First of all, bcprov contains the Java security provider as well as the "lightweight API". Quite often this library is simply referred to as "Bouncy Castle", shortened to the acronym "BC" as provider name in Java. These providers provide SPI's (service provider implementations) or implementation classes that allow specific algorithms to be used by the Cipher, Signature, MessageDigest and Mac classes (etc.) that provide a unified API for your applications.
The Bouncy Castle library has it's own specific architecture and API. It is this public API is generally revered to as the "lightweight API". The Bouncy Castle library provides most of this functionality as services that are registered using the Bouncy Castle provider implementation. That way the supplied algorithms can be used from generic classes such as Cipher.
The library also contains a lot of utility classes, some of which are simply required to implement the provider. All the implementation classes are available to the user, which means that the lightweight API is a bit of a maze. It also means that there is a chance that updates break software that make use of the lightweight API. For instance, there have been a few updates of the ASN.1 encoder / decoder that weren't backwards compatible.
The main reason to use the Bouncy Castle library is the extended functionality that is provided. For instance, the Bouncy Castle provider provides a lot of ciphers that are not present in the standard Java runtime. However, you should keep in mind that the algorithms that are provided by the Java runtime can be optimized to use CPU speedups and may receive better testing. So before choosing it you should definitely check if the algorithms are not present in the Java provided algorithms.
A relatively new development is the support for CPU hardware acceleration when using an LTS release - currently only on Linux.
bcfips is the certified FIPS provider. FIPS uses a specific set of algorithms defined by NIST and bcfips therefore contains a subset of the functionality provided by bcprov. FIPS also has strict rules when it comes to e.g. destruction of key material. FIPS certification is rather expensive and time consuming and BC would want you to get a support contract when using their FIPS provider.
You may need this library if your software is required to use FIPS certified algorithm implementations. Note that they will still be implemented in software and will therefore e.g. not use AES acceleration.
Now bcpkix is a different beast altogether. It provides support for "PKIX/CMS/EAC/PKCS/OCSP/TSP/OPENSSL" protocols and container formats.
The following modules are present:
- PKIX (in the
cert package) means "X.509 based Public Key Infrastructure and contains support for certificates, certificate requests, CRL's etc.; the same type of certificates that are used for TLS that is used for HTTPS, i.e. the secure connections that your browser uses. There are some separate related packages inside the main package:
cmc: Certificate Management over CMSdvcs: Data Validation and Certification Server Protocolsest: Enrollment over Secure Transport
- CMS means Cryptographic Message Syntax, a format to envelope (i.e. encrypt) and sign messages in a structural way. CMS is also known as PKSC#7 (
.p7 file extension) which is the standard in which it is defined. CMS is a flexible, descriptive format, i.e. it indicates which algorithms are used and helps with key management. It uses X.509 certificates and is based on the same technology.
- MIME: related to CMS, SMIME is the use of CMS within the email protocols.
- EAC is a technology used for European ePassports. It stands for Extended Access Control, which can be used to gain access to e.g. the fingerprint or - in the case of the German passport - additional personal information, assuming you've got the right set of certificates and keys of course.
- PKCS stands for Public Key Cryptographic Standards, historically created by "RSA Laboratories", however the classes mainly seem to support PKCS#8 (private key storage), PKSC#10 (certification requests) and PKCS#12 (key / trust stores). This adds support to create and parse files with
.p8, .p10 / .csr and .12 / .pfx file extensions.
- OCSP is the Online Certificate Status Protocol, used to check the status of X.509 certificates, e.g. when using TLS.
- TSP means Time Stamping Protocol, a method of signing messages together with a date / time from a trusted source (it can also mean Trusted Service Provider, but here it doesn't).
- OpenSSL is of course a library and application. It has some specific / proprietary methods concerning key derivation from passwords and the application of these to encrypt / decrypt PKCS#8 private keys.
The operator in the PKIX library seems to be a way to operate directly on the "lightweight API" or on the JCA provided API using a generalized interface (basically a way of performing dependency injection).
You'd use this library if you need to implement any of the higher level protocols / container formats. Many of these formats are relatively old, so you might be looking for e.g. NaCL instead of CMS. That said, CMS certainly can be secured and having these protocols implemented is great for (backwards) compatibility with existing systems.
If I'm not mistaken the PKIX library can be used without installing the Bouncy Castle ("BC") provider, except when you're using specific algorithms not provided by the existing providers in your Java runtime.
Unfortunately the documentation of Bouncy Castle is very sparse, most packages do not even explain what they are for or how they can be used. There isn't a huge amount of JUnit tests or demo applications either.
