1. Home
  2. /
  3. Download
  4. /
  5. Download Bouncy Castle Java FIPS

Download Bouncy Castle for Java FIPS

Welcome to the download page for the FIPS-certified editions of Bouncy Castle Java. In addition to the available access options, including Maven Central and direct download, you will find searchable release notes and links to API and other documentation.

Bouncy Castle Java
hero-sub-2

Documentation

Check out the Bouncy Castle for Java documentation, including the Java FIPS documentation for clear guidance and examples.

View the Documentation

Join the Discussion

You can ask questions and learn from specialists in the Bouncy Castle Java forum on GitHub Discussions. We highly appreciate and value your input.

Go to GitHub Discussions

Report an issue

If you encounter any issues that require attention, feel free to report them in our GitHub repository. 

Report an Issue

Release notes

Find out detailed information about the latest release and search in older release notes.

Go to Release notes

Roadmap

Details about our current plans and versions in progress for Java FIPS can be found on the Java FIPS Roadmap.

View Roadmap

Donate to support the Bouncy Castle APIs

Supporting Bouncy Castle is now a substantial effort, the Java API is now over 300,000 lines, the C# one well past 140,000.

Donate

Bouncy Castle Java FIPS Downloads

Except where otherwise stated, this software is distributed under the regular Bouncy Castle license. For full details of other licenses involved, see Third party licenses

Distribution Files (JAR format)

The 2.1.0 release, BC-FJA 2.1.0 (Certificate #4943) , is certified for use on Java 8, Java 11, Java 17, and Java 21. The 2.1.2 release is a patch release on 2.1.0/2.1.1, going into submission. For differences, see the release notes.

Note: as with the regular Java BC release, this distribution now has a bcutil jar containing classes that do not need to be in the certified provider jar. For most purposes, you will need to include the bcutil jar in your application. Please see the release notes for details on this release.

Provider (patched) bc-fips-2.1.2.jar bc-fips-2.1.2-sources.jar bc-fips-2.1.2-javadoc.jar
Provider bc-fips-2.1.0.jar bc-fips-2.1.0-sources.jar bc-fips-2.1.0-javadoc.jar
ASN.1 Utility Classes bcutil-fips-2.1.5.jar bcutil-fips-2.1.5-sources.jar bcutil-fips-2.1.5-javadoc.jar
PKIX/CMS/EAC/PKCS/OCSP/TSP/OPENSSL bcpkix-fips-2.1.10.jar bcpkix-fips-2.1.10-sources.jar bcpkix-fips-2.1.10-javadoc.jar
SMIME bcmail-fips-2.1.6.jar bcmail-fips-2.1.6-sources.jar bcmail-fips-2.1.6-javadoc.jar
Jakarta SMIME bcjmail-fips-2.1.6.jar bcjmail-fips-2.1.6-sources.jar bcjmail-fips-2.1.6-javadoc.jar
OpenPGP/BCPG bcpg-fips-2.1.11.jar bcpg-fips-2.1.11-sources.jar bcpg-fips-2.1.11-javadoc.jar
DTLS/TLS API/JSSE Provider bctls-fips-2.1.22.jar bctls-fips-2.1.22-sources.jar bctls-fips-2.1.22-javadoc.jar

The 2.0.0 release, BC-FJA 2.0.0 (Certificate #4743) , is certified for use on Java 8, Java 11, Java 17 and Java 21.

Note: as with the regular Java BC release, this distribution now has a bcutil jar containing classes that do not need to be in the certified provider jar. For most purposes you will need to include the bcutil jar in your application though. Other details on differences between the 1.0.2 series and the 2.0.0 can be found in the porting guide.

Provider bc-fips-2.0.1.jar bc-fips-2.0.1-sources.jar bc-fips-2.0.1-javadoc.jar
Provider bc-fips-2.0.0.jar bc-fips-2.0.0-sources.jar bc-fips-2.0.0-javadoc.jar
ASN.1 Utility Classes bcutil-fips-2.0.5.jar bcutil-fips-2.0.5-sources.jar bcutil-fips-2.0.5-javadoc.jar
PKIX/CMS/EAC/PKCS/OCSP/TSP/OPENSSL bcpkix-fips-2.0.10.jar bcpkix-fips-2.0.10-sources.jar bcpkix-fips-2.0.10-javadoc.jar
SMIME bcmail-fips-2.0.5.jar bcmail-fips-2.0.5-sources.jar bcmail-fips-2.0.5-javadoc.jar
Jakarta SMIME bcjmail-fips-2.0.5.jar bcjmail-fips-2.0.5-sources.jar bcjmail-fips-2.0.5-javadoc.jar
OpenPGP/BCPG bcpg-fips-2.0.12.jar bcpg-fips-2.0.12-sources.jar bcpg-fips-2.0.12-javadoc.jar
DTLS/TLS API/JSSE Provider bctls-fips-2.0.22.jar bctls-fips-2.0.22-sources.jar bctls-fips-2.0.22-javadoc.jar

The 1.0.2.4 release, BC-FJA 1.0.2.4, is certified for use on Java 7, Java 8, Java 11, and Java 17.

Provider bc-fips-1.0.2.4.jar bc-fips-1.0.2.4-sources.jar bc-fips-1.0.2.4-javadoc.jar
PKIX/CMS/EAC/PKCS/OCSP/TSP/OPENSSL bcpkix-fips-1.0.7.jar bcpkix-fips-1.0.7-sources.jar bcpkix-fips-1.0.7-javadoc.jar
SMIME bcmail-fips-1.0.4.jar bcmail-fips-1.0.4-sources.jar bcmail-fips-1.0.4-javadoc.jar
Jakarta SMIME bcjmail-fips-1.0.4.jar bcjmail-fips-1.0.4-sources.jar bcjmail-fips-1.0.4-javadoc.jar
OpenPGP/BCPG bcpg-fips-1.0.7.1.jar bcpg-fips-1.0.7.1-sources.jar bcpg-fips-1.0.7.1-javadoc.jar
DTLS/TLS API/JSSE Provider bctls-fips-1.0.19.jar bctls-fips-1.0.19-sources.jar bctls-fips-1.0.19-javadoc.jar
Checksums

To confirm the integrity of the distributions, checksums are available:

Download BC-FJA 1.0.2.4 Checksums

Download BC-FJA 2.0.0 Checksums

Download BC-FJA 2.1.0 Checksums

Maven Central Signing Key

If you are trying to confirm the signatures for artifacts from Maven Central, you can use the public key linked below.

Download bc_maven_public_key.asc

Release notes

Find out detailed information about the latest Bouncy Castle Java FIPS releases and search in older release notes.  

Latest release Release BC-FJA 2.1.2 Release BC-FJA 2.1.1 Release BC-FJA 2.1.0 Release BC-FJA 2.0.1 Release BC-FJA 2.0.0 Release BC-FJA 1.0.2.4 Release BC-FJA 1.0.2.3 Release BC-FJA 1.0.2.2 Release BC-FJA 1.0.2.1 Release BC-FJA 1.0.2 Release BC-FJA 1.0.1 Release BC-FJA 1.0.0
Release BC-FJA 2.1.2
22 September, 2025
Name: bc-fips-2.1.2.jar Defects Fixed CVE‐2025‐12194 – While the situation with the JVM garbage collector overrun for Java 17 and Java 21 greatly impr...

Name: bc-fips-2.1.2.jar

Defects Fixed

  • CVE‐2025‐12194 – While the situation with the JVM garbage collector overrun for Java 17 and Java 21 greatly improved with the changes in 2.1.1, we’ve still had some reports that can only be related to the use of the disposal daemon. The disposal code for Java 9 and later has now been rewritten to use reachability fencing, which allows the disposal code to free up native resources without delay, leading to much more reliable performance. See the details in the NVD record: CVE-2025-12194.
  • The jar now contains multiple checksums which will allow it to be used with jlink, provided the JVM involved does not require signed providers. This feature is not cleared as FIPS compliant (yet).
  • The CertPath processing would eliminate certificates on the basis of mismatched KeyIds. This behavior has been corrected in line with RFC 4158, Section 3.5.12 to ignore the KeyId in case of mismatch.
  • A missing provider reference in the PKCS#12 KeyStore code could cause an UnknownAlgorithmException to be thrown on key extraction when the BCFIPS provider was not explicitly installed in the JVM’s provider list. This has been fixed.

Additional features and functionality

  • Where a delay is needed between GC flagging and final disposal of native resources the system/security property org.bouncycastle.native.cleanup_delay can be set to non-zero (the default is zero). The number given is considered to be seconds unless followed by the string "ms", in which case it is read as milli-seconds.
  • It is now possible to set the priority of the native disposal thread using the system/security property org.bouncycastle.native.cleanup_priority. Settings can be "min", "normal", or "high". The default setting is "min".
Close