1. Home
  2. /
  3. Resources
  4. /
  5. New Releases: Bouncy Castle Java 1.84 and Bouncy Castle Java LTS 2.73.11

New Releases: Bouncy Castle Java 1.84 and Bouncy Castle Java LTS 2.73.11

hero-sub-3
Keyfactor Release

2026-05-12

The Bouncy Castle team is pleased to announce the release of Bouncy Castle Java 1.84 and Bouncy Castle Java LTS 2.73.11.

These releases include the FIPS-compliant keystore PKCS12-PBMAC1, updated OpenPGP support, and fixed CVEs. Bouncy Castle Java 1.84 also offers PQC support for Java 17 users.

Key Updates

FIPS-Compliant Keystore PKCS12-PBMAC1

A PKCS12-PBMAC1 keystore has been added, which is FIPS-compliant, uses PBMAC1, and supports RFC 9879.

The implementation is done in conjunction with the FIPS BCJSSE provider, which now also supports the PKCS12-PBMAC1 KeyStore in both bctls-fips-2.0.23 and bctls-fips-2.1.23.

PQC Support for Java 17 Users (Bouncy Castle Java 1.84)

With Bouncy Castle Java 1.84, Java 17 users can now use the PQC algorithms ML-KEM and NTRU via the Java KEM API. This update is in line with Oracle backporting the KEM API to Java 17.

The KEM API is the standard mechanism for using KEMs in Java. Having access to it in Java 17 will allow users to port programs using the KEM API across a wider range of JVMs.

Updated OpenPGP Support (New Draft RFCs)

The PGP APIs have been updated to ensure compatibility with GPG (GNU Privacy Guard) and the new draft RFCs that describe the OpenPGP protocol.

Updates include added encryption key filtering by purpose, a new OpenPGPKey constructor, KeyPassphraseProvider-based passphrase change, wildcard (anonymous) recipient handling, and Web of Trust methods for third-party signature chains and delegations.

Fixed CVEs

Fixes for the following CVEs:

  • CVE-2025-14813 – GOSTCTR implementation unable to process more than 255 blocks correctly
  • CVE-2026-0636 – LDAP Injection Vulnerability in LDAPStoreHelper.java
  • CVE-2026-3505 – Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion
  • CVE-2026-5588 – PKIX draft CompositeVerifier accepts empty signature sequence as valid
  • CVE-2026-5598 – Non-constant time comparisons risk private key leakage in FrodoKEM

Release Notes

Bouncy Castle Java 1.84
Bouncy Castle Java LTS 2.73.11

Download

Both Bouncy Castle Java 1.84 and Java LTS 2.73.11 are now available on Maven Central and on bouncy castle.org/download. Software Bill of Material (BOM) files are available on Maven Central for both versions.

Download JavaDownload Java LTS

Related resources

Keyfactor Release
Signing
Release
17 December, 2025

New Community Release: SignServer 7.3.2

This release of SignServer Community edition brings expanded REST options and...
Read more
Keyfactor Release
Installation & Deployment
Post-Quantum Cryptography
Release
17 December, 2025

New Community Release: EJBCA 9.3

This release of EJBCA Community edition includes several new features, includ...
Read more
Close