2024-05-22
Bouncy Castle Java 1.78.1
Bouncy Castle Java now has an additional API supporting Messaging Layer Security (MLS) as described in RFC 9420. This new feature is interesting for anyone interested in implementing secure communications between more than two endpoints. If you want to know more about MLS, there is a good article on wire.com, and you can also read more on messaginglayersecurity.rocks.
MLS provides a protocol that provides efficient asynchronous group key establishment with forward secrecy and post-compromise security for groups ranging in size from two to thousands. Unlike TLS which supports two endpoints, MLS allows you to connect multiple endpoints efficiently. The new API would be of interest to anyone trying to allow for efficient secured multi-party conversations.
OSGi, Open Service Gateway Initiative, is a Java application container framework that allows multiple versions of different jars to be used in parallel. This update provides the necessary metadata for OSGi to recognize all the capabilities of the Bouncy Castle multi-release jars.
To delve deeper into this, the prior release supported multi-release classes but not the comprehensive multi-release support. With the additional metadata tailored for OSGi, backward compatibility Bouncy Castle users can now make full use of features in newer JVMs like Java 17 and Java 21, all while maintaining compatibility stretching back to Java 8.
Bouncy Castle Java 1.78.1 also upgrades the jars to be compatible with the multi-release version of OSGi. This should eliminate previous issues related to OSGi containers not having a clear view of the capabilities of some of the jars. Additional changes have been made to lock down the version better to prevent accidental API overlap.
The 1.78.1 release also deals with 4 CVEs. We wish thank the external researchers that found and reported the issues.
As this is the case, all Bouncy Castle Java users should consider updating to this release, particularly if you use the BC JSSE/TLS APIs or accept certificates created using Ed25519.
Release 1.78.1 deals with the following CVEs:
Learn more in the release notes or download the new release to try it out for yourself: