2

I can see bcprov-jdk15 as well as bcprov-jdk16 on my project path. Can there be a scenario where we need both ?

xtratic
  • 4,600
  • 2
  • 14
  • 32
Rajeev Akotkar
  • 1,377
  • 4
  • 26
  • 46
  • Possible duplicate of [Java, Classpath, Classloading => Multiple Versions of the same jar/project](https://stackoverflow.com/questions/6105124/java-classpath-classloading-multiple-versions-of-the-same-jar-project) – xtratic Nov 16 '18 at 19:41
  • It is possible that library you use could depend on `bcprov-jdk15` while another library depends on `bcprov-jdk16`. But the issue is that Java can't easily distinguish between different versions of the same qualified names. Often you can use the higher version if that dependency (in this case Bouncy Castle) maintained backwards compatibility. See [this link](https://www.quora.com/Is-there-a-way-to-use-multiple-versions-of-the-same-dependency-when-building-with-Maven-or-Gradle) as well. – xtratic Nov 16 '18 at 19:52

3 Answers3

7

The 15 and 16 point to JRE 1.5 and 1.6 for compatibility. Your version is 1.46 at most because that's the latest version where the JDK 1.5 and 1.6 were targeted separately. The 1.46 version was created on February 2011. The current version is 1.60, July 2018.

So you do not need nor should want either of those jars. You probably want the latest, otherwise you may be behind with regard to security fixes. Note that you should do some testing to see if the latest version runs with your code and change your code if it doesn't. Generally Bouncy Castle libs are backwards compatible, but some components such as its own ASN.1 API have gone through some serious changes.

So you'd better use this one from the Maven repository or download the latest from the Bouncy Castle site itself. You should use the one with 15on, which is for all versions of Java equal or greater than 1.5 (on = onwards).

Storing these jars without their version number is of course ludicrous. If you need to rename .jar files just to make your code run then there are some issues that you need to address.

Maarten Bodewes
  • 90,524
  • 13
  • 150
  • 263
  • Yes you are correct I am using bcprov-jdk16-1.46 along with bcprov-jdk15on-1.60.If I have understood this correctly then removing bcprov-jdk16-1.46 this shoudnt be havin any impact as bcprov-jdk15on-1.60 will be having all the features . – Rajeev Akotkar Nov 17 '18 at 04:02
  • Yes, in almost all cases that shouldn't have any impact. I've actually seen cases where removing BC entirely didn't do any harm, but that's less likely. Please try to remove 1.46 and test the software! – Maarten Bodewes Nov 17 '18 at 04:07
  • And? Did it work? Please don't forget to upvote good answers and accept one of them. I see you have ever accepted a single answer, so it seems you know what to do. Accepted answers helps others and it is the best way of saying thanks on StackExchange. Maybe it is time to revisit some of the old questions? – Maarten Bodewes Nov 27 '18 at 06:55
1

The java version is relevant to Bouncy Castle. What you have are jars for Java 1.5 and Java 1.6
You should have only 1 in your classpath and use the Bouncy Castle jar closest to your Java runtime environment version. When you have more than one, you dont know which version of the code is being run. Class loading orders are not guaranteed and typically differs across environments, java versions, etc. You are more likely to have bugs that are difficult to reproduce when you have two versions of the same jar.

John Camerin
  • 677
  • 5
  • 15
0

What is important is the last 3 digits in the version e.g. 149 in bcprov-jdk15on-149.jar. This is the actual version of Bouncy Castle. Pick whichever is the newer one.

You should analyze your classpath dependencies (e.g. mvn dependency:tree) to understand which versions are you actually using. In principle the newer version should be backward compatible but this is not guranteed and there could be bugs.

Karol Dowbecki
  • 43,645
  • 9
  • 78
  • 111