Mirko Caserta has released Bruce 2.0, a library that wraps JCA with a clean API. As such, it attempts to address the same gap for cryptography that commons email covers for JavaMail: the underlying library is technically correct - the best kind of correct - but a bear to use, and that difficulty creates a barrier that prevents people who really should use the specification from being willing to lean into it.
\nJCA works, of course. It's just that using it requires knowledge that casual practitioners aren't likely to have, and this means that we are forced into either learning the ins and outs of cryptography to have decent data security, or we cargo-cult security concerns. It'd be like asking someone to master physics when all they want to do is fly a remote control plane; airflow is important to those designing planes, but requiring a degree for such things is a little much, when even young children are able to come up with paper airplanes that fly well.
\nBruce takes the agony of all the nuts and bolts of security and, well, fixes it. From this, stolen shamelessly from "Digital signatures in Java: the hard way vs. the Bruce way":
\n// Load the keystore\nKeyStore keystore = KeyStore.getInstance("PKCS12");\ntry (InputStream is = new FileInputStream("keystore.p12")) {\n keystore.load(is, "changeit".toCharArray());\n}\n\n// Extract keys\nPrivateKey privateKey = (PrivateKey)\n keystore.getKey("alice", "changeit".toCharArray());\nPublicKey publicKey =\n keystore.getCertificate("alice").getPublicKey();\n\nbyte[] message = "Transfer $500 to Alice".getBytes("UTF-8");\n\n// Sign\nSignature signer = Signature.getInstance("SHA256withRSA");\nsigner.initSign(privateKey);\nsigner.update(message);\nbyte[] signatureBytes = signer.sign();\n\n// Encode for transport\nString encoded = Base64.getEncoder().encodeToString(signatureBytes);\n\n// Decode and verify\nbyte[] decoded = Base64.getDecoder().decode(encoded);\nSignature verifier = Signature.getInstance("SHA256withRSA");\nverifier.initVerify(publicKey);\nverifier.update(message);\nboolean isValid = verifier.verify(decoded);\n... to this:
\nvar keystore = keystore(\n "classpath:keystore.p12", \n "changeit".toCharArray(), \n "PKCS12");\nvar privateKey = privateKey(keystore, "alice", "changeit".toCharArray());\nvar publicKey = publicKey(keystore, "alice");\n\nvar signer = signerBuilder()\n .key(privateKey)\n .algorithm("SHA256withRSA")\n .build();\n\nvar verifier = verifierBuilder()\n .key(publicKey)\n .algorithm("SHA256withRSA")\n .build();\n\nvar message = Bytes.from("Transfer $500 to Alice");\nvar signature = signer.sign(message);\nvar encoded = signature.encode(BASE64); // ready for transport\nvar isValid = verifier.verify(message, Bytes.from(encoded, BASE64));\nI'll be clear: I'm not a cryptographer, and the technical correctness of Bruce isn't something I can vouch for personally. Security libraries earn trust slowly and should - this is not the domain where "looks good to me" is sufficient due diligence. Read the documentation, examine the source, and run your tests. Run all your tests. Write new ones. The exposure surface for cryptographic code is meaningfully different from, say, a misbehaving email client.
\nBut the API design is immediately legible, the intent is clear, and the problem it solves is real. If it holds up under scrutiny - and that scrutiny is your job for your projects, not mine - Bruce looks like exactly the kind of thing the Java ecosystem needed someone to build.
","excerpt":"Mirko Caserta has released Bruce 2.0, a library that wraps JCA with a clean API. Bruce takes the agony of all the nuts and bolts of security and, well, fixes it. Security libraries earn trust slowly and should - this is not the domain where \"looks good to me\" is sufficient due diligence, but the reduced API surface might be a good thing for the normative case.","authorId":"019c5c8a-609d-7cd4-975b-50bbcc412a33","authorDisplayName":"dreamreal","status":"APPROVED","publishedAt":"2026-03-25T13:09:35.407Z","sortOrder":0,"createdAt":"2026-03-25T13:09:28.299082Z","updatedAt":"2026-03-25T15:08:42.081393Z","commentCount":0,"tags":["bruce","cryptography","java","jca"],"categories":[],"markdownSource":null}