|Follow us on:|
Latest Java Releases
Release 1.68 is now available for download.
This release is a primarily about TLS and to alert people to a recent CVE. Concerning TLS, the BCJSSE now supports TLS 1.3 and session resumption for TLS 1.2 and earlier. A few small bugs in the ASN.1 library and PGP package have also been fixed and the PGPSignatureSubpacketGenerator now supports the editing of a pre-existing signature sub-packet list.
Security Advisory As described in CVE-2020-28052, the OpenBSDBCrypt.checkPassword() method had a flaw in it due to a change for BC 1.65. BC 1.66 is also affected. The issue was fixed in BC 1.67. If you are using OpenBSDBCrypt.checkPassword() and you are using BC 1.65 or BC 1.66 we strongly advise either not using the utility method or moving to BC 1.67 or later. We would like to thank Matti Varanka and Tero Rontti from the Synopsys Cybersecurity Research Center for finding the problem and bringing it to our attention.
Further details on other additions and bug fixes can be found in therelease notesfile accompanying the release.
Java Version Details With the arrival of Java 15. jdk15 is not quite as unambiguous as it was. The jdk15on jars are compiled to work with anything from Java 1.5 up. They are also multi-release jars so do support some features that were introduced in Java 9, Java 11, and Java 15. If you have issues with mulit-release jars see the jdk15to18 release jars below.
Change Warning (users of 1.52 or earlier): The PEM Parser now returns an X509TrustedCertificate block when parsing an openssl trusted certificate, the new object was required to allow the proper return of the trusted certificate’s attribute block. Please also see the porting guide for advice on porting to this release from much earlier ones (release 1.45 or earlier).
Further Note (users of Oracle JVM 1.7 or earlier, users of “pre-Java 9” toolkits): As of 1.63 we have started including signed jars for “jdk15to18”, if you run into issues with either signature validation in the JCE or the presence of the multi-release versions directory in the regular “jdk15on” jar files try the “jdk15to18” jars instead. Please also note the JCE certificate in the public access versions of Oracle Java 6 (6u45) and Oracle Java 7 (7u80) is expiring on the 20th April this year (2020). Oracle does distribute JVMs for Java 6 and Java 7 with a newer, and stronger, certificate to holders of Java Support Contracts.
Others have contributed to this release, both with code and/or financially and you can find them listed in the contributors file. We would like to thank holders of Crypto Workshop support contracts for additional time that was contributed back to this release through left over consulting time provided as part of their support agreements. Thank you, one and all!
If you’re interested in grabbing the lot in one hit (includes JCE, JCE provider, light weight API, J2ME, range of JDK compatibility classes, signed jars, fries, and king prawns…) download crypto-168.tar.gz or crypto-168.zip, otherwise if you are only interested in one version in particular, see below. Early access to our FIPS hardened version of the Java APIs is now available for both BC-FJA 1.0.3 and BC-FJA 2.0.0 as well, contact us at email@example.com for further information.
Get the most out of your Bouncy Castle experience!
Get a support contract through Crypto Workshop. We have found two things that distinguish our support contract holders from our regular user base. Developers with access to a support contract are more likely to raise an issue with us early rather than try and muddle through, and developers with access to a support contract also take a more active interest in the beta releases, both FIPS and non-FIPS. The second one is useful as it means any issues or shortfalls in the beta are able to be fixed while the updates are still in beta. The first one is a real cost saver as it does not lead to us receiving emails starting with “Our development team has spent (some number of) weeks trying to work out…” It is much cheaper to have a support contract!
Signed JAR files
From release 1.40 some implementations of encryption algorithms were removed from the regular jar files at the request of a number of users. Jars with names of the form *-ext-* still include these (at the moment the list is: NTRU).
The following signed provider jars are provided so that you can make use of the debug information in them. In the case of the non-provider jars (bcpkix, bcpg, and bcmail), the jar files do not need to be signed to work. You can rebuild them with debug turned on, or operate directly from the source, if you need.
Sources and JavaDoc
- The tar archives were created using GNU tar (some versions of Solaris tar will have problems extracting them)
- The J2ME source distribution includes zips for the class files
You can find the release notes, documentation, and specifications here.
You can find checksums for confirming the integrity of the distributions here
Too slow? You can also find the latest versions on one of our mirrors:
The current working betas, when available, for the next release for JDK 1.5 to JDK 1.15 can be found at https://www.bouncycastle.org/betas. If you need a beta to be made available for another version of Java please ask by emailing firstname.lastname@example.org.
The BC jars are now mirrored on the Maven central repository. You can find them at https://repo1.maven.org/maven2/org/bouncycastle.
Just want to look at the source? The source code repository is now mirrored on GitHub and accessible from here. The repository can be cloned using either
git clone https://github.com/bcgit/bc-java.git or git protocol git clone git://github.com/bcgit/bc-java.git
Previous releases, as well as the latest ones, can be downloaded from our ftp server ftp.bouncycastle.org. Please note the FTP server does not support passive mode.