Security-related enhancements include crypto performance updates, new debugging options, and additions to Kerberos and PKI. Credit: PeopleImages.com - Yuri A / Shutterstock While the recently released Java 23 features a dozen official features ranging from a second class-file API preview to an eighth incubator of a vector API, it also comes with various security capabilities. Security enhancements include crypto performance updates and additions to Kerberos and PKI. JDK 23 was released on September 17. A same-day Java Security Blog post from Sean Mullan, technical lead of the Java security libraries team at Oracle, lists JDK 23 security capabilities. Mullan did a similar list for JDK 22 in March. For javax.crypto, the CipherInputStream buffer size was increased from 512 bytes to 8,192 bytes. This can improve performance and is more consistent with buffer sizes for other APIs such as java.io.FileInputStream. Also, the performance of constructing a java.security.SecureRandom object via new SecureRandom() was improved. Also for the crypto API, a new PKS11 configuration attribute named allowLegacy was introduced. Applications can set this value to “true” to bypass legacy checks. The default value is “false.” In the PKI realm, new root CA certificates were added to the cacerts keystore, including CN=Certainly Root R1, 0=Certainly, C=US and CN=Certainly Root E1, O=Certainly, C=US. Also featured are two new GlobalSign root certificates, including CN=GlobalSign Root R46, O=GlobalSign nv-sa, C=BE and CN=GlobalSign Root E46, O=GlobalSign nv-sa, C=BE. Additionally, a new javasecurity.Keystore named KeychainStore-ROOT was added to the Apple security provider. This keystore contains root certificates stored in the system keychain on macOS systems. The Apple provider now supports two keystores: KeychainStore-Root and the existing KeychainStore that contains private keys and certificates for the user’s keychain. This enhancement fixes issues that caused HTTP’s connections to fail because the JDK was unable to find a root certificate to establish trust in the peer’s certificate chain. Kerberos in JDK 23 adds a security property, named jdk.security.krb5.name.case.sensitive, to allow case-sensitive lookups of Kerberos principal names in keytab and credential cache files. Previously, principal names were treated as case-insensitive. Also, debugging output of the Kerberos component now is directed to standard error instead of standard output. In the authorization space in JDK 23, the getSubject now throws UnsupportedOperationException unless a security manager is allowed or enabled. The change was made to prepare users for a future release where this method will be changed to always throw UnsupportedOperationException. In the miscellaneous space, new “thread” and “timestamp” options were added to the java.security.debug system property to help debug applications. Mullan also notes the deprecation of memory access methods in sun.misc.Unsafe slated for removal, which is one of the 12 established features in JDK 23. The JEP says removing the methods is part of a long-term effort to ensure that the Java platform has integrity by default. Related content news Java proposals would boost resistance to quantum computing attacks OpenJDK proposals would provide Java implementations of a quantum-resistant module-latticed-based digital signature algorithm and key encapsulation mechanism. By Paul Krill Nov 08, 2024 2 mins Java Quantum Computing Application Security news ‘Package confusion’ attack against NPM used to trick developers into downloading malware Attackers gunning for supply chains again, deploying innovative blockchain technique to hide command & control. By John E. Dunn Nov 06, 2024 4 mins Vulnerabilities Open Source Security news analysis What Entrust certificate distrust means for developers Secure communications between web browsers and web servers depend on digital certificates backed by certificate authorities. What if the web browsers stop trusting your CA? By Travis Van Oct 30, 2024 9 mins Browser Security Web Development Application Security analysis Why are we still confused about cloud security? We’re building too much complexity and are ill-trained to secure it. The result will be breach after breach, while enterprises wonder what happened. Get a clue now. By David Linthicum Oct 15, 2024 5 mins Cloud Security Identity and Access Management Security Infrastructure Resources Videos