The Bouncy Castle library has an OpenPGP Maven listing which specifies that it relies during compile time on the Bouncy Castle Provider, which is a separate module / artifact / library / .jar file. However, the OpenPGP library has been build on top of the Java Cryptography Architecture (JCA) per its own specifications (using e.g. Cipher with a CipherSpi implementation for instance, provided by a Java security provider).

How does the OpenPGP library depend on the Bouncy Castle provider?

• Does it use the library directly through the "lightweight" API (is it really a compile time requirement, in other words)?
• Does it depend on cryptographic functions in the library for common OpenPGP functionality?
• Does it depend on cryptographic functions in the library to implement specific functionality such as Elliptic Curves?

If it depends on runtime functionality, should the provider be placed in a specific location in the prioritized list of providers?

Is it required for the OpenPGP API version and Bouncy Castle provider version to match?