optimal Asymmetric Encryption Padding<li>PCKS1 - PKCS v1.5 Padding<li>ISO9796-1 - ISO9796-1 edition 1 Padding</ul><p>Note: except as indicated in PKCS 1v2 we recommend you use OAEP, asmandated in X9.44.<p>When placed together with RSA this gives a specification for an algorithmas;<ul><li>RSA/NONE/NoPadding<li>RSA/NONE/PKCS1Padding<li>RSA/NONE/OAEPWithMD5AndMGF1Padding<li>RSA/NONE/OAEPWithSHA1AndMGF1Padding<li>RSA/NONE/OAEPWithSHA224AndMGF1Padding<li>RSA/NONE/OAEPWithSHA256AndMGF1Padding<li>RSA/NONE/OAEPWithSHA384AndMGF1Padding<li>RSA/NONE/OAEPWithSHA512AndMGF1Padding<li>RSA/NONE/ISO9796-1Padding</ul><table cellpadding=5 cellspacing=0 border=1 width=80%><tr><th>Name</th><th>KeySizes (in bits)</th><th>Notes</th></tr><tr><td>RSA</td><td>any multiple of 8 bits large enough for the encryption<b>(2048)</b></td><td>&nbsp;</td></tr><tr><td>ElGamal</td><td>any multiple of 8 bits large enough for the encryption<b>(1024)</b></td><td>&nbsp;</td></tr></table><h4>Key Agreement</h4><p>Diffie-Hellman key agreement is supported using the "DH", "ECDH", and"ECDHC" (ECDH with cofactors) key agreement instances.<p>Note: with basic "DH" only the basic algorithm fits in with the JCE API, ifyou're using long-term public keys you may want to look at the light-weightAPI.<p><h4>ECIES</h4><p>An implementation of ECIES (stream mode) as described in IEEE P 1363a.<p><b>Note:</b> At the moment this is still a draft, don't use it for anythingthat may be subject to long term storage, the key values produced may wellchange as the draft is finalised.<p><h4>Digest</h4><p><table cellpadding=5 cellspacing=0 border=1 width=80%><tr><th>Name</th><th>Output (in bits)</th><th>Notes</th></tr><tr><td>GOST3411</td><td>256</td><td>&nbsp;</td></tr><tr><td>MD2</td><td>128</td><td>&nbsp;</td></tr><tr><td>MD4</td><td>128</td><td>&nbsp;</td></tr><tr><td>MD5</td><td>128</td><td>&nbsp;</td></tr><tr><td>RipeMD128</td><td>128</td><td>basic RipeMD</td></tr><tr><td>RipeMD160</td><td>160</td><td>enhanced version of RipeMD</td></tr><tr><td>RipeMD256Digest</td><td>256</td><td>expanded version of RipeMD128</td></tr><tr><td>RipeMD320Digest</td><td>320</td><td>expanded version of RipeMD160</td></tr><tr><td>SHA1</td><td>160</td><td>&nbsp;</td></tr><tr><td>SHA-224</td><td>224</td><td>FIPS 180-2</td></tr><tr><td>SHA-256</td><td>256</td><td>FIPS 180-2</td></tr><tr><td>SHA-384</td><td>384</td><td>FIPS 180-2</td></tr><tr><td>SHA-512</td><td>512</td><td>FIPS 180-2</td></tr><tr><td>Tiger</td><td>192</td><td>&nbsp;</td></tr><tr><td>Whirlpool</td><td>512</td><td>&nbsp;</td></tr></table><h4>MAC</h4><table cellpadding=5 cellspacing=0 border=1 width=80%><tr><th>Name</th><th>Output (in bits)</th><th>Notes</th></tr><tr><td>Any MAC based on a block cipher, CBC (the default) and CFB modes.</td><td>half the cipher's block size (usually 32 bits)</td><td>&nbsp;</td></tr><tr><td>HMac-MD2</td><td>128</td><td>&nbsp;</td></tr><tr><td>HMac-MD4</td><td>128</td><td>&nbsp;</td></tr><tr><td>HMac-MD5</td><td>128</td><td>&nbsp;</td></tr><tr><td>HMac-RipeMD128</td><td>128</td><td>&nbsp;</td></tr><tr><td>HMac-RipeMD160</td><td>160</td><td>&nbsp;</td></tr><tr><td>HMac-SHA1</td><td>160</td><td>&nbsp;</td></tr><tr><td>HMac-SHA224</td><td>224</td><td>&nbsp;</td></tr><tr><td>HMac-SHA256</td><td>256</td><td>&nbsp;</td></tr><tr><td>HMac-SHA384</td><td>384</td><td>&nbsp;</td></tr><tr><td>HMac-SHA512</td><td>512</td><td>&nbsp;</td></tr><tr><td>HMac-Tiger</td><td>192</td><td>&nbsp;</td></tr></table><p>Examples:<ul><li>DESMac<li>DESMac/CFB8<li>DESedeMac<li>DESedeMac/CFB8<li>DESedeMac64<li>SKIPJACKMac<li>SKIPJACKMac/CFB8<li>IDEAMac<li>IDEAMac/CFB8<li>RC2Mac<li>RC2Mac/CFB8<li>RC5Mac<li>RC5Mac/CFB8<li>ISO9797ALG3Mac</ul><h4>Signature Algorithms</h4><p>Schemes:<ul><li>GOST3411withGOST3410 (GOST3411withGOST3410-94)<li>GOST3411withECGOST3410 (GOST3411withGOST3410-2001)<li>MD2withRSA<li>MD5withRSA<li>SHA1withRSA<li>RIPEMD128withRSA<li>RIPEMD160withRSA<li>RIPEMD256withRSA<li>SHA1withDSA<li>SHA1withECDSA<li>SHA224withECDSA<li>SHA256withECDSA<li>SHA384withECDSA<li>SHA512withECDSA<li>SHA224withRSA<li>SHA256withRSA<li>SHA384withRSA<li>SHA512withRSA<li>SHA1withRSAandMGF1<li>SHA256withRSAandMGF1<li>SHA384withRSAandMGF1<li>SHA512withRSAandMGF1</ul><h4>PBE</h4><p>Schemes:<ul><li>PKCS5S1, any Digest, any symmetric Cipher, ASCII <li>PKCS5S2, SHA1/HMac, any symmetric Cipher, ASCII <li>PKCS12, any Digest, any symmetric Cipher, Unicode </ul><p>Defined in Bouncy Castle JCE Provider<table cellpadding=5 cellspacing=0 border=1 width=80%><tr><th>Name</th><th>Key Generation Scheme</th><th>Key Length (in bits)</th></tr><tr><td>PBEWithMD5AndDES</td><td>PKCS5 Scheme 1</td><td>64</td></tr><tr><td>PBEWithMD5AndRC2</td><td>PKCS5 Scheme 1</td><td>128</td></tr><tr><td>PBEWithSHA1AndDES</td><td>PKCS5 Scheme 1</td><td>64</td></tr><tr><td>PBEWithSHA1AndRC2</td><td>PKCS5 Scheme 1</td><td>128</td></tr><tr><td>PBEWithSHAAnd2-KeyTripleDES-CBC</td><td>PKCS12</td><td>128</td></tr><tr><td>PBEWithSHAAnd3-KeyTripleDES-CBC</td><td>PKCS12</td><td>192</td></tr><tr><td>PBEWithSHAAnd128BitRC2-CBC</td><td>PKCS12</td><td>128</td></tr><tr><td>PBEWithSHAAnd40BitRC2-CBC</td><td>PKCS12</td><td>40</td></tr><tr><td>PBEWithSHAAnd128BitRC4</td><td>PKCS12</td><td>128</td></tr><tr><td>PBEWithSHAAnd40BitRC4</td><td>PKCS12</td><td>40</td></tr><tr><td>PBEWithSHAAndTwofish-CBC</td><td>PKCS12</td><td>256</td></tr><tr><td>PBEWithSHAAndIDEA-CBC</td><td>PKCS12</td><td>128</td></tr></table><h3>5.3 Certificates</h3><p>The Bouncy Castle provider will read X.509 certficates (v2 or v3) as per the examples inthe java.security.cert.CertificateFactory class. They can be provided eitherin the normal PEM encoded format, or as DER binaries.<p>The CertificiateFactory will also read X.509 CRLs (v2) from either PEM or DER encodings.<p>In addition to the classes in the org.bouncycastle.ans1.x509 package for certificategeneration a more JCE "friendly" class is provided in the package org.bouncycastle.jce. The JCE "friendly" class supports RSA, DSA, and EC-DSA.<p><h3>5.4 Keystore</h3><p>The Bouncy Castle package has three implementation of a keystore.<p>The first "BKS" is a keystore that will work with the keytool in the samefashion as the Sun "JKS" keystore. The keystore is resistent to tamperingbut not inspection.<p>The second, <b>Keystore.BouncyCastle</b>, or <b>Keystore.UBER</b> will only work with the keytoolif the password is provided on the command line, as the entire keystoreis encryptedwith a PBE based on SHA1 and Twofish. <b>PBEWithSHAAndTwofish-CBC</b>.This makes the entire keystore resistant to tampering and inspection,and forces verification. The Sun JDK provided keytool will attempt to load a keystore even if nopassword is given,this is impossible for this version. (One might wonder about going to allthis trouble and then having the password on the command line! New keytoolanyone?).<p>In the first case, the keys are encrypted with 3-Key-TripleDES.<p>The third is a PKCS12 compatabile keystore. PKCS12 provides a slightlydifferent situation from the regular key store, the keystore password iscurrently the only password used for storing keys. Otherwise it supportsall the functionality required for it to be used with the keytool. In somesituations other libraries always expect to be dealing with Sun certificates,if this is the case use PKCS12-DEF, and the certificates produced by thekey store will be made using the default provider.<p>There is an example program that produces PKCS12 files suitable forloading into browsers. It is in the packageorg.bouncycastle.jce.examples.<p><p><h3>5.5 Additional support classes for Elliptic Curve.</h3><p>There are no classes for supporting EC in the JDK prior to JDK 1.5. If you are usingan earlier JDK you can find classes for using EC in the followingpackages:<ul><li>org.bouncycastle.jce.spec</li><li>org.bouncycastle.jce.interfaces</li><li>org.bouncycastle.jce</li></ul><h3>6.0 BouncyCastle S/MIME</h3>To be able to fully compile and utilise the BouncyCastle S/MIMEpackage (including the test classes) you need the jar files forthe following APIs.<ul><li>Junit - <a href="http://www.junit.org">http://www.junit.org</a><li>JavaMail - <a href="http://java.sun.com/products/javamail/index.html">http://java.sun.com/products/javamail/index.html</a><li>The Java Activation Framework - <a href="http://java.sun.com/products/javabeans/glasgow/jaf.html">http://java.sun.com/products/javabeans/glasgow/jaf.html</a></ul><h3>6.1 Setting up BouncyCastle S/MIME in JavaMail</h3>The BouncyCastle S/MIME handlers may be set in JavaMail two ways.<ul><li> STATICALLY<br>	Add the following entries to the mailcap file:    <pre>    application/pkcs7-signature;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.pkcs7_signature    application/pkcs7-mime;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.pkcs7_mime    application/x-pkcs7-signature;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.x_pkcs7_signature    application/x-pkcs7-mime;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.x_pkcs7_mime    multipart/signed;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.multipart_signed    </pre><li> DYNAMICALLY<br>	The following code will add the BouncyCastle S/MIME handlers dynamically:	    <pre>    import javax.activation.MailcapCommandMap;    import javax.activation.CommandMap;    public static void setDefaultMailcap()    {        MailcapCommandMap _mailcap =            (MailcapCommandMap)CommandMap.getDefaultCommandMap();        _mailcap.addMailcap("application/pkcs7-signature;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.pkcs7_signature");        _mailcap.addMailcap("application/pkcs7-mime;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.pkcs7_mime");        _mailcap.addMailcap("application/x-pkcs7-signature;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.x_pkcs7_signature");        _mailcap.addMailcap("application/x-pkcs7-mime;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.x_pkcs7_mime");        _mailcap.addMailcap("multipart/signed;; x-java-content-handler=org.bouncycastle.mail.smime.handlers.multipart_signed");        CommandMap.setDefaultCommandMap(_mailcap);    }     </pre></body></html>