1. Home
  2. /
  3. Download
  4. /
  5. Download Bouncy Castle Java FIPS

Download Bouncy Castle for Java FIPS

Welcome to the download page for the FIPS-certified editions of Bouncy Castle Java. In addition to the available access options, including Maven Central and direct download, you will find searchable release notes and links to API and other documentation.

Bouncy Castle Java
hero-sub-2

Documentation

Check out the Bouncy Castle for Java documentation, including the Java FIPS documentation for clear guidance and examples.

View the Documentation

Join the Discussion

You can ask questions and learn from specialists in the Bouncy Castle Java forum on GitHub Discussions. We highly appreciate and value your input.

Go to GitHub Discussions

Report an issue

If you encounter any issues that require attention, feel free to report them in our GitHub repository. 

Report an Issue

Release notes

Find out detailed information about the latest release and search in older release notes.

Go to Release notes

Roadmap

Details about our current plans and versions in progress for Java FIPS can be found on the Java FIPS Roadmap.

View Roadmap

Donate to support the Bouncy Castle APIs

Supporting Bouncy Castle is now a substantial effort, the Java API is now over 300,000 lines, the C# one well past 140,000.

Donate

Bouncy Castle Java FIPS Downloads

Except where otherwise stated, this software is distributed under the regular Bouncy Castle license. For full details of other licenses involved, see Third party licenses

Distribution Files (JAR format)

The 2.1.0 release, BC-FJA 2.1.0 (Certificate #4943) , is certified for use on Java 8, Java 11, Java 17 and Java 21. The 2.1.1 release is a patch release on 2.1.0, going into submission. For differences see the release notes.

Note: as with the regular Java BC release, this distribution now has a bcutil jar containing classes that do not need to be in the certified provider jar. For most purposes you will need to include the bcutil jar in your application. Please see the release notes for details on this release.

Provider (patched) bc-fips-2.1.1.jar bc-fips-2.1.1-sources.jar bc-fips-2.1.1-javadoc.jar
Provider bc-fips-2.1.0.jar bc-fips-2.1.0-sources.jar bc-fips-2.1.0-javadoc.jar
ASN.1 Utility Classes bcutil-fips-2.1.4.jar bcutil-fips-2.1.4-sources.jar bcutil-fips-2.1.4-javadoc.jar
PKIX/CMS/EAC/PKCS/OCSP/TSP/OPENSSL bcpkix-fips-2.1.9.jar bcpkix-fips-2.1.9-sources.jar bcpkix-fips-2.1.9-javadoc.jar
SMIME bcmail-fips-2.1.6.jar bcmail-fips-2.1.6-sources.jar bcmail-fips-2.1.6-javadoc.jar
Jakarta SMIME bcjmail-fips-2.1.6.jar bcjmail-fips-2.1.6-sources.jar bcjmail-fips-2.1.6-javadoc.jar
OpenPGP/BCPG bcpg-fips-2.1.11.jar bcpg-fips-2.1.11-sources.jar bcpg-fips-2.1.11-javadoc.jar
DTLS/TLS API/JSSE Provider bctls-fips-2.1.20.jar bctls-fips-2.1.20-sources.jar bctls-fips-2.1.20-javadoc.jar

The 2.0.0 release, BC-FJA 2.0.0 (Certificate #4743) , is certified for use on Java 8, Java 11, Java 17 and Java 21.

Note: as with the regular Java BC release, this distribution now has a bcutil jar containing classes that do not need to be in the certified provider jar. For most purposes you will need to include the bcutil jar in your application though. Other details on differences between the 1.0.2 series and the 2.0.0 can be found in the porting guide.

Provider bc-fips-2.0.1.jar bc-fips-2.0.1-sources.jar bc-fips-2.0.1-javadoc.jar
Provider bc-fips-2.0.0.jar bc-fips-2.0.0-sources.jar bc-fips-2.0.0-javadoc.jar
ASN.1 Utility Classes bcutil-fips-2.0.3.jar bcutil-fips-2.0.3-sources.jar bcutil-fips-2.0.3-javadoc.jar
PKIX/CMS/EAC/PKCS/OCSP/TSP/OPENSSL bcpkix-fips-2.0.8.jar bcpkix-fips-2.0.8-sources.jar bcpkix-fips-2.0.8-javadoc.jar
SMIME bcmail-fips-2.0.5.jar bcmail-fips-2.0.5-sources.jar bcmail-fips-2.0.5-javadoc.jar
Jakarta SMIME bcjmail-fips-2.0.5.jar bcjmail-fips-2.0.5-sources.jar bcjmail-fips-2.0.5-javadoc.jar
OpenPGP/BCPG bcpg-fips-2.0.9.jar bcpg-fips-2.0.9-sources.jar bcpg-fips-2.0.9-javadoc.jar
DTLS/TLS API/JSSE Provider bctls-fips-2.0.20.jar bctls-fips-2.0.20-sources.jar bctls-fips-2.0.20-javadoc.jar

The 1.0.2.4 release, BC-FJA 1.0.2.4, is certified for use on Java 7, Java 8, Java 11, and Java 17.

Provider bc-fips-1.0.2.4.jar bc-fips-1.0.2.4-sources.jar bc-fips-1.0.2.4-javadoc.jar
PKIX/CMS/EAC/PKCS/OCSP/TSP/OPENSSL bcpkix-fips-1.0.7.jar bcpkix-fips-1.0.7-sources.jar bcpkix-fips-1.0.7-javadoc.jar
SMIME bcmail-fips-1.0.4.jar bcmail-fips-1.0.4-sources.jar bcmail-fips-1.0.4-javadoc.jar
Jakarta SMIME bcjmail-fips-1.0.4.jar bcjmail-fips-1.0.4-sources.jar bcjmail-fips-1.0.4-javadoc.jar
OpenPGP/BCPG bcpg-fips-1.0.7.1.jar bcpg-fips-1.0.7.1-sources.jar bcpg-fips-1.0.7.1-javadoc.jar
DTLS/TLS API/JSSE Provider bctls-fips-1.0.19.jar bctls-fips-1.0.19-sources.jar bctls-fips-1.0.19-javadoc.jar
Checksums

To confirm the integrity of the distributions, checksums are available:

Download BC-FJA 1.0.2.4 Checksums

Download BC-FJA 2.0.0 Checksums

Download BC-FJA 2.1.0 Checksums

Maven Central Signing Key

If you are trying to confirm the signatures for artifacts from Maven Central, you can use the public key linked below.

Download bc_maven_public_key.asc

Release notes

Find out detailed information about the latest Bouncy Castle Java FIPS releases and search in older release notes.  

Latest release Release BC-FJA 2.1.1 Release BC-FJA 2.1.0 Release BC-FJA 2.0.1 Release BC-FJA 2.0.0 Release BC-FJA 1.0.2.4 Release BC-FJA 1.0.2.3 Release BC-FJA 1.0.2.2 Release BC-FJA 1.0.2.1 Release BC-FJA 1.0.2 Release BC-FJA 1.0.1 Release BC-FJA 1.0.0
Release BC-FJA 2.0.1
21 August, 2025
Name: bc-fips-2.0.1.jar Defects Fixed CVE-2025-8885 Possible DOS in processing specially formed ASN.1 Object Identifiers – a size limit of 4096 bytes...

Name: bc-fips-2.0.1.jar

Defects Fixed

  • CVE-2025-8885 Possible DOS in processing specially formed ASN.1 Object Identifiers – a size limit of 4096 bytes has been placed on encoded ASN.1 OIDs. See the details in the NVD record: CVE-2025-8885.
  • PKCS#12 implementation now coded to always use the BCFIPS provider. This prevents occassional NoSuchAlgorithmExceptions where KeyStore.getInstance() is used to set the provider object to use.
  • The jar now contains OSGI details in the MANIFEST including multi-release information.
  • A potential compatibility issue around OCSP CertID using NULL or absent parameters has been addressed in order to prevent OCSP cache issues.
  • The module-info now includes the org.bouncycastle.asn1.cryptlib package.
  • The CipherInputStream class would sometimes fail on finalization for AEAD ciphers used in MAC-only mode due to not priming the cipher if there was no attempt to read. This has been fixed.
  • The BCFKS implementation will now recognise HMAC-SHA-3 and KMAC secret keys.
  • The jar now contains multiple checksums which will allow it to be used with jlink providing the JVM involved does not require signed providers. Note: this feature is not cleared as FIPS compliant (yet).
Close