New Java release offers MLS support, improved OSGi support, and security updates

Bouncy Castle Java 1.78.1

Messaging Layer Security (MLS) support

Bouncy Castle Java now has an additional API supporting Messaging Layer Security (MLS) as described in RFC 9420. This new feature is interesting for anyone interested in implementing secure communications between more than two endpoints. If you want to know more about MLS, there is a good article on wire.com, and you can also read more on messaginglayersecurity.rocks.

MLS provides a protocol that provides efficient asynchronous group key establishment with forward secrecy and post-compromise security for groups ranging in size from two to thousands. Unlike TLS which supports two endpoints, MLS allows you to connect multiple endpoints efficiently. The new API would be of interest to anyone trying to allow for efficient secured multi-party conversations.

Improved OSGi support

OSGi, Open Service Gateway Initiative, is a Java application container framework that allows multiple versions of different jars to be used in parallel. This update provides the necessary metadata for OSGi to recognize all the capabilities of the Bouncy Castle multi-release jars.

To delve deeper into this, the prior release supported multi-release classes but not the comprehensive multi-release support. With the additional metadata tailored for OSGi, backward compatibility Bouncy Castle users can now make full use of features in newer JVMs like Java 17 and Java 21, all while maintaining compatibility stretching back to Java 8.

Bouncy Castle Java 1.78.1 also upgrades the jars to be compatible with the multi-release version of OSGi. This should eliminate previous issues related to OSGi containers not having a clear view of the capabilities of some of the jars. Additional changes have been made to lock down the version better to prevent accidental API overlap.

Security Updates

The 1.78.1 release also deals with 4 CVEs. We wish thank the external researchers that found and reported the issues.

As this is the case, all Bouncy Castle Java users should consider updating to this release, particularly if you use the BC JSSE/TLS APIs or accept certificates created using Ed25519.

Release 1.78.1 deals with the following CVEs:

• CVE-2024-29857 - Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.
• CVE-2024-30171 - Possible timing-based leakage in RSA based handshakes due to exception processing eliminated.
• CVE-2024-30172 - Crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.
• CVE 2024-34447 - When endpoint identification is enabled in the BCJSSE and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address.

Try it out

Learn more in the release notes or download the new release to try it out for yourself:

Download