Security-related enhancements include crypto performance updates, new debugging options, and additions to Kerberos and PKI.

While the recently released Java 23 delivers a dozen official features, ranging from a second preview of the class-file API to an eighth incubator of the vector API, it also comes with various security capabilities. Security enhancements include crypto performance updates and additions to Kerberos and PKI.

JDK 23 was released on September 17. A same-day Java Security Blog post from Sean Mullan, technical lead of the Java security libraries team at Oracle, lists the JDK 23 security capabilities. Mullan published a similar list for JDK 22 in March.

For javax.crypto, the CipherInputStream buffer size was increased from 512 bytes to 8,192 bytes. This can improve performance and is more consistent with the buffer sizes of other APIs such as java.io.FileInputStream. The performance of constructing a java.security.SecureRandom object via new SecureRandom() was also improved.

Also in the crypto API, a new PKCS11 configuration attribute named allowLegacy was introduced. Applications can set this value to “true” to bypass legacy checks. The default value is “false.”

In the PKI realm, new root CA certificates were added to the cacerts keystore, including CN=Certainly Root R1, O=Certainly, C=US and CN=Certainly Root E1, O=Certainly, C=US. Also featured are two new GlobalSign root certificates, CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE and CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE.

Additionally, a new java.security.KeyStore named KeychainStore-ROOT was added to the Apple security provider. This keystore contains the root certificates stored in the system keychain on macOS systems. The Apple provider now supports two keystores: KeychainStore-ROOT and the existing KeychainStore, which contains the private keys and certificates of the user’s keychain. This enhancement fixes issues that caused HTTPS connections to fail because the JDK was unable to find a root certificate to establish trust in the peer’s certificate chain.

Kerberos in JDK 23 adds a security property, named jdk.security.krb5.name.case.sensitive, to allow case-sensitive lookups of Kerberos principal names in keytab and credential cache files. Previously, principal names were treated as case-insensitive. Also, debugging output of the Kerberos component is now directed to standard error instead of standard output.

In the authorization space in JDK 23, the getSubject method now throws UnsupportedOperationException unless a security manager is allowed or enabled. The change was made to prepare users for a future release in which this method will be changed to always throw UnsupportedOperationException.

In the miscellaneous space, new “thread” and “timestamp” options were added to the java.security.debug system property to help debug applications. Mullan also notes the deprecation of the memory access methods in sun.misc.Unsafe, which are slated for removal; this is one of the 12 established features in JDK 23. The JEP says removing the methods is part of a long-term effort to ensure that the Java platform has integrity by default.
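As an added example (not code from the article or from Oracle), the following Java program checks whether a trust store actually contains the four roots named above: by default it reads the running JDK's cacerts file, and with the example's own --keychain flag it opens the new KeychainStore-ROOT keystore of the Apple provider on macOS. The class name and the flag are the example's own; the keystore names, provider name and subject DNs are the ones the article gives.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.x500.X500Principal;

public class NewRootsCheck {
    // Subject DNs of the four roots the article says were added to cacerts in JDK 23
    static final List<X500Principal> EXPECTED = List.of(
        new X500Principal("CN=Certainly Root R1, O=Certainly, C=US"),
        new X500Principal("CN=Certainly Root E1, O=Certainly, C=US"),
        new X500Principal("CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE"),
        new X500Principal("CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE"));

    // Trust store to inspect: the running JDK's cacerts file, or with --keychain the
    // macOS system-keychain roots exposed by the Apple provider's KeychainStore-ROOT.
    static KeyStore loadTrustStore(boolean useKeychain) throws Exception {
        if (useKeychain) {
            KeyStore ks = KeyStore.getInstance("KeychainStore-ROOT", "Apple");
            ks.load(null, null);   // backed by the system keychain: no stream, no password
            return ks;
        }
        Path cacerts = Path.of(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ks.load(in, null);     // reading only, so no integrity password is required
        }
        return ks;
    }
    // Expected subjects that have no matching trusted certificate in the store
    static List<X500Principal> missingRoots(KeyStore ks) throws Exception {
        List<X500Principal> missing = new ArrayList<>(EXPECTED);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.getCertificate(e.nextElement()) instanceof X509Certificate x) {
                missing.remove(x.getSubjectX500Principal()); // X500Principal.equals compares canonical DNs
            }
        }
        return missing;
    }
    public static void main(String[] args) throws Exception {
        boolean keychain = args.length > 0 && args[0].equals("--keychain");
        List<X500Principal> missing = missingRoots(loadTrustStore(keychain));
        System.out.println(missing.isEmpty() ? "all four JDK 23 roots present" : "missing: " + missing);
    }
}
```

Running it against a JDK older than 23 reports the four DNs as missing, which is a quick way to confirm which cacerts a build or container image actually ships.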