New Release: Composite Signatures, Unsigned Certificates, and CRMF/CMP challenge-response.

Bringing first-to-market PQC innovations, new IETF-backed standards, expanded Java 25 compatibility, and enhanced CMP/CRMF capabilities. 

We are excited to announce the release of Bouncy Castle Java 1.83, introducing several significant new features driven by emerging post-quantum standards, customer demand, and ongoing alignment with the evolving Java platform. This release delivers major enhancements for organizations preparing for PQC migration, firmware signing workflows, trust anchor optimization, and certificate issuance for next-generation KEM keys.
Below is an overview of the key new capabilities in Bouncy Castle Java 1.83.

Composite Signatures (First to Market)

For firmware signing, hybrid deployments, and PQC transition strategies 

The newly accepted IETF Composite Signatures draft is now supported in Bouncy Castle Java. Composite signatures combine ML-DSA with a classical signature algorithm of equivalent pre-PQC strength, offering an “off-the-shelf” hybrid mechanism for those seeking added resilience or wanting to hedge against algorithmic uncertainty.

Key Benefits:

• Enables PQC and classical algorithms to function side-by-side.
• Ideal for firmware signing and long-lived assets.
• Uses officially assigned IANA OIDs and aligns with evolving industry best practices.

This feature was driven directly by interest from some of our largest customers and positions Bouncy Castle Java as a leader in PQC hybrid adoption. Read more and explore our #KEYMASTER episode about the Current state of composites signatures and certificates 

Unsigned X.509 Certificates (Trust Anchor Size Reduction)

For teams optimizing trust anchors for PQC-era algorithms 

Bouncy Castle Java now supports the upcoming IETF “Unsigned X.509 Certificates” draft (with IANA OID id-alg-unsigned). This standard allows trust anchors to omit the digital signature entirely—replacing it with a zero-length value, since trust anchors must inherently be accepted without validation.

Practical Impact:

• Significantly reduces size of PQC trust anchors (especially for algorithms like SLH-DSA).
• Produces more compact certificate encodings across all modern algorithms.
• Highly relevant for environments with constrained storage or large trust anchor sets.

Given the rapid move toward PQC, we expect strong demand from customers looking to streamline certificate storage and distribution. Read more and explore our #KEYMASTER episode about: Introducing Unsigned X.509 Certificates for a Simpler Root of Trust

Support for Java 25 KDF API

HKDF, PBKDF2, and SCRYPT via the new standard Java interface

Java 25 introduces a formal Key Derivation Function (KDF) API, including standard naming for several HKDF variants and their parameters. Bouncy Castle Java 1.83 adds full support for this API, including HKDF, PBKDF2, and SCRYPT.

What This Enables

• Ensures BC Java compatibility and consistency with Oracle’s new platform standard.
• SCRYPT provides memory-hard resistance against specialized hardware attacks.
• Supports modern workflows, including ML-KEM key establishment scenarios.

Demonstrates our commitment to staying aligned with the core Java ecosystem while giving developers continuity across both Bouncy Castle and Oracle-provided interfaces.

Enhanced CRMF/CMP Support for KEM Keys (Alternative POP Mechanism)

For certificate issuance workflows that avoid the limitations of certEncr 

Bouncy Castle Java 1.83 now implements the CRMF/CMP challenge-response approach for Proof-of-Possession (POP) of KEM public keys, an alternative to the widely used certEncr method.

Operational Advantages

• Allows CAs to confirm private key possession before issuing a certificate.
• Avoids issuing certificates that must be published (e.g., CT logs) without client confirmation.
• Provides a standards-based POP path for scenarios where certEncr is not preferred or possible.

This feature directly supports customers designing modern PKIs for KEM algorithms as part of PQC migration. Read more and explore our #KEYMASTER episode about Can PKCS10 handle post-quantum certificates

Get Started with Bouncy Castle Java 1.83

Bouncy Castle Java 1.83 continues our commitment to delivering cutting-edge cryptographic capabilities backed by open standards and real-world customer needs. With significant advancements in PQC readiness, trust anchor optimization, Java platform integration, and CMP/CRMF workflows, this release provides essential building blocks for modern security architectures.

Download

Bouncy Castle Java 1.83 is now available on Maven Central and on bouncy castle.org/download. Release notes 

Download Java

If you have questions or need help planning your migration strategy, our team is here to support you. Sign up for support: https://www.bouncycastle.org/support/