Download Bouncy Castle for Java FIPS
Welcome to the download page for the FIPS-certified editions of Bouncy Castle Java. In addition to the available access options, including Maven Central and direct download, you will find searchable release notes and links to API and other documentation.
Maven
The Bouncy Castle Java FIPS jars are mirrored on the Maven central repository.
Download from bouncycastle.org
We facilitate effortless downloads through bouncycastle.org, simplifying the process for our users.
Documentation
Check out the Bouncy Castle for Java documentation, including the Java FIPS documentation for clear guidance and examples.
Join the Discussion
You can ask questions and learn from specialists in the Bouncy Castle Java forum on GitHub Discussions. We highly appreciate and value your input.
Report an issue
If you encounter any issues that require attention, feel free to report them in our GitHub repository.
Release notes
Find out detailed information about the latest release and search in older release notes.
Roadmap
Details about our current plans and versions in progress for Java FIPS can be found on the Java FIPS Roadmap.
Donate to support the Bouncy Castle APIs
Supporting Bouncy Castle is now a substantial effort, the Java API is now over 300,000 lines, the C# one well past 140,000.
Bouncy Castle Java FIPS Downloads
Except where otherwise stated, this software is distributed under the regular Bouncy Castle license. For full details of other licenses involved, see Third party licenses.
Distribution Files (JAR format)
Checksums
To confirm the integrity of the distributions, checksums are available:
Release notes
Find out detailed information about the latest Bouncy Castle Java FIPS releases and search in older release notes.
Name: bc-fips-1.0.2.4.jar
Patch release to add Java 17 to bc-fips-1.0.2.3 as an operational environment:
- Removes the risk of CVE 2022-45146.
- Deals with the end of the transition periods for PKCS 1.5 RSA encryption and TDES encryption.
- Bug fixes and some improvements. For details, download this file: BC-FJA-KnownIssues-1.0.2.3.csv.
- Certificate Number: 4616
Defects Fixed
- BC-FJA-1.0.2.3-02: JCA aliases do not correctly reflect JCA attributes for supporting algorithm. This is now fixed.
- BC-FJA-1.0.2.3-03: CVE-2022-45156 Java 13 garbage collector changes result in early finalisation of some keys under high loads with Java 17. This is now fixed.
- BC-FJA-1.0.2.3-04: Default Locale may interfere with ASN.1 dates - module now attempts to identify an ASN.1 friendly locale now identified.
- BC-FJA-1.0.2.3-05: CVE-2023-33202 Possible denial of service by within Bouncy Castle PEM parser class.
Additional Features and Functionality
- End of 2023 transition for Triple-DES encryption. The provider blocks Triple-DES encryption. The following properties can be used to override the default behavior:
org.bouncycastle.tripledes.allow_drbg (allow use with DRBGs)
org.bouncycastle.tripledes.allow_prf (allow use in KDFs)
org.bouncycastle.tripledes.allow_wrap (allow use with key wrapping)
org.bouncycastle.tripledes.allow_enc (allow Triple-DES encryption) - End of 2023 transition for RSA PKCS1.5 encryption. The provider blocks RSA with PKCS1.5 encryption. The following property can be used to override the default behavior:
org.bouncycastle.rsa.allow_pkcs15_enc (allow use of PKCS1.5) - MD5 is now explicitly disabled in approved mode unless the property org.bouncycastle.jsse.enable_md5 is set to true.
- Identification and use of system entropy source optimizations (elimination of possible exception throwing, configuration for thread local SecureRandom provider) All secret key and private key types now provide support for Destroyable. Hex.decodeStrict() added to Hex encoder.