Decouple CertUtil to use both BC and BCFIPS

[strehle]

This PR was created because of an issue with the chain
From spring-security we load opensaml5 and this uses this project.

Until a certain version is was possible to run spring and opensaml with BCFIPS variant of bouncy castle but with the PR #68 there was a hard dependency to BC introduced.

This PR removes the hard dependency and allows again both providers

[dfish3r]

Sorry it's taken me so long to get to this PR. I'd like to add a test with the BCFIPS provider available. What does your classpath look like when using the FIPS provider? Do you add bc-fips and exclude bcprov-jdk18on? Can these two jars co-exist?

[strehle]

Sorry it's taken me so long to get to this PR. I'd like to add a test with the BCFIPS provider available. What does your classpath look like when using the FIPS provider? Do you add bc-fips and exclude bcprov-jdk18on? Can these two jars co-exist?

No they cannot co-exist, because they offere the same APIs behind their providers, so there would be classpath collisions or runtime errors. Both offer the usage of security providers, but in your case you.used directly classes from one providers, unfortunatly for us the wrong ones. Yes we exclude the bcprov-jdk18* libraries and use these here https://github.com/cloudfoundry/uaa/blob/develop/gradle/libs.versions.toml . Your library is used in opensaml and our goal is to use opensaml with FIPS compliant libraries

FYI here is a post with more insights about co-existance: https://security.stackexchange.com/questions/274212/what-is-the-main-difference-between-bcprov-and-bc-fips-bouncycastle-jar
It may work to have both libraries in classpath but the usage must be separated means use the security providers to access the libraries